Set up Keycloak for IAM

Introduction

Learn how to deploy and configure Keycloak as an Identity and Access Management (IAM) solution on Atlas Cloud. This guide will walk you through setting up Keycloak using the web interface for centralized user authentication and authorization.

Prerequisites

Before you begin, ensure you have:

• An Atlas Cloud account with admin privileges
• A Virtual Machine instance (see Creating your first cloud service)
• A public IP address assigned to your VM
• Basic knowledge of Linux command line

Create a Virtual Machine for Keycloak

If you haven’t already created a VM, follow our guide in Creating your first cloud service. It will cover the VM prerequisites.

Keycloak Requirements: When creating your VM, ensure:

• Template: Ubuntu 24.04 LTS
• CPU: 2 cores minimum
• Memory: 4 GiB minimum
• Root Disk: 20 GiB minimum

Install Java and Keycloak

Connect to your VM via SSH and install the required components:

1. Update System Packages

sudo apt update && sudo apt upgrade -y

2. Install Java 21

Keycloak requires Java 17 or later:

sudo apt install openjdk-21-jdk -y
java -version

3. Download and Install Keycloak

# Download Keycloak
wget https://github.com/keycloak/keycloak/releases/download/23.0.0/keycloak-23.0.0.tar.gz
 
# Extract the archive
tar -xzf keycloak-23.0.0.tar.gz
sudo mv keycloak-23.0.0 /opt/keycloak
sudo chown -R $USER:$USER /opt/keycloak

Configure Keycloak

1. Set Up Admin User

cd /opt/keycloak
./bin/kc.sh start-dev --http-port=8080 &

Wait for Keycloak to start, then create an admin user:

./bin/add-user-keycloak.sh -u admin -p 'YourSecurePassword123!'

2. Configure Keycloak for Production

Create a configuration file:

nano /opt/keycloak/conf/keycloak.conf

Add the following configuration:

# Database configuration
db=postgres
db-url=jdbc:postgresql://localhost:5432/keycloak
db-username=keycloak
db-password=keycloak_password
 
# Network configuration
http-port=8080
https-port=8443
hostname=keycloak.your-domain.com
 
# Production mode
production-mode=true

3. Install PostgreSQL (Recommended for Production)

sudo apt install postgresql postgresql-contrib -y
sudo -u postgres psql

In PostgreSQL shell:

CREATE USER keycloak WITH PASSWORD 'keycloak_password';
CREATE DATABASE keycloak OWNER keycloak;
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
\q

Start Keycloak Service

1. Create a Systemd Service

sudo nano /etc/systemd/system/keycloak.service

Add the following content:

[Unit]
Description=Keycloak Server
After=network.target
 
[Service]
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/bin/kc.sh start
TimeoutStartSec=600
TimeoutStopSec=600
 
[Install]
WantedBy=multi-user.target

2. Create Keycloak User

sudo useradd -r -s /bin/false keycloak
sudo chown -R keycloak:keycloak /opt/keycloak

3. Enable and Start the Service

sudo systemctl daemon-reload
sudo systemctl enable keycloak
sudo systemctl start keycloak
sudo systemctl status keycloak

Configure Firewall

Open the necessary ports:

sudo ufw allow 8080/tcp
sudo ufw allow 8443/tcp
sudo ufw reload

Access Keycloak Admin Console

1. Open your web browser and navigate to http://your-vm-ip:8080
2. Click “Administration Console”
3. Log in with the admin credentials you created earlier
4. You’re now in the Keycloak admin console!

Basic IAM Configuration

1. Create a New Realm

1. Hover over “Master” in the top-left corner and click “Add realm”
2. Enter a realm name (e.g., “my-app”)
3. Click “Create”

2. Create Users

1. Navigate to “Users” in the left menu
2. Click “Add user”
3. Fill in user details:
   • Username: john.doe
   • Email: john.doe@example.com
   • First Name: John
   • Last Name: Doe
4. Click “Save”
5. Go to the “Credentials” tab and set a password

3. Create Roles

1. Navigate to “Roles” in the left menu
2. Click “Add Role”
3. Enter role name (e.g., “admin”, “user”, “readonly”)
4. Click “Save”

4. Assign Roles to Users

1. Go to “Users” and select a user
2. Click “Role mapping” tab
3. Select roles from “Available Roles” and click “Add selected”

5. Create a Client Application

1. Navigate to “Clients” in the left menu
2. Click “Create”
3. Configure client settings:
   • Client ID: my-web-app
   • Client Protocol: openid-connect
   • Root URL: http://localhost:3000
4. Click “Save”
5. Set “Access Type” to “confidential” for server applications or “public” for SPA/mobile apps

Next Steps

Your Keycloak IAM server is now ready! You can:

• Integrate your applications using OpenID Connect or SAML
• Configure social identity providers (Google, GitHub, etc.)
• Set up multi-factor authentication
• Configure user federation with LDAP or Active Directory

For more advanced configuration, refer to the Keycloak documentation.

Congratulations! You’ve successfully deployed Keycloak as your IAM solution on Atlas Cloud 🎉