Keycloak Single Sign-on ( SSO ) Integration with Drupal OAuth/OpenID Client

Keycloak Single Sign-on ( SSO ) Integration with Drupal OAuth/OpenID Client


Drupal Keycloak SSO integration will allow you to configure Single Sign-On ( SSO ) login between your Drupal site and Keycloak using OAuth/OpenID protocol. Drupal OAuth/OpenID Connect module gives the ability to enable login using Single Sign-On ( OAuth/OIDC ) into the Drupal site. We provide the Drupal OAuth/OpenID Client module for Drupal 7, Drupal 8, and Drupal 9.
Here we will go through a guide to configure the SSO login between Drupal and Keycloak. By following these steps, users of Keycloak will be able to log into the Drupal site using their Keycloak credentials.
If you have any queries or if you need any sort of assistance in configuring the module, you can contact us at drupalsupport@xecurify.com. If you want, we can also schedule an online meeting to help you configure the Drupal OAuth & OpenID Connect Login - OAuth2 Client SSO Login module.

Features and Pricing

Know more about Drupal OAuth/OpenID Single Sign On from here.

Pre-requisites: Download

You can download the Drupal OAuth/OpenID Single Sign On module from here.

Steps to configure Keycloak Single Sign-on ( SSO ) login integration with Drupal OAuth / OpenID Providers:

1. Setup Drupal as OAuth Client

  • Login in your Drupal site’s admin console and click on Extend from the top navigation bar.
  • Select the Install new module option to install a new module on your Drupal site.
  • Drupal OAuth & OpenID Connect - Click on Install new module
  • Upload the downloaded zip file of the Module and click on the Install button to continue.
  • Drupal OAuth & OpenID Connect - Click on Upload
  • Select Enable newly added modules.
  • Drupal OAuth & OpenID Connect - Click Enable newly added modules
  • Scroll down till you find miniOrange OAuth Client. Click on the checkbox next to it and click on the Install button to enable the module.
  • Drupal OAuth & OpenID Connect - Scroll down to find miniOrange OAuth Client and enable the module
  • Click on Configuration from the top navigation bar and Select Drupal OAuth Client Configuration.
  • Drupal OAuth & OpenID Connect - Click on Configuration and select Drupal OAuth Client Configuration
  • In the Configure OAuth tab, select Keycloak from the Select Application dropdown.
  • Drupal OAuth & OpenID Connect - In Configure OAuth tab , Select keycloak from Select Application dropdown
  • Copy the callback URL from the Callback / Redirect URL text field and keep it handy.
  • Drupal OAuth & OpenID Connect - In Configure OAuth tab, Copy the callback URL from Callback/Redirect URL

    Please note: A few of the popular service providers like Azure AD, Azure B2C, Facebook etc. support only HTTPS Callback URL (However, HTTP URL will work in the case of localhost). So, currently, if your site is HTTP, you can change it to HTTPS by following the steps listed down below :

  • Go to the Sign In Settings tab.
  • In the Base /Site URL text field, enter your Drupal site’s base/root URL with HTTPS ( For eg. if your site is http://abc.com, you will need to save this value: https://abc.com ).
  • Click on the Update button.
  • Drupal OAuth & OpenID Connect - base url

2. Configure SSO Application in Keycloak

  • First of all, Download Keycloak and install it.
  • Start Server: Start the keycloak server by running the _standalone.sh_ file Root Directory of keycloak/bin/standalone.sh
  • Add Realm: Now login to keycloak administration console and navigate to your desired realm. You can add new realm by selecting Add Realm option.
  • Keycloak - Login Add Realm
  • Create Realm: Enter Realm Name and click on CREATE to add realm.
  • Create Role: The Role will be used by your applications to define which users will be authorized to access the application. Click on the Roles and choose Add Role.
  • Keycloak - Add Role
  • Add User: We need to add users to realm who will be able to access the resources of realm. Click on the Users and choose to Add a new User.
  • Keycloak - SSO Add User
  • User Configuration: After user is created following action needs to be performed on it.
  • Setting a password for it so click on Credentials and set a new Password for the user.
  • Keycloak - Credentials

    NOTE : Disabling Temporary will make user password permanent

  • Map User: We need to map user to a role. Click on Role Mappings and assign the user desired role from available roles and clicking on add selected.
  • Keycloak - Role Mapping
  • Create groups: Click on the Groups and choose New to create a new group.
  • Keycloak - Create Group
  • Assign user to group: Select the user whom you want to add in group. Choose Groups option from tab and then select the group-name and click on join.
  • Keycloak - Assign User to Group
  • Create OpenID client: Click on the Clients and choose create to create a new client. Enter client id and select client protocol openeid-connect and select Save.
  • Keycloak - Openid Connect
  • Enter Change Access Type: Afterclient is created change it's access type to confidential
  • Keycloak - Change Access Type
  • Enter Valid Redirect URLs: Copy callback URL from module and then click on SAVE button.
    for eg. https://oauth/callback
  • Keycloak Group Mapper: Now to get group details we need to perform its client mapping with group membership else group details will not be fetched. So in client select Mappers and then click on create. Select mapper type Group Membership and enter name and token claim-name i.e the attribute name corresponding which groups will be fetched and click on Save.
  • Keycloak - Group Mapper

    Note: -- If full path is on group path will be fetched else group name will be fetched.

3. Integrating Drupal with Keycloak

  • Client ID will be your client name.
  • Get Client Secret: Now we need to get client secret. So select Clients and select credentials and copy your secret from here.
  • Keycloak SSO Client Credentials
  • In Drupal’s Configure OAuth tab and paste the copied Client ID and Client Secret (copied from the Keycloak Portal) in the Client ID and Client Secret text-field.
  • Keycloak - Client Credentials
  • You have successfully completed your Keycloak App OAuth Server side configurations.
  • Enter the following Keycloak Scope and Endpoints:
  • Client ID : from the above step
    Client Secret : from the above step
    Scope: email profile
    Authorize Endpoint: (Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/auth
    Access Token Endpoint: (Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/token
    Get User Info Endpoint: (Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/userinfo

4. Test Configuration of Drupal with Keycloak

  • After successfully saving the configurations, please click on the Test Configuration button to test the connection between Drupal and Keycloak.
  • Keycloak sso login with drupal OAuth OpenID Single Single On Keycloak test Configuration
  • This Test Configuration window will provide you with a list of the attributes that are coming from the Keycloak.
  • Select the Email Attribute from the dropdown menu in which the user's email ID is obtained and click on the Done button.
  • Keycloak sso login with drupal OAuth OpenID Single Single On Keycloak test Configuration successfully
  • Now, in the Attribute & Role Mapping tab, you can also choose the Username Attribute from the dropdown and click on the Save Configuration button.
  • Keycloak sso login with drupal OAuth OpenID Single Single On Keycloak test Configuration successfully

    Please note: Mapping the Email Attribute is mandatory for your login to work.

  • Now log out and go to your Drupal site’s login page. You will automatically find a Login with Keycloak link there. If you want to add the SSO link to other pages as well, please follow the steps given in the image below :
  • Keycloak sso login with drupal OAuth OpenID Single Single On Keycloak test Configuration successfully


24*7 Active Support

If you face any issues or if you have any questions, please feel free to reach out to us at drupalsupport@xecurify.com. In case you want some additional features to be included in the module, please get in touch with us, and we can get that custom-made for you. Also, If you want, we can also schedule an online meeting to help you configure the Drupal OAuth/OpenID Single Sign On module.

Additional Resources

Our Other modules

Hello there!

Need Help? We are right here!

support
Contact miniOrange Support
success

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com