Guide: Joomla OAuth Client Integration with Keycloak Single Sign-On (SSO)


This guide covers integrating Keycloak Single Sign-On (Keycloak SSO) with Joomla using the OAuth 2.0 protocol. The miniOrange Joomla OAuth / OpenID Connect Single Sign-On (SSO) plugin makes it simple to set up Keycloak SSO in Joomla and enable secure login into Joomla. As a result, users can log in to Joomla and access the site by authenticating with their Keycloak identity provider credentials.
Visit our Joomla OAuth Client Plugin webpage to learn more about the features and plans we offer for the Joomla OAuth Single Sign-on (OAuth & OpenID connect) plugin.

Plugin Download and Video Setup Guide


Joomla OAuth Client Handbook

This detailed handbook for the Joomla OAuth/OpenID Single Sign-On plugin gives an in-depth explanation of the plugin's features. You can refer to the handbook at any time: it is always available to you, either via this link or directly from the plugin for quicker access.

Setup Keycloak as OAuth Provider with Joomla as OAuth Client

  • Download the zip file for the miniOrange OAuth Client plugin for Joomla from the link here.
  • Log in to your Joomla site’s administrator console.
  • From the menu, click on System, then under the Install section click on Extension.
  • Upload the downloaded zip file to install the Joomla OAuth Client plugin.
  • After successful installation of the plugin, click on the Start Using miniOrange OAuth Client plugin button.
  • Copy the Callback/Redirect URL from the Configure OAuth tab of the Joomla OAuth Client plugin.
  • First of all, download Keycloak and install it.
  • Start Server: Start the Keycloak server by running the standalone.sh file:

    Root Directory of keycloak/bin/standalone.sh

  • Add Realm: Now log in to the Keycloak administration console and navigate to your desired realm. You can add a new realm by selecting the Add Realm option.
  • Create Realm: Enter the Realm Name and click on CREATE to add the realm.
  • Create Role: The role will be used by your applications to define which users will be authorized to access the application. Click on Roles and choose Add Role.
  • Add User: We need to add users to the realm who will be able to access the resources of the realm. Click on Users and choose to add a new user.
  • User Configuration: After the user is created, the following action needs to be performed on it.
    • Set a password for the user: click on Credentials and set a new Password.

      NOTE: Disabling Temporary will make the user password permanent.


  • Map User: We need to map the user to a role. Click on Role Mappings and assign the user the desired role from the available roles by clicking on Add selected.
  • Create groups: Click on Groups and choose New to create a new group.
  • Assign user to group: Select the user whom you want to add to the group. Choose the Groups option from the tab, then select the group name and click on Join.
  • Create OpenID client: Click on Clients and choose Create to create a new client. Enter any random string as the Client ID and keep it handy because you will need it in the next step. Select the client protocol openid-connect and select Save.
  • Change Access Type: After the client is created, change its access type to confidential.
  • Enter Valid Redirect URLs: Enter the callback URL (which you copied from the miniOrange OAuth Client plugin in the steps above) and then click on SAVE.
    Ex -- https://oauth/callback
  • Keycloak Group Mapper: To get group details, we need to add a Group Membership mapper to the client; otherwise group details will not be fetched. In the client, select Mappers and then click on Create. Select the mapper type Group Membership, enter a name and the token claim name (i.e. the attribute name under which groups will be fetched), and click on Save.

    Note: If Full Path is on, the group path will be fetched; otherwise the group name will be fetched.

  • Get Client Secret: Now we need to get the client secret. Select Clients, select Credentials, and copy your secret from there.
  • You have successfully completed your Keycloak OAuth Server side configuration.



  • Scope: email profile
    Authorize EndPoint: <Keycloak base URL>/realms/{realm-name}/protocol/openid-connect/auth
    Access Token Endpoint: <Keycloak base URL>/realms/{realm-name}/protocol/openid-connect/token
    Get User Info Endpoint: <Keycloak base URL>/realms/{realm-name}/protocol/openid-connect/userinfo
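
The values configured above determine the authorization request the OAuth client sends to Keycloak and the callback it must accept. As an added illustration (not the miniOrange plugin's code), the Python below derives the endpoints from the URL patterns listed above, builds the request, and rejects a callback whose state does not match; the host names, realm, client ID and function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


def keycloak_endpoints(base_url, realm):
    """Derive the three endpoints from the URL patterns given in this guide."""
    root = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect"
    return {
        "authorize": f"{root}/auth",
        "token": f"{root}/token",
        "userinfo": f"{root}/userinfo",
    }


def build_authorization_url(endpoints, client_id, redirect_uri, state=None):
    """Return (url, state) for an authorization-code request."""
    state = state or secrets.token_urlsafe(32)  # unguessable, kept in the session
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must equal the Valid Redirect URL in Keycloak
        "scope": "email profile",      # scope value from this guide
        "state": state,
    })
    return f"{endpoints['authorize']}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Return the authorization code, or raise if the callback is not ours."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"provider returned error: {params['error'][0]}")
    returned = params.get("state", [""])[0]
    # Constant-time comparison of the returned state with the one we issued.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not match our request")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


if __name__ == "__main__":
    # Constructed sample values: hypothetical host, realm, client and callback.
    eps = keycloak_endpoints("https://keycloak.example.com/", "demo")
    url, state = build_authorization_url(
        eps, "joomla-client", "https://joomla.example.com/callback")
    print(url)
    print(code_from_callback(
        f"https://joomla.example.com/callback?code=abc123&state={state}", state))
```

The returned code is then exchanged at the token endpoint together with the client secret copied in the previous section.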

Attributes Mapping and SSO with Keycloak

  • Once you click on the Test Configuration button, you will be able to see the attributes in the Test Configuration output.
  • Now you have to do Attribute Mapping to perform SSO. Select the attribute names for Email and Username from the dropdown. Then click on the Save Attribute Mapping button.
  • Now you can use the Login / SSO URL to perform SSO.

In this guide, you have successfully configured Joomla Keycloak Single Sign-On (SSO) by configuring Keycloak as OAuth Provider and Joomla as OAuth Client using our Joomla OAuth Client plugin. This solution ensures that you are ready to roll out secure access to your Joomla site using Keycloak login credentials within minutes.

Additional Resources


Mail us at joomlasupport@xecurify.com for quick guidance (via email/meeting) on your requirement, and our team will help you select the most suitable solution/plan for your requirement.
