Keycloak is an open source identity and access management solution.
Warning: this service is a new addition to the playbook. It may not fully work, or it may be configured in a suboptimal manner.
This service requires the following other services:
To enable this service, add the following configuration to your `vars.yml` file and re-run the installation process:
```yaml
########################################################################
#                                                                      #
# keycloak                                                             #
#                                                                      #
########################################################################

keycloak_enabled: true

keycloak_hostname: mash.example.com
keycloak_path_prefix: /keycloak

keycloak_environment_variable_keycloak_admin: your_username_here
# Generating a strong password (e.g. `pwgen -s 64 1`) is recommended
keycloak_environment_variable_keycloak_admin_password: ''

########################################################################
#                                                                      #
# /keycloak                                                            #
#                                                                      #
########################################################################
```
In the example configuration above, we configure the service to be hosted at `https://mash.example.com/keycloak`.

You can remove the `keycloak_path_prefix` variable definition to make it default to `/`, so that the service is served at `https://mash.example.com/`.
On first start, the admin user account will be created as defined with the `keycloak_environment_variable_keycloak_admin` and `keycloak_environment_variable_keycloak_admin_password` variables.
On each start after that, Keycloak will attempt to create the user again and report a non-fatal error (Keycloak will continue running).
Subsequent changes to the password will not affect an existing user's password.
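Because the admin password is only honoured on the very first start, an empty or weak value in `vars.yml` is worth catching before the installation runs. The script below is an added example, not part of the playbook: it parses the flat `key: value` lines of the Keycloak section shown above, derives the public URL from `keycloak_hostname` and `keycloak_path_prefix` exactly as the text describes, and flags a default empty password or a malformed path prefix. The sample `vars.yml` text and the minimum password length are constructed assumptions.

```python
"""Pre-flight check for the Keycloak variables in a mash-playbook vars.yml.

Added example (not the playbook's own code): it parses only the flat
`key: value` lines used by the Keycloak section, derives the public URL the
service will be served at, and flags the settings that commonly bite on
first start (empty admin password, malformed path prefix).
"""
import re

# Constructed sample vars.yml, mirroring the page's example but with the
# password left at its default of '' so the check has something to flag.
SAMPLE_VARS_YML = """\
keycloak_enabled: true
keycloak_hostname: mash.example.com
keycloak_path_prefix: /keycloak
keycloak_environment_variable_keycloak_admin: your_username_here
keycloak_environment_variable_keycloak_admin_password: ''
"""

# Assumption: the page only says "strong" (e.g. `pwgen -s 64 1`); 20 is a floor.
MIN_PASSWORD_LENGTH = 20

_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_flat_vars(text):
    """Parse `key: value` lines into a dict, ignoring comments and blanks.
    Surrounding quotes on scalar values are stripped; nested YAML is not handled."""
    out = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        out[key] = value
    return out


def keycloak_url(cfg):
    """Public URL Keycloak is served at: hostname plus path prefix (default /)."""
    host = cfg["keycloak_hostname"]
    prefix = cfg.get("keycloak_path_prefix", "/")
    if prefix == "/":
        return f"https://{host}/"
    return f"https://{host}{prefix}"


def check_keycloak_vars(cfg):
    """Return a list of human-readable findings; an empty list means the section looks sane."""
    findings = []
    if cfg.get("keycloak_enabled", "false").lower() != "true":
        findings.append("keycloak_enabled is not true; the role will not deploy Keycloak")
    if not cfg.get("keycloak_hostname"):
        findings.append("keycloak_hostname is missing")
    prefix = cfg.get("keycloak_path_prefix", "/")
    if not prefix.startswith("/") or (prefix != "/" and prefix.endswith("/")):
        findings.append(f"keycloak_path_prefix {prefix!r} must start with '/' and not end with one")
    if not cfg.get("keycloak_environment_variable_keycloak_admin"):
        findings.append("admin username is empty; no admin account will be created on first start")
    pw = cfg.get("keycloak_environment_variable_keycloak_admin_password", "")
    if not pw:
        findings.append("admin password is empty; set it before the first start, "
                        "later changes do not update an existing user")
    elif len(pw) < MIN_PASSWORD_LENGTH:
        findings.append(f"admin password is shorter than {MIN_PASSWORD_LENGTH} characters")
    return findings


if __name__ == "__main__":
    cfg = parse_flat_vars(SAMPLE_VARS_YML)
    print("Keycloak URL:", keycloak_url(cfg))
    for finding in check_keycloak_vars(cfg):
        print("WARNING:", finding)
```

Run it against your real `vars.yml` before the first `ansible-playbook` invocation; once the admin user exists, fixing the password in `vars.yml` no longer helps, and the change has to be made inside Keycloak itself.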
After installation, you can go to the Keycloak URL, as defined in `keycloak_hostname` and `keycloak_path_prefix`, and log in as described in Authentication.
Follow the Keycloak documentation or other guides for learning how to use Keycloak.
- OAuth2-Proxy - A reverse proxy and static file server that provides authentication using OpenID Connect Providers (Google, GitHub, Authentik, Keycloak, and others) to SSO-protect services which do not support SSO natively