@@ -15,10 +15,11 @@ weight: 2
1515It’s widely trusted for secure authentication in on-premise deployments, enabling organizations to centralize user identity and integrate easily with various services.
1616
1717This step-by-step guide will help you:
18- - Register a new OIDC client in Keycloak.
19- - Set up an OIDC Connector in ** Pydio Cells** .
20- - Map user attributes from Keycloak (using LDAP directory) to user roles in Pydio Cells.
21- - Understand how to fix session-related issues and debug your configuration.
18+
19+ * Register a new OIDC client in Keycloak.
20+ * Set up an OIDC Connector in ** Pydio Cells** .
21+ * Map user attributes from Keycloak (using LDAP directory) to user roles in Pydio Cells.
22+ * Understand how to fix session-related issues and debug your configuration.
2223
2324
2425## S1. Register a New OIDC Client in Keycloak
@@ -37,27 +38,30 @@ Clients → Create Client
3738![ ] ( ../images/connectors/keycloak/create-new-client.png )
3839
3940** Example values:**
40- - ** Client ID:** ` demo.cells.pydio `
41- - ** Name:** ` Cells Demo `
41+
42+ * ** Client ID:** ` demo.cells.pydio `
43+ * ** Name:** ` Cells Demo `
4244
4345![ ] ( ../images/connectors/keycloak/keycloak-new-client-0.png )
4446
4547
4648** Configure redirect and URLs:**
47- - ** Root URL:** Pydio Cells URL
48- - ** Home URL:** Same as above
49- - ** Valid Redirect URIs:** Callback URL generated by the Connector in Step 2
50- - ** Valid Post Logout Redirect URIs:** Leave empty
51- - ** Web Origins:** Pydio Cells URL
49+
50+ * ** Root URL:** Pydio Cells URL
51+ * ** Home URL:** Same as above
52+ * ** Valid Redirect URIs:** Callback URL generated by the Connector in Step 2
53+ * ** Valid Post Logout Redirect URIs:** Leave empty
54+ * ** Web Origins:** Pydio Cells URL
5255
5356![ ] ( ../images/connectors/keycloak/keycloak-create-client-3.png )
5457
5558
5659
5760** New Client Capability:**
58- - ** Cells Authentication:** Yes
59- - ** Authorization:** Off
60- - ** Authentication Flow:** Standard
61+
62+ * ** Cells Authentication:** Yes
63+ * ** Authorization:** Off
64+ * ** Authentication Flow:** Standard
6165
6266![ ] ( ../images/connectors/keycloak/keycloak-new-client-2.png )
6367
@@ -79,9 +83,10 @@ Settings → Authentication → OAUTH2/OIDC → Create New Connector
7983```
8084
8185In the pop-up:
82- - ** Connector type:** OpenID Connect
83- - ** ID:** ` keycloak ` (won't be changed)
84- - ** Name:** Example: ` SSO with Keycloak ` (can be customized later)
86+
87+ * ** Connector type:** OpenID Connect
88+ * ** ID:** ` keycloak ` (won't be changed)
89+ * ** Name:** Example: ` SSO with Keycloak ` (can be customized later)
8590
8691The ** Issuer (Canonical URL)** updates automatically based on the ID. This URL acts as the callback where Keycloak sends tokens after authentication.
8792
@@ -94,18 +99,20 @@ Pause here, return to **Step 1**, and add the generated callback URL to the clie
9499
95100Once you have your ** Client ID** and ** Client Secret** , continue filling out:
96101
97- - ** Issuer - Canonical URL:**
98- Format: ` https://domain/realms/realm-name `
99- Example: ` https://sso.keycloak.pydio/realms/master `
102+ * ** Issuer - Canonical URL:**
100103
101- - ** Client ID:** The client ID from Step 1 (` demo.cells.pydio ` )
102- - ** Client Secret:** Copied from Keycloak.
104+ - Format: ` https://domain/realms/realm-name `
105+ - Example: ` https://sso.keycloak.pydio/realms/master `
106+
107+ * ** Client ID:** The client ID from Step 1 (` demo.cells.pydio ` )
108+ * ** Client Secret:** Copied from Keycloak.
103109
104110![ ] ( ../images/connectors/keycloak/cells-new-connector-3.png )
105111
106112** Additional options:**
107- - ** Insecure Skip Email Verified:** Set ` On ` if using a trusted directory.
108- - ** Get User Info:** On
113+
114+ * ** Insecure Skip Email Verified:** Set ` On ` if using a trusted directory.
115+ * ** Get User Info:** On
109116
110117![ ] ( ../images/connectors/keycloak/cells-new-connector-4.png )
111118
@@ -129,12 +136,13 @@ User Federation → Select LDAP Provider → Mappers → Create Mapper
129136```
130137
131138Example mapper:
132- - ** Name:** ` memberOf to group `
133- - ** Mapper type:** ` user-attribute-ldap-mapper `
134- - ** User Model Attribute:** ` cellsgroups `
135- - ** LDAP Attribute:** ` memberOf `
136- - ** Read Only:** On
137- - ** Always Read Value From LDAP:** On
139+
140+ * ** Name:** ` memberOf to group `
141+ * ** Mapper type:** ` user-attribute-ldap-mapper `
142+ * ** User Model Attribute:** ` cellsgroups `
143+ * ** LDAP Attribute:** ` memberOf `
144+ * ** Read Only:** On
145+ * ** Always Read Value From LDAP:** On
138146
139147![ ] ( ../images/connectors/keycloak/keycloak-ldap-memberof-mapping.png )
140148
@@ -146,22 +154,23 @@ Example mapper:
146154Client Scopes → Create Client Scope
147155```
148156
149- - ** Name:** ` cellsscope `
150- - ** Description:** Defines ` cellsgroups ` claim
157+ * ** Name:** ` cellsscope `
158+ * ** Description:** Defines ` cellsgroups ` claim
151159
152160![ ] ( ../images/connectors/keycloak/keycloak-client-scope-settings.png )
153161
154162Add a new mapper in the scope:
155- - ** Mapper Type:** User Attribute
156- - ** Name:** User Group Mapper
157- - ** User Attribute:** ` cellsgroups `
158- - ** Token Claim Name:** ` cellsgroups `
159- - ** Claim JSON Type:** string
160- - ** Add to ID Token:** On
161- - ** Add to Access Token:** On
162- - ** Add to Userinfo:** On
163- - ** MultiValued:** On
164- - ** Aggregate attribute values:** On
163+
164+ * ** Mapper Type:** User Attribute
165+ * ** Name:** User Group Mapper
166+ * ** User Attribute:** ` cellsgroups `
167+ * ** Token Claim Name:** ` cellsgroups `
168+ * ** Claim JSON Type:** string
169+ * ** Add to ID Token:** On
170+ * ** Add to Access Token:** On
171+ * ** Add to Userinfo:** On
172+ * ** MultiValued:** On
173+ * ** Aggregate attribute values:** On
165174
166175![ ] ( ../images/connectors/keycloak/keycloak-mapping-usermodel-attribute-to-claim.png )
167176
@@ -190,8 +199,8 @@ When the user logs in through Keycloak, the ID Token will look like this:
190199
191200In the Cells Connector configuration, click ` + ADD RULE ` :
192201
193- - ** Left Attribute:** ` cellsgroups `
194- - ** Right Attribute:** ` Roles `
202+ * ** Left Attribute:** ` cellsgroups `
203+ * ** Right Attribute:** ` Roles `
195204
196205![ ] ( ../images/connectors/keycloak/cells-mapping-roles.png )
197206
@@ -205,9 +214,9 @@ This is often due to a missing **`audience` claim** in the token, which is requi
205214
206215## The Root Cause
207216
208- - After authentication, the client gets an ** AccessToken** and ** RefreshToken** .
209- - By default, the AccessToken expires in ~ 10 minutes. Near expiry, the client tries to refresh it.
210- - If the token is missing an ` audience ` claim, the refresh request fails, resulting in a forced logout.
217+ * After authentication, the client gets an ** AccessToken** and ** RefreshToken** .
218+ * By default, the AccessToken expires in ~ 10 minutes. Near expiry, the client tries to refresh it.
219+ * If the token is missing an ` audience ` claim, the refresh request fails, resulting in a forced logout.
211220
212221
213222## How to Test
@@ -251,9 +260,9 @@ cells admin config set "pydio.web.oauth" "staticClients[0]/audience[0]" "https:/
251260
252261Because there are multiple moving parts between Keycloak and Pydio Cells, start Cells in ** debug mode** to:
253262
254- - See detailed error messages.
255- - Inspect full ID Tokens sent by Keycloak.
256- - Verify your claim mappings.
263+ * See detailed error messages.
264+ * Inspect full ID Tokens sent by Keycloak.
265+ * Verify your claim mappings.
257266
258267## Keep Server Clocks in Sync
259268
0 commit comments