										
									 
								 
							 
							
								
							 
							
								 
							
							
								---
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								title: Keycloak SSO for Kubernetes
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								slug: /deployment/security/keycloak/kubernetes
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								---
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Keycloak SSO for Kubernetes
  
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Check the Helm information [here](https://artifacthub.io/packages/search?repo=open-metadata).
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Once the `Client Id` is generated, see the snippet below for an example of where to
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
							 
							
								 
							
							
								place the Client Id value, and update the authorizer configuration in `values.yaml`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								The configuration below already uses the presets shown in the Keycloak configuration example; replace them with your own values.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								```yaml
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# OpenMetadata Helm values.yaml overrides: authorizer and authentication settings
								# for signing in through Keycloak. Values shown are example presets.
								openmetadata:
								  config:
								    authorizer:
								      className: "org.openmetadata.service.security.DefaultAuthorizer"
								      # Request filter class; going by its name, it checks incoming requests for a JWT.
								      containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
								      # Example preset. Presumably the user names that receive admin rights; list only
								      # accounts that should be administrators (confirm against the OpenMetadata docs).
								      initialAdmins:
								        -  "admin-user"
								      # Example preset; replace with your own domain.
								      principalDomain: "open-metadata.org"
								    authentication:
								      # Keycloak is configured through the generic OIDC provider type.
								      provider: "custom-oidc"
								      # Key-set (JWKS) URLs; the list entries follow below.
								      publicKeys:
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      # Replace {your openmetadata domain} with your own domain. Keep this
								      # "/api/v1/system/config/jwks" entry in the list: it is needed to enable JWT tokens.
								      # NOTE(review): the example uses plain http://. Outside a local test setup, serve
								      # this URL over HTTPS, because the keys fetched from it are used to verify token
								      # signatures and must not be replaceable in transit.
								      -  "http://{your openmetadata domain}/api/v1/system/config/jwks"
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
							 
							
								 
							
							
								      # Keycloak certs endpoint of the example realm "data-sec" (local Keycloak on port 8081).
								      # NOTE(review): localhost and http:// are example presets; in a cluster, use the
								      # address at which Keycloak is actually reachable, over HTTPS.
								      -  "http://localhost:8081/auth/realms/data-sec/protocol/openid-connect/certs"
								      # Base URL of the Keycloak realm (same example realm as the certs URL above).
								      authority: "http://localhost:8081/auth/realms/data-sec"
								      # Replace {Client ID} with the Client Id generated in Keycloak.
								      clientId: "{Client ID}"
								      # Example for a local OpenMetadata on port 8585.
								      # NOTE(review): presumably must match a redirect URI registered for this client
								      # in Keycloak; register the exact URL rather than a wildcard (confirm).
								      callbackUrl: "http://localhost:8585/callback"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								```
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								{% partial file="/v1.2/deployment/configure-ingestion.md" /%}