
Keycloak authentication in Semaphore


Starting from version 2.8.90, Semaphore supports authentication via OIDC providers such as Keycloak. In this article we walk through how to set up Ansible Semaphore to authenticate users via Keycloak.

Configuring OIDC authentication starts with setting up Keycloak itself.

  1. Set up a new OpenID Connect client
    1. Log in to Keycloak as an admin
    2. Select your realm, if needed
    3. Click Clients
    4. Click Create client
    5. Client type should be OpenID Connect
    6. The Client ID will be used in the Semaphore config, so make a note of what you set it to
    7. The name can be something more descriptive of what this client is for
    8. Click Next
    9. Turn on Client authentication
    10. Click Next
    11. Set the Root URL to the root of your Semaphore install, e.g. https://semaphore.example.com
    12. Set Home URL to /
    13. Set Valid redirect URIs to the Root URL followed by /api/auth/oidc/horwood/redirect (the horwood segment is the provider key, and it must match the key you use in the Semaphore config below)
    14. Set Web origins to the same value as the Root URL
    15. Click Save
  2. Next, add Client scopes
    1. Click Client scopes in your new client
    2. Click the top scope, e.g. test-dedicated
    3. Click Add predefined mapper
    4. Tick email and click Add
    5. Click Add mapper and then From predefined mappers
    6. On the second page of mappers, tick username and profile
  3. Add the config to Semaphore
    1. Open your Semaphore config.json for editing, e.g. vi config.json
    2. Add the block below at the end of the file, inside the top-level object; make sure the item before it ends with a comma, or the JSON will not parse
    "oidc_providers": {
      "horwood": {
        "display_name": "Sign in with keycloak",
        "provider_url": "https://keycloak.example.com/realms/PVE01",
        "client_id": "<CLIID>",
        "client_secret": "<SECRET>",
        "redirect_url": "https://semaphore.example.com/api/auth/oidc/horwood/redirect"
      }
    }

On the login page you should now see a Sign in with keycloak button; clicking it takes you through the normal Keycloak login flow.
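As an added check, not part of the original article or of the Semaphore project, the following Python script does the config.json step by parsing the file and re-serialising it instead of pasting text (so the missing-comma mistake cannot happen), and then verifies that the result is consistent with the Keycloak client: valid JSON, no leftover <CLIID>/<SECRET> placeholders, an https provider_url, and a redirect_url whose path segment matches the provider key. The trimmed sample config is constructed for this example, the example hosts and the horwood key are the article's, and the function names are this example's own.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an existing Semaphore config.json, trimmed to a few keys,
# as it looks before the oidc_providers block from the article is added.
EXISTING_CONFIG = """{
  "web_host": "https://semaphore.example.com",
  "tmp_path": "/tmp/semaphore"
}"""

# The provider block from the article; <CLIID> and <SECRET> are its placeholders.
OIDC_PROVIDERS = {
    "horwood": {
        "display_name": "Sign in with keycloak",
        "provider_url": "https://keycloak.example.com/realms/PVE01",
        "client_id": "<CLIID>",
        "client_secret": "<SECRET>",
        "redirect_url": "https://semaphore.example.com/api/auth/oidc/horwood/redirect",
    }
}

# What a text-only edit looks like when the comma the article warns about is left out:
# the old closing brace is dropped and the new block is pasted in with no separator.
NAIVE_APPEND = EXISTING_CONFIG.rstrip("}") + json.dumps(
    {"oidc_providers": OIDC_PROVIDERS}, indent=2)[1:]


def merge_oidc_providers(config_text: str, providers: dict) -> str:
    """Add (or replace) the top-level oidc_providers object by parsing and
    re-serialising the file, so the output is valid JSON regardless of how the
    original file ended."""
    config = json.loads(config_text)
    config["oidc_providers"] = providers
    return json.dumps(config, indent=2)


def _is_placeholder(value) -> bool:
    text = str(value)
    return text.startswith("<") and text.endswith(">")


def check_oidc_providers(config_text: str, root_url: str) -> list:
    """Return the problems found in the oidc_providers section of config_text.
    root_url is the Root URL entered in the Keycloak client (trailing slash optional).
    An empty list means the section is consistent with the Keycloak client setup."""
    problems = []
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config.json is not valid JSON: {exc}"]

    providers = config.get("oidc_providers")
    if not isinstance(providers, dict) or not providers:
        return ["oidc_providers is missing or empty"]

    root = root_url.rstrip("/")
    required = ("display_name", "provider_url", "client_id", "client_secret", "redirect_url")
    for key, prov in providers.items():
        for field in required:
            if not prov.get(field):
                problems.append(f"{key}: missing {field}")
        for field in ("client_id", "client_secret"):
            if _is_placeholder(prov.get(field, "")):
                problems.append(f"{key}: {field} still holds a placeholder")
        if urlparse(prov.get("provider_url", "")).scheme != "https":
            problems.append(f"{key}: provider_url must use https")
        # Semaphore's callback path embeds the provider key, so the Keycloak
        # Valid redirect URI and this value must agree with the key exactly.
        expected = f"{root}/api/auth/oidc/{key}/redirect"
        if prov.get("redirect_url") != expected:
            problems.append(f"{key}: redirect_url should be {expected}")
    return problems


def discovery_url(provider_url: str) -> str:
    """The OIDC metadata endpoint for provider_url; fetch it (e.g. with curl)
    to confirm the realm path is right before trying the login button."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


if __name__ == "__main__":
    root = "https://semaphore.example.com"
    print("naive text append:", check_oidc_providers(NAIVE_APPEND, root))
    merged = merge_oidc_providers(EXISTING_CONFIG, OIDC_PROVIDERS)
    print("parsed merge:", check_oidc_providers(merged, root))
    print("discovery:", discovery_url(OIDC_PROVIDERS["horwood"]["provider_url"]))
```

To check a real installation, pass the contents of your config.json and the Root URL you entered in Keycloak to check_oidc_providers; the only findings on a correct setup after replacing the placeholders should be none. The discovery_url value is worth fetching once before testing the button: Keycloak versions before 17 serve realms under /auth/realms rather than /realms, and a wrong provider_url fails at that lookup rather than on the login page.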