Register Paragon Automation with Keycloak

Anuta ATOM (hereafter ATOM) uses Keycloak to authenticate users. Therefore, to enable ATOM users to use single sign-on to log in to the Paragon Automation GUI, you must register Paragon Automation as a client in Keycloak.

Note:

Ensure that you have the following information before registering Paragon Automation as a client with Keycloak:

  • ATOM Keycloak login credentials

  • Paragon Automation portal IPv4 address

  • IPv4 address of the ATOM primary node

  • Credentials to log in to the ATOM primary node

To register Paragon Automation with Keycloak:

  1. Log in to the ATOM Keycloak UI as an admin user by entering the following URL in your browser:

    https://atom-primary-ipv4-address:32443/auth

    Note:

    If using ATOM version 11.1 or later, you can either use https://atom-primary-ipv4-address:32443/auth or https://atom-vip:443/auth.

  2. If the System realm is not already added in Keycloak, add it. The System realm is generally pre-created.
  3. Add atom (generally pre-created) and paragon-automation as clients under the System realm.
    Note:

    For information on how to add realms and clients in Keycloak, refer to the ATOM API documentation.

  4. In the left navigation menu, select System > Clients.

    The Clients page appears.

  5. Click the atom client.

    The atom page appears.

  6. On the Settings tab, configure the following parameters:
    • Valid Redirect URIs: Enter the following values:

      • https://paragon-automation-portal-ipv4-address/oidc/redirect/callback

        Note:

        You can also obtain the value for the Valid Redirect Uniform Resource Identifier (URI) from the Authorized Redirect URI field on the Add Identity Providers page (Administration > Authentication > Identity Providers > Add Identity Providers) of the Paragon Automation GUI.

      • https://paragon-automation-portal-ipv4-address

      • https://paragon-automation-portal-ipv4-address/iam/auth/oidc/callback
      • https://atom-vip:443/*

        Note:

        If using ATOM version 11.0 or earlier, use https://atom-primary-ipv4-address:32443/*.

        If using ATOM version 11.1 or later, you can either use https://atom-primary-ipv4-address:32443/* or https://atom-vip:443/*.

    • Ensure that the following parameters are turned ON:

      • Enabled

      • Direct Access Grants Enabled

      • Service Accounts Enabled

      • Authorization Enabled

  7. Click Save.
  8. Go back to the Clients page.
  9. Click the paragon-automation client.

    The paragon-automation page appears.

  10. Configure the following parameters:
    • On the Settings tab, ensure that Enabled is turned ON.

    • On the Credentials tab:

      • For Client Authenticator, select Client Id and Secret.

        The client secret is displayed in the Secret field. Copy this value because you will need it when you add ATOM as an identity provider in Paragon Automation.

      • For Valid Redirect URI, enter the following values:

        • https://paragon-automation-portal-ipv4-address/oidc/redirect/callback

        • https://paragon-automation-portal-ipv4-address

        • https://paragon-automation-portal-ipv4-address/iam/auth/oidc/callback
        • https://atom-vip:443/*

          Note:

          If using ATOM version 11.0 or earlier, use https://atom-primary-ipv4-address:32443/*.

          If using ATOM version 11.1 or later, you can either use https://atom-primary-ipv4-address:32443/* or https://atom-vip:443/*.

  11. Click Save to save the paragon-automation configuration in Keycloak.
  12. Log in to the ATOM primary node by using SSH.
  13. Open the oauth2-proxy deployment file present under the atom namespace by executing the following command:

    The file opens in the vi editor.

  14. Add the following value to the - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS field:
    Note:

    If using ATOM version 11.0 or earlier, use https://atom-primary-ipv4-address:32443/auth=paragon-automation.

    If using ATOM version 11.1 or later, you can either use https://atom-primary-ipv4-address:32443/auth=paragon-automation or https://atom-vip:443/auth=paragon-automation.

    Note:

    If values are already present in this field, use comma (,) as the separator.

  15. Save the file by using the :wq command.
  16. Exit from the primary node by using the exit command.
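
The following added example (not part of the original procedure and not Juniper or Anuta code) shows one way to build the new OAUTH2_PROXY_EXTRA_JWT_ISSUERS value from step 14 before pasting it into the deployment file, so that existing comma-separated entries are preserved and a malformed entry is caught before saving. The function names are hypothetical, the sample entries are constructed, and the https-only and no-wildcard checks are assumptions of this example rather than documented requirements.

```python
from urllib.parse import urlsplit


def parse_pair(entry):
    """Split one 'issuer=audience' entry and validate both halves."""
    entry = entry.strip()
    issuer, sep, audience = entry.partition("=")
    if not sep or not audience or "=" in audience:
        raise ValueError(f"not a single issuer=audience pair: {entry!r}")
    if "*" in entry or any(c.isspace() for c in entry):
        raise ValueError(f"wildcard or whitespace in entry: {entry!r}")
    url = urlsplit(issuer)
    if url.scheme != "https" or not url.hostname:
        raise ValueError(f"issuer must be an https URL: {issuer!r}")
    # The issuer string is kept byte-for-byte; it is not normalized here.
    return issuer, audience


def merge_extra_jwt_issuers(current, issuer, audience):
    """Return the field value with issuer=audience present exactly once.

    Existing entries are validated and kept in their original order, so a
    hand-editing slip (missing comma, stray space) fails here, not at runtime.
    """
    new_pair = parse_pair(f"{issuer}={audience}")
    pairs = []
    for entry in filter(None, (e.strip() for e in current.split(","))):
        pair = parse_pair(entry)
        if pair not in pairs:
            pairs.append(pair)
    if new_pair not in pairs:
        pairs.append(new_pair)
    return ",".join(f"{iss}={aud}" for iss, aud in pairs)


if __name__ == "__main__":
    # Constructed sample: one pre-existing entry already in the field.
    existing = "https://idp.example.test/realms/a=svc-a"
    print(merge_extra_jwt_issuers(
        existing, "https://atom-vip:443/auth", "paragon-automation"))
```

Running the merge a second time on its own output returns the same string, so the entry is never duplicated.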

What's Next

Add ATOM as an identity provider and as an external EMS in Paragon Automation. For more information, see Add Anuta ATOM as an Identity Provider and Add Anuta ATOM as an External EMS Application.