Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Register Paragon Automation with Keycloak


Ensure that you have the following information before registering Paragon Automation as a client with Keycloak:

  • ATOM Keycloak IPv4 address

  • Paragon Automation portal IPv4 address

  • IPv4 address of the ATOM primary node

  • Credentials to log in to the ATOM primary node

Anuta ATOM (hereafter ATOM) uses Keycloak for authenticating users. Therefore, to enable ATOM users to use single sign-on to log in to Paragon Automation GUI, you must register Paragon Automation as a client in Keycloak.

To register Paragon Automation with Keycloak:

What's Next

Add ATOM as an identity provider and as an external EMS in Paragon Automation. For more information, see Add Anuta ATOM as an Identity Provider and Add Anuta ATOM as an External EMS Application.

  1. Log in to the ATOM Keycloak UI as an admin user by entering the following URL in your browser:

  2. If the System realm is not already added in Keycloak, add it.
  3. Add atom and paragon-automation as clients under the System realm.

    For information on how to add realms and clients in Keycloak, refer to the ATOM API documentation.

  4. In the left navigation menu, select System > Clients.

    The Clients page appears.

  5. Click atom.

    The atom page appears.

  6. On the Settings tab, configure the following parameters:
    • Valid Redirect URIs: Enter the following values:

      • https://paragon-automation-portal-ipv4-address/oidc/redirect/callback


        You can also obtain the value for the Valid Redirect Uniform Resource Indicator (URI) from the Authorized Redirect URI field on the Add Identity Providers page (Administration > Authentication > Identity Providers > Add Identity Providers) of the Paragon Automation GUI.

      • https://paragon-automation-portal-ipv4-address

      • https://atom-primary-ipv4-address:32443/*

    • Ensure that the following parameters are turned ON:

      • Enabled

      • Direct Access Grants Enabled

      • Service Accounts Enabled

      • Authorization Enabled

  7. Click Save.
  8. Go back to the Clients page.
  9. Click paragon-automation.

    The paragon-automation page appears.

  10. Configure the following parameters:
    • On the Settings tab, ensure that Enabled is turned ON.

    • On the Credentials tab:

      • For Client Authenticator, select Client Id and Secret.

        The client secret is displayed in the Secret field. Copy this value because you will need it when you add ATOM as an identity provider in Paragon Automation.

      • For Valid Redirect URI, enter the following values:

        • https://paragon-automation-portal-ipv4-address/oidc/redirect/callback

        • https://paragon-automation-portal-ipv4-address

        • https://atom-primary-ipv4-address:32443/*

  11. Click Save to save the paragon-automation configuration in Keycloak.
  12. Log in to the ATOM primary node by using SSH.
  13. Open the oauth2-proxy deployment file present under the atom namespace by executing the following command:

    The file opens in vi editor.

  14. Add the following value to the - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS field:

    If there are values already present in this field, use comma (,) as the separator.

  15. Save the file by using the wq: command.
  16. Exit from the primary node by using the exit command.