Help:VAL and keycloak(RedHat SSO) integration configuration example needed

Dose anybody have experience to deploy protected SPARQL endpoint using Keycloak as third party IdP?

I’ve read article,

But I failed redirect_url settings. Dose anyone know the description about these settings?

Did you follow the steps in that blog post, i.e., have you installed the VAL VAD package?

I assume you want to authenticate identities using Keycloak as the OpenID Connect (OIDC)-compliant Identity Provider (IdP)?

Thank you for your reply.

I’ve installed val.vad package without errors and I believe that I followed the instruction in your article. I can see the my own OIDC button on “protected sparql query service” dialog. then I push it. I redirect to my Keycloak server’s SSO authentication dialog. but unfortunately, got the error at this point. The virtuoso add the URL string redirect_uri=http%3A%2F%2Flocalhost%3A10095%2Fval%2Fapi%2Fthirdparty_callback.
but Keycloak server said this redirect_uri is invalid parameter.

I suppose I have to customize the authenticate.vsp to correct redirect_uri. but I don’t know the way how to customize authenticate.vsp.

Is this assumption correct? and please let me know the how to customize redirect_url in authenticate.vsp.

Thanks in advance.

Where in Keycloak are you setting the redirect_uri parameter? Is there any clear documentation on how this is done ?

Is your Virtuoso server really running on port 10095, and have you also configured the Virtuoso instance to listen on a secure https port and configured the VAL endpoint to map to it?

As @kidehen asked previously, are you seeking to authenticate identities via Virtuoso VAL authentication using Keycloak as the OpenID Connect-compliant Identity Provider (IdP)? Or are you to do the reverse, i.e., authenticate Virtuoso users via Keycloak using Virtuoso as the OpenID Connect-compliant Identity Provider (IdP), as I see examples for MySQL, etc?

I’m sorry for replying so late.

I somehow made my keycloak server and virtuoso 8.3 on my GKE experimental environment. I intend to use keycloak as OpenID Connect compliant IdP, and I want to use Virtuoso as Relying Party (RP). The “invalid redirect_url problem” was occurred from my miss-configuration on keycloak. I added VAL’s callback URL on keycloak’s valid redirect URLs setting dialog. invalid parameter redirect uri problem is fixed.

But another error occurred. I was successfully authenticated from my IdP (Keycloak), and callback to virtuoso, the VAL protected dialog displayed following message.

Failed to fetch service ID from service “XXX”

Considering from VAL documentation and VAL codes, I suppose VAL automatically construct serviceID (based on personalURI?) for custom IdP service that compatible to OpenID connect/OAuth2.0.

Are there any other settings needed for using custom Idp like Keycloak with VAL/Virtuoso?

I look into VAL procedures thirdparty_callback and oauth_id_token. From those procedures, I suppose VAL constructs a content of serviceid from following scopes, openid, email, profile, webid on custom service like keycloak. Is my understanding right?

I looked into procedure get_authentication_details_for_connections, I found comments as follows.

-- Afterwards the 3rd-party service ID or WebID is mapped to an existing SQL user account by the following means:
-- - ODS online account mapping (if ODS is installed)
-- - SPARQL ACL rules mapping service ids to SQL users

Is it necessary installing the ODS package to enable VAL authentication mechanism ? or
Is it necessary to do some additional settings ?

I tried to install ODS framework package into Virtuoso 8.3 Server using conductor interface,
but I failed to install ODS framework package. I got a error.

To enable serviceid from my keycloak server. I have to register several acl rules on my virtuoso server, I suppose.
In the VAL Quick Start Guide, there are some examples how to write acl. but I can’t understand how to write “acl:agent” definition for 3rd party IdP like my keycloak server. Is it possible for someone to let me know how to write these ACLs for 3rd party IdP?

ODS is not mandatory, but is recommended, for use of VAL.

You did not indicate which ODS Framework VAD package you tried to install – i.e., from where you downloaded it. Note that VAD packages are version specific, so you have to get the right version for your Virtuoso binary – e.g., for your Virtuoso 8.3, from here –

If that’s the VAD you tried to install, we cannot help you troubleshoot the installation without the complete error you received!

Thank you for your response.
I downloaded from vad packages from

ODS framework: 2.2.1_git603/ 2019-05-12
VAL: 2.2.2_git226/ 2019-07-29

Virtuoso: 08.03.3314 Build Jul30 2019( from docker hub)

I reinstalled those packages from the beginning, I successfully install ODS Framework and VAL packages. I’m sorry to bother you.
But I still have same error "Failed to fetch service ID from service ".
I suppose I need additional setting to work with 3rd party IdP(Keycloak)
Would you like to give me some comment?

Thanks in advance.

I fixed this problem by myself. I’m sorry to bother you.
I somehow log into my virtuoso sparql endpoint using my keycloak(IdP) without errors.
I have another question. I suppose VAL require the scope “profile” mandatory. Does VAL use the content of “profile” as a identifier for the account ? Is it possible to use the content of profile as the operand of “acl:agent” in VAL ACL definition?

Thanks in advance,

If possible, I would like to ask one more question.
When thirdparty_callback was called. Virtuoso specifies following scope parameters.


When I want to use OIDC1.0 authentication mechanism with virtuoso, Is the “webid” necessary in VAL client implementation ?