How To: Add Keycloak Sign In (Identity Provider) Services to Virtuoso’s Authentication Layer (VAL)

Here are the steps for integrating Keycloak’s Identity Provider Services into VAL, i.e., exposing Keycloak’s OpenID Connect compliant Identity Provider (IdP) functionality as one of the IdP options available via VAL.

Conceptually, the process is as follows:

  1. Register your VAL-enabled Virtuoso instance as an Application (the Relying Party) with Keycloak’s Identity Provider Services
  2. Add Keycloak’s Identity Provider to the collection of IdPs registered with your VAL-enabled Virtuoso instance.

Application (Relying Party) Registration Related Steps

  1. Register an Application with Keycloak (you must have a Keycloak user account)
  2. Register your Application, which includes naming it and setting up a Callback/Redirect URL (https://{cname}/val/api/thirdparty_callback)
  3. Generate a Client Shared Secret (Private Key) for your App

At this juncture you have an Application Client ID and its associated Shared Secret in place for authentication against Keycloak user accounts.

VAL Setup Steps

This is achieved via the Conductor or the OAuth IdP Admin UI (https://{your-instance-cname}/oauth/admin.vsp).

  1. Go to the VAL Admin page https://{cname}/oauth/admin.vsp

  2. Click on the Add New Identity Provider button

  3. Fill in the Service Name, Keycloak issuer Hostname, i.e., http://{CNAME}/realms/{realm}, Application OAuth Client ID, and OAuth Secret, then Save the settings.

  4. Click the Verify button to verify the binding to the created Keycloak IdP service.

  5. Test VAL authentication via the SPARQL endpoint or other services that use VAL for authentication by selecting the now available Keycloak IdP OIDC icon in the VAL Login Dialog, and authenticate with the Keycloak user account associated with the client id & secret of the IdP service added.
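Before entering the issuer and callback values in the VAL admin page, a practitioner will usually want to confirm that the Keycloak realm actually advertises the issuer configured and supports the authorization code flow VAL relies on. The following is an added example (not part of this how-to, nor Virtuoso or Keycloak code) that performs that pre-flight check against a realm's OIDC discovery document; the hostnames and the discovery document are constructed for illustration, and the standard Keycloak discovery path is assumed.

```python
"""Pre-flight validation of a Keycloak OIDC issuer before adding it to VAL.

Added example, not part of the original how-to. Assumes the standard
discovery path {issuer}/.well-known/openid-configuration.
"""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
VAL_CALLBACK_PATH = "/val/api/thirdparty_callback"  # from the how-to above


def fetch_discovery(issuer: str) -> dict:
    """Fetch the live discovery document (network; the offline check below uses a sample)."""
    with urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration") as resp:
        return json.load(resp)


def check_idp_config(issuer: str, redirect_uri: str, discovery: dict) -> list[str]:
    """Return the list of problems found; an empty list means the values are safe to enter."""
    problems = []
    # OIDC Discovery requires the advertised 'issuer' to equal the configured one;
    # a mismatch means ID tokens would be checked against the wrong issuer (or realm).
    if discovery.get("issuer") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: configured {issuer!r}, "
                        f"advertised {discovery.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        if key not in discovery:
            problems.append(f"discovery document lacks {key}")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("IdP does not advertise the authorization code flow")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer is not served over https; codes and client secret travel in clear")
    cb = urlparse(redirect_uri)
    if cb.scheme != "https" or cb.path != VAL_CALLBACK_PATH:
        problems.append(f"redirect URI must be https://{{cname}}{VAL_CALLBACK_PATH}")
    return problems


# Constructed sample of what a Keycloak realm's discovery document typically contains
SAMPLE_DISCOVERY = {
    "issuer": "https://kc.example.org/realms/demo",
    "authorization_endpoint": "https://kc.example.org/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://kc.example.org/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://kc.example.org/realms/demo/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
}

if __name__ == "__main__":
    for issue in check_idp_config("https://kc.example.org/realms/demo",
                                  "https://virtuoso.example.org" + VAL_CALLBACK_PATH,
                                  SAMPLE_DISCOVERY):
        print("WARN:", issue)
```

Replace `SAMPLE_DISCOVERY` with `fetch_discovery(issuer)` to run the same checks against a live realm.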