I’ve been following the directions at https://osc.github.io/ood-documentation/master/authentication/tutorial-oidc-keycloak-rhel7.html and have an OnDemand server and Keycloak server with Keycloak configured with a User Federation LDAP provider that is our IDM system. I’ve confirmed data transfer between the OnDemand and Keycloak servers and between the Keycloak and IDM servers, but authentication (on OnDemand server with IDM identity) isn’t working. (Keycloak correctly retrieves names, email, etc. from IDM.) The error I’m seeing (invalid_user_credentials) seems to mean invalid password because for a username that doesn’t exist, a different error is obtained.
Differences that I have from the tutorial:
- Tutorial is for keycloak-3.1.0 and I’m using keycloak-4.2.1.
- As a consequence, the Keycloak admin interface is a little different and all settings from steps 2.3 and 2.4 were set for the client as there’s no longer a separate entity of ‘client template’.
- I only completed steps 1-3, not 4 (add custom theme).
(All servers are RHEL 7.5. OnDemand is version 1.3.7.)
Are there any tests I can do to isolate this issue? Is there any specialized config needed for IDM that is different from other identity providers? Might using a newer version of keycloak be better?