Skip to Content
Skip Breadcrumb

Some OpenShift environments require a single sign on ( SSO ) solution with some existing authentication backends like Active Directory and SAML .

Red Hat offers for this a ready to use image which is documented here , you should also take a look in to documentation of RH SSO .

You will need to setup keycloak, which is the product behind the Red Hat SSO.
Please take a loot at RedHat SSO setup for a detail documentation.

Update: There is also now a document to setup Red Hat Single Sign-On for OpenShift

Normally you will go to the keycloak admin GUI and use the interactive setup, which is perfectly okay as long as your setup is only for one environment and only once.

❗ | In case you want to setup the SSO for several environments and several times you want a more reproducible process then the Mouse & Remind process .

I will describe here some commands which you can use to create your own automation scripts and processes.

First of all you will find in the internet the command kcadm to admin keycloak. This is a very handy and useful tool so let us use it for the next steps.

Please download the Standalone server distribution from the keycloak home and extract it.

You should now have in the bin directory the kcadm files as shown in the screenshot.


To be able to run this script you will need a java runtime on the executing machine.

❗ | Please give you some time to create the right command lines and json files for YOUR Setup.

Now you can login into your RedHat SSO (Keycloak)

# kcadm.bat config credentials \
    --server https://secure-sso<your-domain>/auth \
    --realm master \
    --user your-SSO_ADMIN_USERNAME \
    --password your-SSO_ADMIN_PASSWORD

To see more options of the command config credentials just use –help .

Now you can use kcadm with the following commands

Please give you some time to create the right command lines and json files for YOUR .

The commands shown in this blog are created with the browser network tools and the Keycloak API document.

Please take a look into the Support page to find the right Documentation version for your setup.

To create a new realm execute this

and now add the openshift client into the realm.

The important part is the secret.

This secret will be configured into the openshift master config as described in the Chapter OpenID Connect .

the client.json looks like this

Now we need to add the user-federation with Active Directory.

# kcadm create user-federation/instances \
    -f user-federation-YOUR-AD.json \
    -r MY-REALM \

The user-federation json looks like this

The Keycloak is now configured to ask for the user authentication the AD.

Now you need to configure openshift to offer this authentication method to the user. The preferred  way is to Configuring Identity Providers with Ansible to be on the safe site. Openshift can use more then one identity provider, due to this fact you can use a fail-safe htpasswd file for some dedicated administrators.

This is a example line which you can use in your ansible inventory file.

I hope you have tested via curl that the master(s) can reach the URL https://secure-sso<your-domain>/ .

You can run now the ansible playbook which you have used for your setup and hope that you see the new authentication method 😏 .


  • Update: 25.04.2017 - add Client.json
  • Update: 10.08.2018 - Update RH SSO Link to 7.2
  • Update: 10.08.2018 - Add link to RH SSO OpenShift document

You can contact me for any further questions and orders