Use Keycloak to configure a plugin that enables RSA token authentication.
Access to the Keycloak UI is needed.
Verify the Shasta domain is being used.
This is indicated in the dropdown in the upper left of the UI.
Click on Authentication
under the Configure
header of the navigation area on the left side of the page.
Click on the Flows
tab.
Click the dropdown button in the table header and switch to Browser
.
Click the Copy
button in the table header.
Enter RSA - Browser
for the New Name
type.
Click the Add execution
button in the table header.
Switch the Provider
to RSA
and click Save
.
Update the Requirement
field.
Set the table values to the following:
Field | Requirement |
---|---|
RSA - Browser Forms |
REQUIRED |
Username Password Form |
REQUIRED |
RSA - Browser - Conditional OTP |
CONDITIONAL |
Condition - User Configured |
DISABLED |
OTP Form |
DISABLED |
RSA |
REQUIRED |
Click the Actions
dropdown on the RSA
line of the table, then select Config
.
Enter the different configuration options:
Configuration Field | Value |
---|---|
Alias |
Enter the desired alias. For example, RSA could be used. |
RSA URL |
The base URL of the RSA API service. For example, https://rsa.mycompany.com:5555/ |
RSA Verify Endpoint |
/mfa/v1_1/authn/initialize |
Keycloak Client ID |
The authentication agent. For example, rsa.mycompany.com . The value is from Access > Authentication Agents > Manage Existing in the RSA Console . |
RSA Authentication Manager Client Key |
The key for the RSA API. |
Set the Shared username
if applicable.
If the usernames are the same in Keycloak and RSA, then this can be set to ON
. This means that the browser flow will not ask for the username for the RSA validation.
Click Save
.
Return to the Flows
tab on the Authentication
page.
Click the dropdown button in the table header and switch to Direct Grant
.
Click the Copy
button in the table header.
Enter RSA - CLI
for the New Name
type.
Click the Add execution
button in the table header.
Switch the Provider
to RSA - CLI
and click Save
.
Update the Requirement
field.
Set the table values to the following:
Field | Requirement |
---|---|
RSA - CLI |
REQUIRED |
RSA - CLI Direct Grant - Conditional OTP |
DISABLED |
Click Save
.
Switch to the Bindings
tab in the Authentication
page.
Change Browser Flow
to RSA - Browser
.
Change Direct Grant Flow
to RSA - CLI
.
Click Save
.
After this is set up, verify that it is working:
Point a browser at the following URL: http://auth.SYSTEM_DOMAIN_NAME/keycloak/realms/shasta/account
The browser will be directed to the user login page. The first screen will ask for the username and password in Keycloak. After logging in this way, the next page will ask for the RSA username and token code.
Get a token using the direct grant flow.
Replace USER
with a user in Keycloak, PWD_NAME
with the user’s password, RSA_USER
with the user in RSA, and TOKEN_CODE
with the token code:
ncn-mw# curl -i -d grant_type=password -d client_id=shasta -d username=USER \
-d password=PWD_NAME -d rsa_username=RSA_USER -d rsa_otp=TOKEN_CODE \
https://api-gw-service-nmn.local/keycloak/realms/shasta/protocol/openid-connect/token