iits-consulting/terraform-opentelekomcloud-keycloak-sso-oidc

Configure Keycloak as a single sign-on (OIDC) identity provider for Open Telekom Cloud (OTC).

Usage Example:

  module "otc_keycloak_sso_oidc" {
    source               = "iits-consulting/keycloak_sso_oidc/opentelekomcloud"

    keycloak_realm       = "my_keycloak_realm"
    keycloak_domain_name = "https://auth.mydomain.de"
    otc_idp_name         = "my_project_keycloak_SSO-oidc"
    otc_idp_rules        = jsonencode([
      {
        remote = [
          {
            type = "given_name"
          },
          {
            type = "family_name"
          },
          {
            any_one_of = ["OTC-ADMIN", "SYSTEM-ADMINISTRATOR"],
            type       = "groups"
          }
        ],
        local = [
          {
            user = {
              name = "{0} {1}"
            }
          },
          {
            group = {
              name = "admin"
            }
          }
        ]
      }
    ])
  }

Notes:

  • The module requires a functional Keycloak instance and uses the Keycloak Terraform provider.
  • The Keycloak provider must be configured with admin privileges, because the module creates and configures an OIDC client.
  • The rule mapping syntax for OTC is documented in the Open Telekom Cloud identity provider documentation.
  • The variable otc_idp_rules accepts any JSON string, so the rules are fully customizable. For complex rule structures, the rules can be read from a file:
    module "otc_keycloak_sso_oidc" {
      source               = "iits-consulting/keycloak_sso_oidc/opentelekomcloud"
      keycloak_realm       = "my_keycloak_realm"
      keycloak_domain_name = "https://auth.mydomain.de"
      otc_idp_name         = "my_project_keycloak_SSO"
      otc_idp_rules        = file("./path/to/rules.json")
    }
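To see what the rules above do to an actual login, here is an added Python evaluator (not part of this module) that applies a rules JSON, as it would be read from rules.json, to a constructed set of OIDC claims. It assumes the Keystone-style mapping semantics that OTC identity provider rules follow: plain remote entries feed the {0}, {1} placeholders, while any_one_of / not_any_of entries only gate the rule.

```python
import json

# Constructed mapping rules, the same structure as the otc_idp_rules example above
# (this is what ./path/to/rules.json would contain).
RULES_JSON = """[{
  "remote": [{"type": "given_name"}, {"type": "family_name"},
             {"any_one_of": ["OTC-ADMIN", "SYSTEM-ADMINISTRATOR"], "type": "groups"}],
  "local": [{"user": {"name": "{0} {1}"}}, {"group": {"name": "admin"}}]
}]"""
RULES = json.loads(RULES_JSON)


def evaluate_rules(rules, claims):
    """Return {"user": ..., "groups": [...]} for the first matching rule, else None.

    Assumed semantics (Keystone-style federation mapping): every 'remote' entry
    must be satisfied; 'any_one_of' / 'not_any_of' entries only gate the rule,
    plain entries supply the values substituted for {0}, {1}, ... in 'local'.
    """
    for rule in rules:
        positional = []
        for remote in rule["remote"]:
            claim = claims.get(remote["type"])
            if claim is None:
                break                         # required claim missing: rule fails
            values = claim if isinstance(claim, list) else [claim]
            if "any_one_of" in remote:
                if not set(values) & set(remote["any_one_of"]):
                    break                     # none of the allowed values present
            elif "not_any_of" in remote:
                if set(values) & set(remote["not_any_of"]):
                    break                     # a forbidden value is present
            else:
                positional.append(values[0])  # single-valued claim feeds {n}
        else:                                 # no break: all remote entries matched
            result = {"user": None, "groups": []}
            for local in rule["local"]:
                if "user" in local:
                    result["user"] = local["user"]["name"].format(*positional)
                if "group" in local:
                    result["groups"].append(local["group"]["name"].format(*positional))
            return result
    return None


if __name__ == "__main__":
    # Constructed OIDC claims as Keycloak would present them to OTC.
    admin = {"given_name": "Alice", "family_name": "Example",
             "groups": ["developers", "SYSTEM-ADMINISTRATOR"]}
    print(evaluate_rules(RULES, admin))
```

If Keycloak does not emit the groups claim at all (for example, no group membership mapper on the client), the third remote entry never matches and the login is refused, which is the fail-closed behaviour you want from such a rule.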

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.7 |
| curl | ~> 1.0 |
| errorcheck | 3.0.3 |
| keycloak | ~> 5.4 |
| opentelekomcloud | ~> 1.32 |

Providers

| Name | Version |
|------|---------|
| curl | ~> 1.0 |
| errorcheck | 3.0.3 |
| keycloak | ~> 5.4 |
| opentelekomcloud | ~> 1.32 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| errorcheck_is_valid.cert_endpoint_check | resource |
| keycloak_openid_client.otc | resource |
| keycloak_openid_client_default_scopes.otc_default_scopes | resource |
| opentelekomcloud_identity_provider.provider | resource |
| curl_curl.oidc_keys | data source |
| opentelekomcloud_identity_project_v3.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| keycloak_domain_name | The domain name for the Keycloak instance. | string | n/a | yes |
| keycloak_realm | Keycloak realm in which the client is created. | string | n/a | yes |
| otc_idp_name | Name of the identity provider resources in Open Telekom Cloud. | string | n/a | yes |
| otc_idp_rules | JSON string with the identity mapping rules for the OTC identity provider. | string | n/a | yes |
| keycloak_client_name | Keycloak client name for the Open Telekom Cloud IDP client. (Default: otc-login) | string | "otc-login" | no |
| otc_auth_endpoint | Authentication endpoint for Open Telekom Cloud. (Default: auth.otc.t-systems.com) | string | "auth.otc.t-systems.com" | no |

Outputs

| Name | Description |
|------|-------------|
| otc_sso_url | n/a |
