Signing up with Keycloak

Prerequisites

  • A Keycloak instance.
  • Administrator access to the relevant Realm.

Configure Keycloak

Step 1: Create and Configure Client

Create a new Client under the Realm you want to use. Follow the configuration tabs below:

  1. Set Client type to OpenID Connect.
  2. Choose a ClientID (e.g., xplicittrust) and a Name.
  3. Important: Note down the Client ID for later.

General Settings

  1. Enable Client authentication.
  2. Under Authentication flow, select:
    • Standard flow
    • Service account roles
    • OAuth 2.0 Device Authorization Grant
  3. As PKCE Method, select S256.

Capability Config

  1. Locate the Valid Redirect URIs field.
  2. Copy and paste the following URL:
    https://api.xplicittrust.com:443/v1.0/auth/callback/oidc
    

Login Settings

Step 2: Credentials and Roles

  1. Navigate to the Credentials tab and copy the Client Secret. You will need it for the final signup step.
  2. Navigate to the Roles tab and create two new roles:
    • admin (Grants administrative access to the XplicitTrust Admin Portal)
    • user (Allows users to sign in at the XplicitTrust Agent)

Client Roles

  1. Navigate to Service Account Roles:
    • Click Assign Role.
    • Filter by client realm-management.
    • Assign the following roles: query-groups, view-users.

Service Account Roles

Step 3: Configure Scopes and Mappers

Navigate to Client Scopes and click on the XplicitTrust-dedicated scope (usually named <Client-ID>-dedicated).

  1. Click Add mapper → By configuration.
  2. Select Group Membership.
  3. Configure:
    • Name: groups
    • Token Claim Name: groups

Group Mapper

  1. Click Add mapper → From predefined mappers.
  2. Select client roles.
  3. Edit the new mapper:
    • Client ID: XplicitTrust
    • Token Claim Name: roles
    • Enable Add to ID token.
    • Enable Add to lightweight access token.

Role Mapper

  1. Switch to the Scope tab.
  2. Disable Full scope allowed.
  3. Assign the following roles from realm-management:
    • query-groups
    • view-users

Scope Settings

Step 4: Groups

  1. Navigate to the main Groups page in the sidebar.
  2. Create two groups: XplicitTrust Administrators and XplicitTrust Users.
  3. Edit each group and assign the Client Roles you created earlier (admin or user) to the corresponding group.
  4. Add your actual users to these groups now.

Sign Up

Gather Information

Ensure you have the following three items ready:

  1. Client ID (from Step 1)
  2. Client Secret (from Step 2)
  3. Issuer URL
    • To find this: Go to Realm Settings → General. Click the link OpenID Endpoint Configuration. Copy the value inside "issuer": "...".
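An added example, not XplicitTrust's or Keycloak's own code: a pre-flight check that the issuer URL matches the realm's discovery document and that a token issued for the client carries the `groups` and `roles` claims configured in Step 3. The host, realm name and token contents are constructed placeholders, and the payload is decoded without signature verification, so this inspects configuration only.

```python
import base64
import json

def jwt_payload(token):
    """Decode the payload segment of a JWT WITHOUT verifying the signature."""
    segment = token.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_discovery(doc, expected_issuer):
    """Return a list of problems found in the realm's discovery document."""
    problems = []
    if doc.get("issuer") != expected_issuer:  # exact match, trailing slash matters
        problems.append("issuer mismatch: %r" % doc.get("issuer"))
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("realm does not advertise PKCE S256")
    if not doc.get("device_authorization_endpoint"):
        problems.append("no device_authorization_endpoint advertised")
    return problems

def check_id_token(token, expected_issuer, client_id):
    """Return a list of problems with the claims the mappers should emit."""
    claims = jwt_payload(token)
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss does not match the issuer URL")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the client ID")
    if not isinstance(claims.get("groups"), list):
        problems.append("groups claim missing (Group Membership mapper)")
    roles = claims.get("roles")
    if not isinstance(roles, list) or not {"admin", "user"} & set(roles):
        problems.append("roles claim lacks admin/user (client roles mapper)")
    return problems

def make_sample_token(claims):
    """Build a constructed token with a placeholder signature, for the demo only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "%s.%s.placeholder" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims))

# Constructed sample values; keycloak.example.com and the realm name are placeholders.
ISSUER = "https://keycloak.example.com/realms/example"
DISCOVERY = {"issuer": ISSUER, "code_challenge_methods_supported": ["plain", "S256"],
             "device_authorization_endpoint": ISSUER + "/protocol/openid-connect/auth/device"}
GOOD = make_sample_token({"iss": ISSUER, "aud": "xplicittrust",
                          "groups": ["/XplicitTrust Administrators"], "roles": ["admin"]})
BAD = make_sample_token({"iss": ISSUER, "aud": "xplicittrust", "groups": []})

if __name__ == "__main__":
    for result in (check_discovery(DISCOVERY, ISSUER), check_id_token(GOOD, ISSUER, "xplicittrust"),
                   check_id_token(BAD, ISSUER, "xplicittrust")):
        print(result or "ok")
```

The discovery document describes the realm, not the individual client, so the PKCE and device-flow checks only confirm that the realm offers what Step 1 enables on the client.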

Connect XplicitTrust

  1. Visit the signup page: https://console.xplicittrust.com/#/signup/keycloak
  2. Enter your credentials.

    Sign Up Screen

  3. Click Signup and follow the OpenID Connect login process.

  4. Success! You can now access the portal at https://console.xplicittrust.com/