Manual configuration for Keycloak and Foreman?


We want to setup Keycloak and Foreman without using an admin password on Foreman side. It should be possible to configure everything manually and to have a working client for Keycloak like with any other application.

Is there a way to do it ?

Thank you,

Hey @Trefex
Welcome to the community.

Can you take a look through these docs and see if there is anything missing for what you want to do;: Administering Foreman

I don’t see any requirement on the Foreman side for the admin password.

Hi @mcorr

16.9.2 bullet 2

# keycloak-httpd-client-install --app-name foreman-openidc \
--keycloak-server-url "" \
--keycloak-admin-username "admin" \
--keycloak-realm "Foreman_Realm" \
--keycloak-admin-realm master \
--keycloak-auth-role root-admin \
-t openidc -l /users/extlogin --force



Ah so you mean using the Keycloak admin password on the Foreman side. I assumed a Foreman admin password, which I saw no signs of having to do.

From what I can tell, the Keycloak admin password is a prerequisite outlined from the outset. I will see if anyone else can shed some light on this for me.

hi @Trefex I hope I understand correctly what is the issue here and as far as I know the admin user and password are used to authenticate API calls for keycloak when creating Realm/Client on the Keycloak app. There may be a way to use access token instead of password if this is something you need:

**--initial-access-token** *INITIAL_ACCESS_TOKEN*
realm initial access token for client registeration (default: None)

Hope this helps!

1 Like


I am faced with the problem and I do not see a solution unfortunately in the advice that could be given here .

I’m trying to follow as much I can this documentation :

The keycloak (SSO RH) admin has created a client for an existing realm in the company but does not allow me to use/have a admin/password to run the documented command (keycloak-httpd-client-install) . So I’m in the same situation as the author.

So I set everything that was requested into the documentation excepting the registration of the “keycloak object”. That was done by hand by the keycloack adminstration team.

So, I didn’t run the documented command : “keycloak-httpd-client-install”

But I’m not sure if it is modify also the local httd configuration to make httpd able to apply the keycloak authentication process.

The final command :

foreman-installer --foreman-keycloak true --foreman-keycloak-app-name “PRD-PROD-GUI” --foreman-keycloak-realm “Z-GLOBAL”

2022-05-18 18:13:32 [NOTICE] [root] Loading installer configuration. This will take some time.
2022-05-18 18:13:35 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2022-05-18 18:13:35 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2022-05-18 18:13:36 [NOTICE] [configure] Starting system configuration.
2022-05-18 18:13:46 [NOTICE] [configure] 250 configuration steps out of 1514 steps complete.
2022-05-18 18:13:47 [NOTICE] [configure] 500 configuration steps out of 1516 steps complete.
2022-05-18 18:13:47 [NOTICE] [configure] 750 configuration steps out of 1524 steps complete.
2022-05-18 18:13:47 [NOTICE] [configure] 1000 configuration steps out of 1528 steps complete.
2022-05-18 18:14:00 [NOTICE] [configure] 1250 configuration steps out of 1528 steps complete.
2022-05-18 18:14:00 [NOTICE] [configure] 1500 configuration steps out of 1534 steps complete.
2022-05-18 18:14:03 [NOTICE] [configure] System configuration has finished.
Executing: foreman-rake upgrade:run
At least one field decryption failed, check ENCRYPTION_KEY

The full log is at /var/log/foreman-installer/foreman.log

The settings tab was also well set into the GUI regarding the external authentication
“Configuring Foreman Settings for Keycloak Authentication Using the Web UI” subchapter

but nothing new related into the login GUI to be able to use the SSO with PIV card…

Any idea or even a feddback from the original author ?

It might not be necessary to have access to the admin realm, if you did not run the keycloak-httpd-client-install to autogenerate and connect to keycloak could you please provide the configuration file for keycloak from httpd.conf and maybe a printscreen on how the client is defined in the Keycloak realm, especially the configs in Keys tab.

Also please make sure that the Credentials from Keycloak config of client (like secret) is configured properly on httpd conf

1 Like