Configure Keycloak remote JWKS support
The JSON Web Key Set (JWKS) is a set of keys containing the public keys used to verify any JSON Web Token (JWT) issued by the authorization server and signed using the RS256 signing algorithm. When building applications and APIs in Cloud-IAM's Keycloak deployments, four algorithms are supported for signing JWTs: RS256, RS384, RS512 and HS256. RS256 generates an asymmetric signature, which means that a private key must be used to sign the JWT and a different public key must be used to verify the
Popular

API Authentication
The Cloud-IAM API is the best way to automate everything, from deployment lifecycle management to Keycloak extension uploads!
Popular

Keycloak /metrics endpoint
The Cloud-IAM REST API /deployments/deploymentid/metrics endpoint yields functional metrics about your Keycloak in the OpenMetrics text format, which derives from the Prometheus text format. It yields counters regarding various parts of your Keycloak deployment.
Popular

Terraform providers
Cloud-IAM Keycloak deployments are compatible with Keycloak Terraform providers because deployed Keycloaks expose the full Keycloak REST admin API. However, Cloud-IAM does not currently provide a Terraform provider to create or delete deployments. Please contact our support if you are interested.
Some readers

Do Cloud-IAM deployments expose the full Keycloak REST API?
Yes, the full Keycloak REST API is available on most Cloud-IAM subscription plans. To ensure reliability, Cloud-IAM protects the Keycloak REST API with rate limits and quotas.
Few readers

Pulumi Keycloak provider
Cloud-IAM Keycloak deployments are compatible with the Keycloak Pulumi provider because deployed Keycloaks expose the full Keycloak REST admin API. However, Cloud-IAM does not currently provide a Pulumi provider to create or delete deployments. Please contact our support if you are interested. Troubleshooting Sometimes when adding a ne
Few readers

Redirection to a specific Keycloak realm
When browsing a Cloud-IAM Keycloak deployment (e.g. https://DEPLOYEMENTNAME.cloud-iam.com/ ) at the root path /, the user is redirected to the admin console of the master realm by default. Cloud-IAM customers might have one of the following requirements: customize the default / redirect behavior; redirect the user to a specific realm depending on some requirements; set up a static page instead of redirecting the user to the master realm's admin console. These kinds of features are out of
Few readers

What plans have script mappers activated?
The script mapper depends on Keycloak's JavaScript upload profile, which is not activated on Cloud-IAM shared instances (Little Lemur) for security reasons. This feature can be activated on demand on any dedicated plan, starting with Roaring Rabbit, whatever the region or cloud provider targeted.
Few readers

Metrics are missing for a realm
When creating a new realm in a Keycloak deployment, metrics for this realm are not directly available in the Cloud-IAM /metrics REST API endpoint and the Cloud-IAM dashboard. To let Cloud-IAM know that it must observe this realm, connect to the deployment's Keycloak console, select the realm that must be monitored, then go to events then config tab, add metrics-listener in the event listeners section, and don't forget to Save changes. Seconds later, the realm metrics will be available
Few readers

Keycloak TLS configuration
For security reasons, most of the documented Keycloak TLS configuration you may set through environment variables won't have any real impact on your Cloud-IAM deployment. Cloud-IAM load balancers enforce security standards in order to keep you safe. If you need specific customisations, our support team will always be able to answer you.
Few readers

SSL / TLS protocols supported
Cloud-IAM only supports TLS protocol v1.2 and v1.3. We no longer accept any version of the SSL protocol due to previous vulnerabilities.
Few readers