How to configure mTLS
mTLS (mutual TLS) is a robust way of authenticating the client: instead of a password, the client presents a certificate issued by a Certificate Authority you trust, and proves possession of the matching private key during the TLS handshake.
To configure mTLS for client authentication, you first need to upload the Certificate Authority (CA) used to issue the client certificates. This certificate chain is used to validate every client certificate presented to the deployment.
This automatically enables mTLS at the load balancer level; a client certificate that validates against the uploaded chain is then forwarded to Keycloak. A certificate that does not chain to the uploaded CA is rejected at the load balancer and never reaches Keycloak.
At this point, most of the work has already been handled by Cloud-IAM. You now need to create a new authentication flow in Keycloak, for instance by duplicating the built-in browser flow.

Then add a new step of type X509/Validate Username Form to the flow.

Finally, select the field to extract from the certificate to identify the user. The most convenient field is usually the Subject's email.
Then select which Keycloak user attribute the extracted value is compared against. This defines the mapping between the client certificate and the actual Keycloak user: the value in the certificate must match the user's attribute exactly, so the CA's issuance policy must guarantee that this field is set correctly for each user.

Once set up, we advise you to test this new authentication flow on a single client first (the account-console, for instance) before binding it realm-wide.
When you access the login page, if you have several possible certificates, or if the browser cannot tell which one matches the CA the server requested, the browser may ask you to select which certificate to send.

Then Keycloak asks for confirmation that you want to be authenticated as the user identified by the certificate.

TIP
To ensure mTLS is properly enabled, run the following command; it returns the client certificate authority (CA) names the server requests during the handshake. If the output instead reads "No client certificate CA names sent", the server is not requesting client certificates and the CA upload should be checked.
echo "" |\
openssl s_client -connect $NAME.cloud-iam.com:443 -state 2>/dev/null |\
grep -A 1 "Acceptable client certificate CA names"
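The mapping step above (certificate field versus Keycloak user attribute) and the TIP's handshake check, as an added example that is not part of Cloud-IAM's documentation or tooling: it builds a throwaway CA, issues a client certificate whose Subject carries the user's e-mail, confirms that the certificate chains to that CA (what the load balancer checks) and that a certificate with the right e-mail but a different issuer does not, then extracts the e-mail value Keycloak will compare with the user. The CA name, the e-mail address, the file names and the `server_accepts_ca` helper are assumptions.

```shell
#!/bin/sh
# Added example, not Cloud-IAM's own tooling. Builds a throwaway CA and a
# client certificate to rehearse the checks the load balancer and Keycloak
# perform. All names below (CA name, e-mail, paths) are assumptions.
set -eu

WORKDIR=$(mktemp -d)
USER_EMAIL="alice@example.com"   # must equal the Keycloak user's email attribute

# The CA whose certificate you would upload to Cloud-IAM (ca.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Client CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" >/dev/null 2>&1
}

# Sanity check before uploading: the file must actually be a CA certificate.
ca_pem_is_ca() {
  openssl x509 -in "$WORKDIR/ca.pem" -noout -ext basicConstraints 2>/dev/null \
    | grep -q "CA:TRUE"
}

# A client certificate issued by that CA, with the user's e-mail in the Subject
# (the field selected in the X509/Validate Username Form step).
issue_client_cert() {
  email="$1"
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=${email}/emailAddress=${email}" \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORKDIR/client.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -out "$WORKDIR/client.pem" >/dev/null 2>&1
}

# What the load balancer does: accept only certificates chaining to ca.pem.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$1" >/dev/null 2>&1
}

# Failure mode: right e-mail, wrong issuer. Such a certificate must be rejected
# before Keycloak sees it; the e-mail mapping alone is never the security boundary.
rogue_cert_rejected() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=${USER_EMAIL}/emailAddress=${USER_EMAIL}" \
    -keyout "$WORKDIR/rogue.key" -out "$WORKDIR/rogue.pem" >/dev/null 2>&1
  ! verify_chain "$WORKDIR/rogue.pem"
}

# The value Keycloak extracts and compares with the user's email attribute.
subject_email() {
  openssl x509 -in "$1" -noout -email
}

# The TIP's check against a live deployment (needs network access): prints the
# CA names the server requests, or "No client certificate CA names sent" when
# mTLS is not enforced. Hypothetical helper; pass your deployment hostname.
server_accepts_ca() {
  echo "" | openssl s_client -connect "$1:443" -state 2>/dev/null \
    | grep -A 5 -e "Acceptable client certificate CA names" \
                -e "No client certificate CA names sent"
}

make_ca
issue_client_cert "$USER_EMAIL"
ca_pem_is_ca || { echo "ca.pem is not a CA certificate" >&2; exit 1; }
verify_chain "$WORKDIR/client.pem" || { echo "client.pem does not chain to ca.pem" >&2; exit 1; }
rogue_cert_rejected || { echo "certificate from an unrelated issuer was accepted" >&2; exit 1; }
echo "all checks passed; Keycloak would match the user with email $(subject_email "$WORKDIR/client.pem")"
```

Run it as-is to rehearse the checks offline; once the CA is uploaded, `server_accepts_ca "$NAME.cloud-iam.com"` should list the Subject of ca.pem among the acceptable CA names.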
Manage mTLS through Cloud-IAM console
WARNING
This feature is in active development; please contact us at support[at]cloud-iam.com.
Cloud-IAM API
The API lets you manipulate the mTLS resources programmatically. Resources can be added, updated and deleted. The example below uploads the CA certificate chain for a deployment:
$ DEPLOYMENT_ID=df47bd9a-f416-4bd1-a2a9-6fc17b41c004
$ TOKEN=$( get-token )
$ curl -X POST -F content=@/tmp/mTLS.pem -H "Authorization: Bearer $TOKEN" \
https://api.cloud-iam.com/deployments/${DEPLOYMENT_ID}/third-parties/mTLS/