Configuring Keycloak settings

Last Updated: Jun 10, 2026

About this task

Use this procedure to set up a Keycloak administrator account. Avaya Aura® Device Services configures Keycloak automatically. After the configuration process is complete, you can view and update the default configuration using the Keycloak web administration portal.

If you use the Shibboleth identity provider, you can also upload an identity provider entity descriptor file in XML format.

Important:

You can upload an entity descriptor file using the Avaya Aura® Device Services configuration utility for the Shibboleth identity provider only. For other identity providers, you must upload an entity descriptor file using the Keycloak web administration portal. If you do not upload an entity descriptor file to Keycloak, OAuth will not work.

Before you begin

  • Install Avaya Aura® Device Services.

  • Ensure that you have gathered all information and configured an SSO application on the third-party identity provider. For information about the prerequisites, see Prerequisites for SSO configuration.

  • If you configure the Shibboleth identity provider, obtain the IDPSSODescriptor configuration file in XML format. You can download the file from https://<shibboleth site address>:<port>/idp/shibboleth.

Procedure

  1. On the seed node, run the Avaya Aura® Device Services configuration utility using the app configure command.
  2. Select Keycloak Configuration.
  3. In the Keycloak Admin and Keycloak Admin user’s password fields, provide a user name and password of your choice for the initial Keycloak administrative account.

    These credentials are used to log in to the Keycloak web administration portal. Your password must comply with the password complexity rules.

  4. (Optional) If you are configuring the Shibboleth identity provider, do the following to upload the identity provider configuration file:
    1. Upload the identity provider configuration file to the seed node using a file transfer program, such as SFTP or SCP.
    2. In the IDP XML field, enter y.
    3. In the Custom IDP xml file field, select the IDPSSODescriptor configuration file that you uploaded to Avaya Aura® Device Services.

    If you do not provide the Shibboleth configuration file using the CLI, you must upload this file later using the Keycloak administration portal.

  5. If you want to configure the mapping between attributes used by the identity provider and attributes used by Keycloak, do the following:
    1. In Last Name attribute, provide the Last Name attribute that is used by the identity provider. For example, sn.
    2. In First Name attribute, provide the First Name attribute that is used by the identity provider. For example, givenName.
    3. In Membership attribute, provide the Membership attribute containing role information that is used by the identity provider. For example, memberOf.
    4. In User Role value, provide the User Role value, which comes from the Membership attribute. It must be a full LDAP distinguished name (DN). For example, cn=users,dc=avaya,dc=com.
    5. In Administrator Role value, provide the Administrator Role value, which comes from the Membership attribute. It must be a full LDAP DN. For example, cn=admins,dc=avaya,dc=com.

    You can configure the mapping later using the Keycloak administration portal.

  6. Select Apply.
  7. After the configuration process is complete, select Continue.

Next Steps

If required, view and configure additional Keycloak settings using the Keycloak web administration portal. For more information, see Logging in to the Keycloak web administration portal in Administering Avaya Aura® Device Services.