In your new client, go to the Credentials tab and copy the Secret, which will have been auto-generated.
Now configure step-ca to accept your client:
$ step ca provisioner add keycloak --type OIDC \
    --client-id step-ca --client-secret 91e078a4-2c29-4dc8-81e9-c03cd36db632 \
    --configuration-endpoint https://keycloak.internal:8443/auth/realms/myRealm/.well-known/openid-configuration
Success! Your `step-ca` config has been updated. To pick up the new configuration SIGHUP (kill -1 <pid>) or restart the step-ca process.
Replace keycloak.internal with your KEYCLOAK_HOSTNAME in the configuration-endpoint,
and replace the client-secret value with the secret you just copied from Keycloak.
Finally, it's time to sign in via Keycloak.
Create a User in Keycloak that you'll use to test your integration.
Your user will need to have a username, email, and password.
(You can set the user's password under the Credentials tab after you create it.)
Now start (or restart) your step-ca instance and run the following:
$ step ssh login email@example.com
Use the same email address as you used for your Keycloak user.
If all goes well, you will be sent to the browser to sign in,
and an SSH certificate will be issued and added to your SSH agent,
with your username and email address as principals.
Our tutorial DIY Single Sign-On for SSH puts this tutorial into a larger context,
detailing how to set up an SSH CA for your users and hosts.
OIDC token issues
If step-ca raises an OIDC token validation error, you can examine the token you receive from Keycloak using the step oauth command. Common causes include:
- The email field in the token is empty; step-ca requires email to be populated.
- The email address used with step ssh login doesn't match the email address of the Keycloak user.
- There is a domains list in the OIDC provisioner configuration, and the email domain in the token isn't listed in domains.
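The following is an added example, not code from this tutorial or from Smallstep: it decodes the claims of a token (such as one printed by step oauth) and checks it against the three causes listed above. The function names and the sample token are constructed for illustration; the script reads claims only and does not verify the signature, which step-ca does itself.

```python
import base64
import json


def decode_jwt_claims(token: str) -> dict:
    """Return the payload (claims) of a compact JWT.

    The signature is deliberately NOT checked here: this is for inspecting
    what Keycloak put in the token. step-ca verifies the signature itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims_for_step_ca(token: str, login_email: str, domains=None) -> list:
    """Report the mismatches listed in the tutorial as causes of token validation errors."""
    claims = decode_jwt_claims(token)
    problems = []
    email = claims.get("email")
    if not email:
        problems.append("email claim is empty; step-ca requires email to be populated")
        return problems
    if email != login_email:
        problems.append(f"token email {email!r} does not match login email {login_email!r}")
    if domains:
        # Domain names are case-insensitive, so compare them lowercased.
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in {d.lower() for d in domains}:
            problems.append(f"email domain {domain!r} is not in the provisioner domains list {list(domains)}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed sample token for offline testing; the signature part is a placeholder."""
    def b64url(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64url({'alg': 'RS256', 'typ': 'JWT'})}.{b64url(claims)}.placeholder-signature"


if __name__ == "__main__":
    token = make_sample_token({"sub": "1234", "email": "alice@example.com"})
    print(check_claims_for_step_ca(token, "alice@example.com", ["example.com"]))
```

To inspect a real token, pass the ID token string from step oauth as the first argument together with the email you gave to step ssh login and the domains list from your provisioner configuration.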
Keycloak TLS certificate issues
There is a known issue in Keycloak
where the TLS certificate and key files are never reloaded by the Docker container after they are renewed,
even if you restart the container.
For now, you'll have to delete the Keycloak container and recreate it once you've renewed your certificate.