Installing the Identity Manager

This guide is for developers and integrators.

Some of this documentation is intentionally vague to not reveal production deployment information. If you wish to deploy your own Signata Identity Provider, contact support for assistance.

The links on this page to DigitalOcean are referral links - you can help support the Signata project by using those links to sign up and try DigitalOcean!

Compiling Keycloak

The Signata IdP is not a standard Keycloak build. It is the containerized Keycloak image with the custom Signata authentication provider added during the build.

If you're compiling for the Signata production instance, you can leave the build script as-is. If you're compiling for a different instance (such as your own fork), you will need to modify the PowerShell build scripts so that the container is tagged with the name you wish to use.

cd keycloak-signata-extension/scripts/
./build-production.ps1

If you're using a DigitalOcean docker registry, you will need to log into it first using an API key generated from the DO interface:

doctl auth init
doctl registry login

You can alternatively use docker hub to host the container image, but instructions for that won't be provided here.

Deploying Keycloak

Postgres

Create a new Database Cluster on DigitalOcean. Select your desired datacenter region, and select PostgreSQL v14.

Once provisioned, add a new database called keycloak.

Add a new user also called keycloak.

Once the DigitalOcean App has been deployed (later steps), edit the database and add the app as a Trusted Source so that only the Keycloak app can reach the database over the network.

Container Registry

Create a container registry to host the built docker images for the keycloak app.

In the keycloak-signata-extension repository, use PowerShell to run scripts/build_production.ps1. This compiles the container and pushes the image to your registry.

DigitalOcean App

Create a new DigitalOcean App, using your container registry and the keycloak image you wish to deploy.

Set the following environment variables on the component:

KC_DB_URL = jdbc:postgresql://{public_url}:{port}/keycloak
    Obtain {public_url} and {port} from your managed database configuration.
KC_DB_USERNAME = keycloak
KC_DB_PASSWORD = {password}
    Get the password from your managed database configuration.
KEYCLOAK_ADMIN = {username}
    Set {username} to a username you want to use.
KEYCLOAK_ADMIN_PASSWORD = {password}
    Set {password} to a strong password.
KC_PROXY = edge
KC_HTTP_ENABLED = true
KC_HOSTNAME = {url}
    Set {url} to the public URL that your instance will be hosted at.
KC_HOSTNAME_STRICT_BACKCHANNEL = true
KC_HOSTNAME_STRICT = true

Make sure HTTP Port in the App configuration is set to 8080. This should be sufficient to build and host the container. Don't set the port in the environment variables as that seems to prevent the admin portal from functioning correctly.

The Keycloak instance itself listens on plain HTTP only. DigitalOcean's proxy terminates TLS for the public endpoint, which is what KC_PROXY=edge tells Keycloak to expect.

If the deployment fails with SQL errors, check that the database's public URL and port in KC_DB_URL are correct. DigitalOcean managed Postgres does not use the standard port 5432.
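The variables above are easy to get subtly wrong (a missing port in KC_DB_URL, a strict-hostname flag left at false, a port set in the environment instead of the App settings, a password that is reused or too short). The following pre-flight check is an added example, not part of the Signata project or its scripts: it validates a dictionary of environment variables against the table on this page and renders them as App Platform `envs` entries with the two passwords marked SECRET so they are not stored in plain text. The required keys and fixed values come from the table; the 16-character minimum password length, the `KC_HTTP_PORT`/`PORT` check and the sample values are assumptions made here.

```python
"""Pre-flight check for the Keycloak environment variables from the table above.

Added example, not part of the Signata project. Required keys and fixed
values follow the table on this page; MIN_PASSWORD_LEN, FORBIDDEN_KEYS and
the sample configs are assumptions constructed for illustration.
"""
import re

# Keys the table says must be present; a value of None means deployment-specific.
REQUIRED = {
    "KC_DB_URL": None,
    "KC_DB_USERNAME": "keycloak",
    "KC_DB_PASSWORD": None,
    "KEYCLOAK_ADMIN": None,
    "KEYCLOAK_ADMIN_PASSWORD": None,
    "KC_PROXY": "edge",
    "KC_HTTP_ENABLED": "true",
    "KC_HOSTNAME": None,
    "KC_HOSTNAME_STRICT_BACKCHANNEL": "true",
    "KC_HOSTNAME_STRICT": "true",
}
# Values that must be stored as secrets in the app spec (tuple keeps ordering deterministic).
SECRET_KEYS = ("KC_DB_PASSWORD", "KEYCLOAK_ADMIN_PASSWORD")
# The page says not to set the port via environment variables; assumed key names.
FORBIDDEN_KEYS = ("KC_HTTP_PORT", "PORT")
MIN_PASSWORD_LEN = 16  # assumption, not a Keycloak requirement

# jdbc:postgresql://host:port/keycloak, with the port mandatory (DO does not use 5432).
JDBC_RE = re.compile(r"^jdbc:postgresql://(?P<host>[^:/]+):(?P<port>\d{1,5})/keycloak$")


def check_keycloak_env(env):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    for key, fixed in REQUIRED.items():
        if not env.get(key):
            findings.append(f"{key} is missing")
        elif fixed is not None and env[key] != fixed:
            findings.append(f"{key} must be '{fixed}', got '{env[key]}'")
    for key in FORBIDDEN_KEYS:
        if key in env:
            findings.append(f"{key} must not be set; configure the port in the App settings")
    url = env.get("KC_DB_URL", "")
    match = JDBC_RE.match(url)
    if url and not match:
        findings.append("KC_DB_URL must look like jdbc:postgresql://host:port/keycloak")
    elif match and not 1 <= int(match["port"]) <= 65535:
        findings.append("KC_DB_URL port is out of range")
    for key in SECRET_KEYS:
        value = env.get(key, "")
        if value and len(value) < MIN_PASSWORD_LEN:
            findings.append(f"{key} is shorter than {MIN_PASSWORD_LEN} characters")
    if env.get("KC_DB_PASSWORD") and env.get("KC_DB_PASSWORD") == env.get("KEYCLOAK_ADMIN_PASSWORD"):
        findings.append("KC_DB_PASSWORD and KEYCLOAK_ADMIN_PASSWORD must differ")
    return findings


def to_app_spec_envs(env):
    """Render the variables as App Platform 'envs' entries, marking passwords SECRET."""
    entries = []
    for key, value in sorted(env.items()):
        entry = {"key": key, "value": value, "scope": "RUN_TIME"}
        if key in SECRET_KEYS:
            entry["type"] = "SECRET"
        entries.append(entry)
    return entries


# Constructed sample: a config with several mistakes (no port, weak reused
# password, strict hostname disabled, backchannel flag missing, port in env).
WEAK_ENV = {
    "KC_DB_URL": "jdbc:postgresql://db.example.test/keycloak",
    "KC_DB_USERNAME": "keycloak",
    "KC_DB_PASSWORD": "hunter2",
    "KEYCLOAK_ADMIN": "admin",
    "KEYCLOAK_ADMIN_PASSWORD": "hunter2",
    "KC_PROXY": "edge",
    "KC_HTTP_ENABLED": "true",
    "KC_HOSTNAME": "id.example.test",
    "KC_HOSTNAME_STRICT": "false",
    "KC_HTTP_PORT": "8080",
}

# Constructed sample: the same deployment with the table's values applied.
GOOD_ENV = {
    "KC_DB_URL": "jdbc:postgresql://db.example.test:25060/keycloak",
    "KC_DB_USERNAME": "keycloak",
    "KC_DB_PASSWORD": "constructed-db-secret-0123456789",
    "KEYCLOAK_ADMIN": "signata-admin",
    "KEYCLOAK_ADMIN_PASSWORD": "constructed-admin-secret-9876543210",
    "KC_PROXY": "edge",
    "KC_HTTP_ENABLED": "true",
    "KC_HOSTNAME": "id.example.test",
    "KC_HOSTNAME_STRICT_BACKCHANNEL": "true",
    "KC_HOSTNAME_STRICT": "true",
}

if __name__ == "__main__":
    for name, env in (("weak", WEAK_ENV), ("good", GOOD_ENV)):
        print(name, check_keycloak_env(env) or "OK")
```

Run it before creating the App; the `to_app_spec_envs` output can be pasted into the `envs` section of an App Platform spec, where the `SECRET` type keeps the two passwords encrypted at rest instead of visible in the spec.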

Keycloak Configuration

Create Realm

Click Add Realm.

Set the name to Signata and click Create.

Configure Authentication

Click Authentication in the left menu.

In Flows, click New.

Set the Alias to Signata and click Save.

Click Add execution.

Select Signata Signature and click Save.

Set the Signata Signature to REQUIRED. Under Actions click Config.

Set the Alias to Signata, and set the Infura Id and Node URLs to the values provided by Infura. Set the Timeout to 120. Click Save.
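The realm and flow steps above are clicked through the admin console, which is hard to repeat identically across instances. The script below is an added example, not part of the Signata project, that performs the same sequence (create realm, create flow, add the execution, set it to REQUIRED, store the authenticator config) through the standard Keycloak Admin REST API. The endpoints and the realm/flow/execution payload shapes are the Admin API's own; the authenticator provider id (`SIGNATA_PROVIDER_ID`) and the config key names for the Infura Id, Node URLs and Timeout are placeholders that must be replaced with the values from the keycloak-signata-extension source.

```python
"""Scripted version of the 'Create Realm' and 'Configure Authentication' steps.

Added example, not part of the Signata project. Endpoints and payload shapes
are the standard Keycloak Admin REST API; SIGNATA_PROVIDER_ID and CONFIG_KEYS
are placeholders to be taken from the extension's source.
"""
import json
import urllib.parse
import urllib.request

SIGNATA_PROVIDER_ID = "signata-signature-authenticator"  # placeholder, assumed
CONFIG_KEYS = {"infura_id": "infuraId", "node_urls": "nodeUrls", "timeout": "timeout"}  # placeholders


def realm_payload(name="Signata"):
    # "Add Realm" with the name Signata.
    return {"realm": name, "enabled": True}


def flow_payload(alias="Signata"):
    # "Flows > New" creates a top-level custom flow of type basic-flow.
    return {"alias": alias, "providerId": "basic-flow", "topLevel": True,
            "builtIn": False, "description": "Signata signature login"}


def execution_payload(provider=SIGNATA_PROVIDER_ID):
    # "Add execution" and select the Signata Signature authenticator.
    return {"provider": provider}


def required(execution):
    # "Set the Signata Signature to REQUIRED": the execution is PUT back with
    # only its requirement changed.
    updated = dict(execution)
    updated["requirement"] = "REQUIRED"
    return updated


def config_payload(infura_id, node_urls, timeout=120, alias="Signata"):
    # "Under Actions click Config": alias plus the authenticator's own settings.
    # Joining the node URLs with commas is an assumption about the extension.
    return {"alias": alias, "config": {
        CONFIG_KEYS["infura_id"]: infura_id,
        CONFIG_KEYS["node_urls"]: ",".join(node_urls),
        CONFIG_KEYS["timeout"]: str(timeout),
    }}


def _call(base, token, method, path, body=None, form=None):
    """Minimal JSON/form HTTP helper; raises on any non-2xx response."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    data = None
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(base + path, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def admin_token(base, username, password):
    """Password grant for the master realm's admin-cli client (KEYCLOAK_ADMIN credentials)."""
    tok = _call(base, None, "POST", "/realms/master/protocol/openid-connect/token",
                form={"grant_type": "password", "client_id": "admin-cli",
                      "username": username, "password": password})
    return tok["access_token"]


def configure_signata(base, token, infura_id, node_urls):
    """Run the console steps in order against a live instance at `base` (e.g. https://{url})."""
    realm, flow = "Signata", "Signata"
    _call(base, token, "POST", "/admin/realms", body=realm_payload(realm))
    _call(base, token, "POST", f"/admin/realms/{realm}/authentication/flows", body=flow_payload(flow))
    _call(base, token, "POST",
          f"/admin/realms/{realm}/authentication/flows/{flow}/executions/execution",
          body=execution_payload())
    executions = _call(base, token, "GET", f"/admin/realms/{realm}/authentication/flows/{flow}/executions")
    sig = next(e for e in executions if e.get("providerId") == SIGNATA_PROVIDER_ID)
    _call(base, token, "PUT", f"/admin/realms/{realm}/authentication/flows/{flow}/executions",
          body=required(sig))
    _call(base, token, "POST", f"/admin/realms/{realm}/authentication/executions/{sig['id']}/config",
          body=config_payload(infura_id, node_urls))
```

Obtain a token with `admin_token(base, KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_PASSWORD)` and pass it to `configure_signata`; every call raises on a non-2xx response, so a failed step stops the sequence rather than leaving a half-configured flow unnoticed.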

Create Client

Click on Clients in the left menu.
