Installing the Identity Manager
Last updated
Last updated
This guide is for developers and integrators.
Some of this documentation is intentionally vague to not reveal production deployment information. If you wish to deploy your own Signata Identity Provider, contact support for assistance.
The links on this page to DigitalOcean are referral links - you can help support the Signata project by using those links to sign up and try DigitalOcean!
The Signata IdP is not a standard version of keycloak. It is the containerized version of keycloak with a custom Signata authentication provider injected during build.
If you're compiling for the Signata production instance, you can leave the build script as-is. If you're compiling for a different instance (like your own fork), then you will need to modify the build PowerShell scripts to tag the container with the name you wish to use.
If you're using a DigitalOcean docker registry, you will need to log into it first using an API key generated from the DO interface:
You can alternatively use docker hub to host the container image, but instructions for that won't be provided here.
Create a new Database Cluster on DigitalOcean. Select your desired datacenter region, and select PostgreSQL v14.
Once provisioned, add a new database called keycloak.
Add a new user also called keycloak.
Once you've deployed the DigitalOcean App in later steps, edit the database to add it as a Trusted Source to limit network traffic to only the keycloak app.
Create a container registry to host the built docker images for the keycloak app.
In the keycloak-signata-extension repository, use PowerShell to run scripts/build_production.ps1. This will compile the container, and push the image to your registry.
Create a new DigitalOcean App, using your container registry and the keycloak image you wish to deploy.
Set the following environment variables on the component:
KC_DB_URL
jdbc:postgresql://{public_url}:{port}/keycloak
Obtain {public_url} and {port} from your managed database configuration
KC_DB_USERNAME
keycloak
KC_DB_PASSWORD
{password}
Get the password from your managed database configuration
KEYCLOAK_ADMIN
{username}
Set {username} to a username you want to use
KEYCLOAK_ADMIN_PASSWORD
{password}
Set {password} to a strong password
KC_PROXY
edge
KC_HTTP_ENABLED
true
KC_HOSTNAME
{url}
Set {url} to the public URL that your instance will be hosted at
KC_HOSTNAME_STRICT_BACKCHANNEL
true
KC_HOSTNAME_STRICT
true
Make sure HTTP Port in the App configuration is set to 8080. This should be sufficient to build and host the container. Don't set the port in the environment variables as that seems to prevent the admin portal from functioning correctly.
The keycloak instance will just listen on HTTP. As DO performs the traffic proxying, it will handle all TLS configuration for the public endpoint.
If your deployment fails and you're getting SQL errors, make sure the public URL for your database is correct as well as the port. DO postgres doesn't use the standard 5432 port.
Click Add Realm.
Set the name to Signata and click Create.
Click Authentication in the left menu.
In Flows, click New.
Set the Alias to Signata and click Save.
Click Add execution.
Select Signata Signature and click Save.
Set the Signata Signature to REQUIRED. Under Actions click Config.
Set the Alias to Signata, the Infura Id and Node URLs to the keys provided by Infura. Set the Timeout to 120. Click Save.
Click on Clients in the left menu.