Keycloak Provider

1. Overview

Keycloak serves as the SAML/OIDC Identity Provider (IdP) for the DomusDigitalis home enterprise network.

2. Why Keycloak?

Reason            Details
Open Source       Free, self-hosted, full control over data
Protocol Support  SAML 2.0, OpenID Connect, OAuth 2.0
Mature            Maintained by Red Hat, battle-tested
Flexible          User federation, group mapping, custom themes
Docker-friendly   Easy deployment as a container

3. Infrastructure

Component        Value
Hostname         keycloak-01.inside.domusdigitalis.dev
Port             8443 (HTTPS only)
OS               Fedora Cloud (KVM VM)
Container        Docker/Podman
Database         PostgreSQL
TLS Certificate  DOMUS PKI (Vault-issued)

4. Realm

Single unified realm: domusdigitalis

Setting                 Value
Display Name            DomusDigitalis Identity
SSL Required            external (Keycloak enforces HTTPS only for requests from non-private addresses; since the instance listens on 8443/HTTPS only, plain HTTP is never offered anyway. "all" is the stricter value.)
User Registration       Disabled (admin-only)
Brute Force Protection  Enabled

5. Clients

5.1. SAML Clients

Client           Application
CiscoISE/<uuid>  Cisco ISE Admin Portal

5.2. OIDC Clients

Client        Application
gitea         Gitea Git Server
synology-nas  Synology NAS
ipsk-manager  iPSK Manager

6. Groups

Group            Purpose                Maps to ISE
ise-super-admin  Full ISE admin access  Super Admin
ise-read-only    ISE read-only access   Read Only Admin
ise-helpdesk     ISE helpdesk access    Helpdesk Admin
ise-ers-admin    ISE ERS API only       ERS Admin
gitea-admin      Gitea admin            N/A
gitea-user       Standard Gitea user    N/A
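The realm settings in section 4 and the group-to-ISE mapping in section 6 are the two things most likely to drift silently (someone toggles registration on for a test, or a helpdesk user is also dropped into a second ISE group). The script below audits a realm export against both. It is an added example, not DomusDigitalis tooling: the input shape follows Keycloak's RealmRepresentation JSON (as produced by `kc.sh export` or the admin API), and the sample export, including the usernames and the two deliberate drifts, is constructed inline so the check runs offline.

```python
"""Audit a Keycloak realm export against the settings documented on this page.

Added example, not DomusDigitalis tooling. Input shape follows Keycloak's
RealmRepresentation (the JSON from `kc.sh export` / the admin API); the
sample export below is constructed so the check runs offline.
"""
import json

# Documented baseline for the domusdigitalis realm (section 4 of this page).
EXPECTED_REALM = {
    "realm": "domusdigitalis",
    "sslRequired": "external",
    "registrationAllowed": False,
    "bruteForceProtected": True,
}

# Groups that grant a Cisco ISE admin role (section 6). Keycloak exports
# group membership as paths with a leading slash. A user should sit in at
# most one of these: ISE resolves a single admin group per login, so a second
# membership is at best confusing and at worst a silent privilege change.
ISE_GROUPS = {"/ise-super-admin", "/ise-read-only", "/ise-helpdesk", "/ise-ers-admin"}

# Constructed realm export with two deliberate drifts (self-registration
# enabled, one user in two ISE groups) and a super-admin to surface for review.
SAMPLE_EXPORT = json.dumps({
    "realm": "domusdigitalis",
    "displayName": "DomusDigitalis Identity",
    "sslRequired": "external",
    "registrationAllowed": True,
    "bruteForceProtected": True,
    "users": [
        {"username": "alice", "enabled": True, "groups": ["/ise-super-admin", "/gitea-admin"]},
        {"username": "bob", "enabled": True, "groups": ["/ise-helpdesk", "/ise-read-only"]},
        {"username": "svc-ipsk", "enabled": True, "groups": ["/ise-ers-admin"]},
        {"username": "carol", "enabled": False, "groups": ["/gitea-user"]},
    ],
})


def audit_realm_settings(realm: dict) -> list[str]:
    """Return one finding per realm setting that differs from the documented baseline."""
    findings = []
    for key, expected in EXPECTED_REALM.items():
        actual = realm.get(key)
        if actual != expected:
            findings.append(f"realm.{key}: expected {expected!r}, found {actual!r}")
    return findings


def audit_ise_memberships(users: list[dict]) -> list[str]:
    """Flag users in more than one ISE admin group and list super-admins for review.

    Disabled accounts are skipped: they cannot log in, so their groups are noise.
    """
    findings = []
    for user in users:
        if not user.get("enabled", True):
            continue
        ise = sorted(ISE_GROUPS.intersection(user.get("groups", [])))
        if len(ise) > 1:
            findings.append(f"user {user['username']}: multiple ISE groups {ise}")
        if "/ise-super-admin" in ise:
            findings.append(f"user {user['username']}: member of /ise-super-admin (review)")
    return findings


def audit_export(export_json: str) -> list[str]:
    """Run both checks over a realm export (JSON text) and return all findings."""
    realm = json.loads(export_json)
    return audit_realm_settings(realm) + audit_ise_memberships(realm.get("users", []))


if __name__ == "__main__":
    for line in audit_export(SAMPLE_EXPORT) or ["no findings"]:
        print(line)
```

Against a real export, feed the file contents to audit_export; the user list is only present when the realm was exported with users included.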

7. Documentation

8. Quick Commands

# Check Keycloak container (substitute podman for docker if the host runs Podman)
ssh keycloak-01 'sudo docker ps --filter name=keycloak'

# View logs
ssh keycloak-01 'sudo docker logs keycloak --tail 50'

# Restart
ssh keycloak-01 'sudo docker restart keycloak'

# Download SAML IdP metadata. The certificate is DOMUS PKI (Vault-issued), so verify
# against that chain rather than skipping verification with -k; DOMUS_CA_BUNDLE is
# the path to the DOMUS PKI root CA file on the workstation.
curl -sS --cacert "$DOMUS_CA_BUNDLE" \
  https://keycloak-01.inside.domusdigitalis.dev:8443/realms/domusdigitalis/protocol/saml/descriptor
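What an SP operator (Cisco ISE here) actually needs out of that descriptor is the entity ID, the signing certificate fingerprint to pin, and the SSO endpoints, plus a check that none of them is weaker than expected. The script below parses the descriptor and reports such findings. It is an added example, not part of the DomusDigitalis setup: the sample descriptor is constructed to mirror the shape of Keycloak's /realms/<realm>/protocol/saml/descriptor output, the certificate inside it is a three-byte placeholder rather than a real DER certificate, and the plain-http SOAP endpoint is a deliberate defect for the endpoint check to catch.

```python
"""Parse and sanity-check a Keycloak SAML IdP descriptor.

Added example, not DomusDigitalis tooling. SAMPLE_DESCRIPTOR is constructed
to mirror Keycloak's descriptor output; its X509Certificate is the three
bytes "abc" (base64 "YWJj"), a placeholder rather than a real certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
KEYCLOAK_BASE = "https://keycloak-01.inside.domusdigitalis.dev:8443/realms/domusdigitalis"

# Constructed descriptor. Deliberate defect: the SOAP binding is plain http.
SAMPLE_DESCRIPTOR = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{KEYCLOAK_BASE}">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="{SAML2}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>placeholder</ds:KeyName>
        <ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{KEYCLOAK_BASE}/protocol/saml"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{KEYCLOAK_BASE}/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{KEYCLOAK_BASE}/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://keycloak-01.inside.domusdigitalis.dev:8080/realms/domusdigitalis/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as `openssl x509 -fingerprint -sha256` prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what an SP pins: entity ID, signing cert fingerprints, SSO endpoints, NameID formats."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # Per the SAML metadata spec, a KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(sha256_fingerprint(der))
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "protocols": (idp.get("protocolSupportEnumeration") or "").split(),
        "signing_fingerprints": fingerprints,
        "sso_endpoints": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }


def check_metadata(info: dict, expected_entity_id: str = KEYCLOAK_BASE) -> list[str]:
    """Return findings an SP operator should resolve before trusting this IdP."""
    findings = []
    if info["entity_id"] != expected_entity_id:
        findings.append(f"entityID {info['entity_id']!r} != expected {expected_entity_id!r}")
    if not info["signing_fingerprints"]:
        findings.append("no signing certificate: assertions cannot be verified")
    if SAML2 not in info["protocols"]:
        findings.append("IdP does not advertise SAML 2.0 protocol support")
    if not info["want_authn_requests_signed"]:
        findings.append("WantAuthnRequestsSigned is false: SP-initiated requests are unauthenticated")
    for binding, location in info["sso_endpoints"].items():
        if not (location or "").startswith("https://"):
            findings.append(f"SSO endpoint {binding.rsplit(':', 1)[-1]} is not HTTPS: {location}")
    return findings


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_DESCRIPTOR)
    print("entityID:", info["entity_id"])
    print("signing cert SHA-256:", ", ".join(info["signing_fingerprints"]))
    for line in check_metadata(info) or ["no findings"]:
        print(line)
```

Run it against the real descriptor by passing the downloaded XML text to parse_idp_metadata; the fingerprint it prints is the value to compare with what ISE shows for the imported IdP certificate, and it will change when the Vault-issued certificate rotates.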