Keycloak Realm Management
2. Realm Structure
| Setting | Value |
|---|---|
| Realm Name | domusdigitalis |
| Display Name | DomusDigitalis Identity |
| SSL Required | external |
| Registration | Disabled (admin-only) |
| Brute Force Protection | Enabled |
3. Groups
| Group | Purpose | ISE Admin Group |
|---|---|---|
| ise-super-admin | Full ISE administrative access | Super Admin |
| ise-read-only | ISE read-only access | Read Only Admin |
| ise-helpdesk | ISE helpdesk/support access | Helpdesk Admin |
| ise-ers-admin | ISE ERS API access only | ERS Admin |
| nas-admin | Synology NAS administrative access | Super Admin |
| gitea-admin | Gitea administrative access | N/A |
| gitea-user | Standard Gitea user access | N/A |
4. Import Realm via REST API
Do NOT use
4.2. Step 2: Copy into Container
ssh keycloak-01 'sudo docker cp /tmp/ise-realm.json keycloak:/tmp/ise-realm.json'
Note that the curl in step 3 runs on the keycloak-01 host, not inside the container, so it reads the host copy at /tmp/ise-realm.json; the copy inside the container is not used by the REST import.
4.3. Step 3: Import via REST API
The first curl obtains an admin access token from the master realm with the built-in admin-cli client; the second posts the realm representation to /admin/realms. Two caveats apply to every command in sections 4 to 7: -k disables TLS certificate verification, which is only acceptable because the call goes to localhost on the same host, and the admin password passed with -d is written to the shell history and is visible in the process list while curl runs. On a shared host, move the -d options into a curl config file read with -K, or use --data-urlencode password@FILE (the file must not end in a newline). Where jq is installed, jq -r .access_token (as in section 5) is a more robust way to extract the token than grep and cut.
ssh keycloak-01 'TOKEN=$(curl -ks https://localhost:8443/realms/master/protocol/openid-connect/token \
-d "client_id=admin-cli" \
-d "username=admin" \
-d "password=<ADMIN_PASSWORD>" \
-d "grant_type=password" | grep -o "\"access_token\":\"[^\"]*" | cut -d\" -f4) && \
curl -ks -X POST https://localhost:8443/admin/realms \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @/tmp/ise-realm.json \
-w "\nHTTP Code: %{http_code}\n"'
HTTP Code: 201
4.4. Verify Import
ssh keycloak-01 'TOKEN=$(curl -ks https://localhost:8443/realms/master/protocol/openid-connect/token \
-d "client_id=admin-cli" \
-d "username=admin" \
-d "password=<ADMIN_PASSWORD>" \
-d "grant_type=password" | grep -o "\"access_token\":\"[^\"]*" | cut -d\" -f4) && \
curl -ks https://localhost:8443/admin/realms \
-H "Authorization: Bearer $TOKEN" | grep -o "\"realm\":\"[^\"]*\""'
"realm":"domusdigitalis"
"realm":"master"
5. Export Realm
A GET on the realm returns its RealmRepresentation, which captures the realm-level settings from section 2 before an update (section 6) or a delete (section 7). It does not contain clients, roles, groups or users, so the resulting file is not a full backup; clients, groups and roles can be exported with the partial-export endpoint (POST /admin/realms/domusdigitalis/partial-export with exportClients and exportGroupsAndRoles set to true), and users are never part of either export.
ssh keycloak-01 'TOKEN=$(curl -ks https://localhost:8443/realms/master/protocol/openid-connect/token \
-d "client_id=admin-cli" \
-d "username=admin" \
-d "password=<ADMIN_PASSWORD>" \
-d "grant_type=password" | jq -r .access_token) && \
curl -ks https://localhost:8443/admin/realms/domusdigitalis \
-H "Authorization: Bearer $TOKEN" > /tmp/realm-export.json'
6. Update Existing Realm
This overwrites the realm configuration. User data is preserved, but client configurations will be reset. Take an export (section 5) before running it so the previous settings can be restored, and check the returned HTTP code: 204 means the update was applied.
ssh keycloak-01 'TOKEN=$(curl -ks https://localhost:8443/realms/master/protocol/openid-connect/token \
-d "client_id=admin-cli" \
-d "username=admin" \
-d "password=<ADMIN_PASSWORD>" \
-d "grant_type=password" | grep -o "\"access_token\":\"[^\"]*" | cut -d\" -f4) && \
curl -ks -X PUT https://localhost:8443/admin/realms/domusdigitalis \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @/tmp/ise-realm.json \
-w "\nHTTP Code: %{http_code}\n"'
7. Delete Realm
Deleting a realm removes its clients, groups, roles, sessions and users and cannot be undone; take an export first (section 5) and re-run the realm listing from section 4.4 afterwards to confirm it is gone.
ssh keycloak-01 'TOKEN=$(curl -ks https://localhost:8443/realms/master/protocol/openid-connect/token \
-d "client_id=admin-cli" \
-d "username=admin" \
-d "password=<ADMIN_PASSWORD>" \
-d "grant_type=password" | grep -o "\"access_token\":\"[^\"]*" | cut -d\" -f4) && \
curl -ks -X DELETE https://localhost:8443/admin/realms/domusdigitalis \
-H "Authorization: Bearer $TOKEN" \
-w "\nHTTP Code: %{http_code}\n"'
HTTP Code: 204
8. Post-Import Tasks
After importing the realm:
- Change user passwords - Default users have temporary: true
- Generate OIDC client secrets - For Gitea, NAS, iPSK Manager
- Download SAML metadata - For ISE configuration
- Configure ISE SAML IdP - See ISE Admin Portal SSO
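The import procedure of sections 4.2 to 4.4, with the settings from the section 2 table and the post-import tasks above folded in as pre-flight checks, as an added Python example that is not part of the original page or of Keycloak's own tooling. It performs the same Admin REST calls as the curl commands above (token from the master realm with admin-cli, POST /admin/realms, then GET /admin/realms to verify), but reads the admin password from the KC_ADMIN_PASSWORD environment variable instead of the command line, verifies TLS against an optional CA bundle instead of passing -k, and refuses to import a realm file that disagrees with the settings table, carries a literal client secret, or seeds a user with a non-temporary password. The environment variable names, the default base URL and the realm file path are assumptions; the validation rules are taken from sections 2 and 8.

```python
"""Import a Keycloak realm over the Admin REST API with pre-flight checks.

Added example, not from the original page.  Assumptions: the admin password
is in KC_ADMIN_PASSWORD, the server URL in KC_URL (default localhost:8443),
an optional CA bundle path in KC_CA_FILE, and the realm file path is argv[1].
"""
import json
import os
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request

# Realm-level settings from the section 2 table, keyed by their
# RealmRepresentation field names.
EXPECTED_REALM_SETTINGS = {
    "realm": "domusdigitalis",
    "sslRequired": "external",
    "registrationAllowed": False,
    "bruteForceProtected": True,
}
MASKED_SECRET = "**********"  # placeholder Keycloak writes in place of secrets


def check_realm_representation(rep):
    """Return the problems that should block importing this realm JSON."""
    problems = []
    for key, want in EXPECTED_REALM_SETTINGS.items():
        if rep.get(key) != want:
            problems.append(f"{key}: expected {want!r}, found {rep.get(key)!r}")
    # A literal client secret in the realm file is a credential living in a
    # config repo; only the masked placeholder is acceptable (section 8 has
    # the secrets regenerated after import anyway).
    for client in rep.get("clients", []):
        secret = client.get("secret") or ""
        if secret and secret != MASKED_SECRET:
            problems.append(f"client {client.get('clientId')}: literal secret in file")
    # Seeded passwords must be temporary so the first login forces a change.
    for user in rep.get("users", []):
        for cred in user.get("credentials", []):
            if cred.get("type") == "password" and not cred.get("temporary"):
                problems.append(f"user {user.get('username')}: password is not temporary")
    return problems


def admin_token(base_url, password, ctx):
    """Password grant against the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({
        "client_id": "admin-cli", "username": "admin",
        "password": password, "grant_type": "password",
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["access_token"]


def admin_request(base_url, token, method, path, body=None, ctx=None):
    """One Admin REST call; returns (HTTP status, decoded JSON body or None)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{base_url}/admin{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None  # 401 bad token, 403 not realm admin, 409 exists


def main(realm_file):
    base_url = os.environ.get("KC_URL", "https://localhost:8443")
    password = os.environ["KC_ADMIN_PASSWORD"]  # never on the command line
    # Verify the server certificate instead of curl -k; KC_CA_FILE points at
    # the internal CA bundle when the cert is not publicly trusted.
    ctx = ssl.create_default_context(cafile=os.environ.get("KC_CA_FILE"))
    with open(realm_file) as fh:
        rep = json.load(fh)
    problems = check_realm_representation(rep)
    if problems:
        sys.exit("refusing to import:\n  " + "\n  ".join(problems))
    token = admin_token(base_url, password, ctx)
    status, _ = admin_request(base_url, token, "POST", "/realms", rep, ctx)
    if status == 409:
        sys.exit(f"realm {rep['realm']} already exists; use PUT /admin/realms/{rep['realm']}")
    if status != 201:
        sys.exit(f"import failed: HTTP {status}")
    # Same verification as section 4.4: list the realms and expect the new one.
    status, realms = admin_request(base_url, token, "GET", "/realms", ctx=ctx)
    names = sorted(r["realm"] for r in realms or [])
    print("realms present:", ", ".join(names))
    if rep["realm"] not in names:
        sys.exit("realm not listed after import")


if __name__ == "__main__":
    main(sys.argv[1])
```

Run it on keycloak-01 as KC_ADMIN_PASSWORD=... python3 kc_import_realm.py /tmp/ise-realm.json. The pre-flight check runs before any network call, so a realm file that has drifted from the section 2 table or that was committed with a real client secret is rejected locally; a 409 from the POST means the realm already exists and the PUT from section 6 is the right call instead.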