Configure Autoform DM SSO

After you have configured Keycloak, you can configure Autoform DM to use it to broker SSO-based logins.

Note

You will need the client ID and client secret that you created for Autoform DM (when you created a Client configuration item in Keycloak).

Note

The information on this page applies only to self-hosted Cloud and on-premises Autoform DM systems.

To configure Autoform DM to use Keycloak for SSO, follow these steps:

1. Stop Autoform DM.

2. Add the Keycloak adapter to Autoform DM and configure it:

   1. Unpack the adapter ZIP (that you downloaded before you installed Keycloak) to the root of the Wildfly folder in the Autoform DM directory: C:\Program Files\Formpipe Software\Autoform DM\Server_<major version>.<minor version>) - <node name>\wildfly-<wildfly version number>.Final\

      • Appropriately substitute <major version>, <minor version>, <node name>, and <wildfly version number>.

   2. Use the JBoss CLI to configure the adapter. To do this, start a command prompt, navigate to the bin directory of the Wildfly folder, then run the following command. If the configuration succeeds, you will see a series of outcome => success messages.

      • Windows:

        jboss-cli.bat
        --file=adapter-elytron-install-offline.cli
        --properties=..\standalone\configuration\node.properties

        

      • Linux:

        jboss-cli.sh
        --file=adapter-elytron-install-offline.cli
        --properties=..\standalone\configuration\node.properties

3. Enable SSO mode for Autoform DM. To do this, start a command prompt, navigate to the bin directory of the Wildfly folder, make the following substitutions and modifications to the following command, then run the command.

   • Substitute <client-id> and <client-secret> for the client ID and client secret you created in Keycloak for Autoform DM.

   • Change the value supplied for -Dauth.url to the URL of the Keycloak instance.

   • The -Dauth.realm parameter is optional. If you do not supply it, the default realm name (formpipe-dm-realm) is used. Include and appropriately set the -Dauth.realm parameter only if the realm name has been changed from the default or is different for another reason (for example, if it is a pre-existing realm).

     jboss-cli.bat
     --file=enable-external-identity-management.script
     --properties=..\standalone\configuration\node.properties
     -Dclient.id=<client-id>
     -Dclient.secret=<client-secret>
     -Dauth.url=https://url.to.keycloak:9443
     -Dauth.realm=formpipe-dm-realm

     Important

     Autoform DM must be stopped when you run this command.

4. Start Autoform DM.

After you complete the process above:

• Autoform DM should be running.

• Navigating to Autoform DM in a web browser should redirect you to the configured IdP to authenticate.

• After you are authenticated, you should be redirected back to Autoform DM.

At this point, you may or may not have access to Autoform DM, depending on whether IdP groups have been mapped correctly and whether Autoform DM roles have been assigned to groups.

If you do not have access to Autoform DM when you believe that you should, check whether you have correctly followed the instructions for each of the Autoform DM SSO installation and configuration tasks.

After you have successfully enabled users to access Autoform DM via SSO, you will need to alter how external applications and services (such as Lasernet, other Formpipe applications, and third-party applications) authenticate with Autoform DM in order to use its REST API. For more information, see Integrate Applications and Services (Lasernet, Other Formpipe Applications, and Third-Party Applications) with Autoform DM.