Removing SSO Authentication from DAI
This page describes how to remove single sign-on (SSO) authentication from your DAI installation. This process reverts DAI to a standalone system that uses its embedded identity and access management provider, Keycloak, for user authentication.
The process for removing single sign-on (SSO) authentication from DAI/Keycloak is to run the same identity_provider procedure (Windows command-line process) we used to set it up. For information about the setup process, see Enabling SSO in DAI with Entra ID and SAML v2 or Enabling SSO in DAI with Entra ID and OIDC.
This process does not remove anything from your identity provider (Entra ID). If you want to permanently remove SSO, you may also want to remove the corresponding configuration from your identity provider.
Prerequisites
| Requirement | Description |
|---|---|
| Identity Provider Alias | You need the alias of the iIdentity Provider in Keycloak. You can find this in the Keycloak Admin Console by viewing the details of the Identity Provider that you created and copying the value in the alias field. |
Re-Configuring Keycloak as the DAI Access and Identity Manager
If you are using Eggplant Cloud, contact our Customer Support for help obtaining the input data outlined above.
To disable SSO on Keycloak, we run a migration procedure named identity_provider.
This procedure will:
- Remove the
Identity Providerfrom the Keycloak realm. - Amend the login flow to allow local accounts to login.
- Configure the
Themesfor theRealmto use standardeggplantrealms instead of theeggplant_readonlyones used by SSO enabled realms.
Step by Step: Running the Script to Re-configure Keycloak
The following steps describe how to reconfigure DAI to use Keycloak as its identity and access manager for authentication.
Step 1 - Set environment variables
Modify the script to set the environment variables with the appropriate values for your Keycloak installation.
set KC_ADMIN_USER=<keycloak_admin_user>
set KC_ADMIN_PASSWORD=<keycloak_admin_pwd>
set KEYCLOAK_URL=https://<dai_address>/auth/
set USE_LEGACY_INSTALLER=true
Replace the variable values enclosed in <...> in the script above with the values for your DAI installation as follows:
| Environment Variables | Values |
|---|---|
<keycloak_admin_user> | The username of the Keycloak system administrator you configured when you installed DAI. This is also known as the Keycloak username. |
<keycloak_admin_pwd> | The password of the Keycloak system administrator you configured when you installed DAI. |
<dai_address> | The hostname : port of the DAI server, e.g. example.com:8080. |
It is not secure to configure passwords on the command line in this way. We recommend you initialize sensitive environment variables using your organization’s preferred secrets manager instead.
Step 2 - Running the Script
The following instructions assume you installed DAI into the default location (C:\Program Files\Digital Automation Intelligence). If you installed DAI in a different location, please replace the default path in the script below with the location of your DAI installation.
The script below is written for the Windows command shell (cmd.exe). To run it from Powershell, you need to replace the caret (^) characters with backtick (\) characters.
"C:\Program Files\Digital Automation Intelligence\python\tools\python.exe" ^
-m eggplant.iam.realm_mgmt ^
--init-file "C:\ProgramData\Eggplant\Digital Automation Intelligence\logs\keycloak\keycloak_migration_config" ^
run ^
--procedure identity_provider ^
--realm <realm> ^
--vars IDP_ALIAS=<idp_alias> ^
--vars ENABLE_SSO=false
Replace the variable values enclosed in <...> in the script above with the values for your DAI installation as follows:
| Environment Variables | Values |
|---|---|
<realm> | Typically eggplant |
<idp_alias> | The alias name for this provider. This is the alias that was used to configure your identity provider when SSO was enabled for your installation. You can find this in the Keycloak Admin Console by viewing the details of the Identity Provider that you created and copying the value in the alias field. |
When it runs, the procedure logs messages in JSON format.
- If the procedure fails, you will see an ERROR, typically with one or more stack traces.
- If it succeeds, the last log entries will indicate the procedure completed successfully.
If you encounter any errors, please review the message and any resulting stack traces. If you have any questions, please contact our Customer Support.
After the procedure runs successfully, SSO will be removed and Keycloak will be managing authentication for your DAI installation.