How to configure webMethods Integration Server with Keycloak


Identity and Access Management applications are becoming increasingly common in the corporate landscape, and are used to provide a set of processes, policies, and tools for defining and managing the roles and access privileges of users within an organization. IAMs typically act as a layer between Identity Providers (or IdPs, such as LDAP, Active Directory, etc.) and the target applications themselves, support user federation, and can define which service scopes a particular user is authorized to use.

Keycloak is a popular IAM solution, and this is a simple tutorial highlighting the basic components and configurations to get it running with Integration Server. This tutorial focuses on using OAUTH2 and the Client Credentials grant type in order to execute a rest service residing on IS.


  • Must have docker installed (e.g. Linux docker client or Rancher Desktop for Windows)
  • Must have a REST testing tool (e.g. Postman, SoapUI, etc)
  • Must have IS installed and running (normal install, IS Docker container or Service Designer are all valid)
  • Must have basic Integration Server Administration knowledge (able to install packages, access the IS Admin GUI, etc)

Keycloak Configuration

“Install” Keycloak

Run Keycloak as a docker image:

Open Keycloak GUI:

Via a browser open: http://localhost:8080/admin

… and login with the admin user/password created above.

Click the arrow next to the master realm and create a new realm named “MyRealm”


Leave all fields default, and only add “MyRealm” to the Realm Name field. After creation, select the realm drop list once more and choose the “MyRealm” realm.

Configure the Realm

Add Scope to Call IS Services

Choose “Client Scopes” from the nav bar, and create a new scope named “ISServiceScope”.


Add IS Clients

Choose “Clients” from the nav bar, and create two new Clients named “ISServer” and “ISSvcConsumer”. Populate using the same values (below), with the exception of different descriptions.





For the “ISSvcConsumer” client, choose the Client Scopes tab and add the client scope created above as default:


NOTE: We will need various Keycloak URLs for the subsequent configuration. These values can be determined by opening the “OpenID Endpoint Configuration” link under the “Realm Settings” in the side nav bar.

Integration Server Configuration

IS Test Package

This tutorial uses a simple test package with a single service. The service will be executed via rest/post and accepts a firstName and lastName argument. The package looks like this:


Download the package: (10.1 KB)

Install and enable the package. (Copy package to replicate/inbound and install via the IS GUI)

Define the IS OAuth Scope

Open the Integration Server GUI.

Under “Administration > OAuth > Scope management” add a scope with the same name as the scope defined in Keycloak. The folder name defined matches the top-level folder name of our test package (but naturally this can be more granular in real-world use cases).


Set the External Authentication Server

Under “Administration > OAuth > Add external authorization server” add the Keycloak config.

Name: Keycloak

Introspection Endpoint: http://localhost:8080/realms/MyRealm/protocol/openid-connect/token/introspect

Client Id: ISServer

Client Secret: <copied from Keycloak ISServer client “Credentials” tab>

User: Administrator



Under “Administration > OAuth > Edit OAuth global settings” set the Authorization server to the Keycloak auth server we just configured:


Test Integration via Postman

Create a new Postman collection and request.

In this example, the following values will be used:

Request URL (IS REST service): https://localhost:5543/rad/

JSON Body:

Under Authorization Tab:

Name: Keycloak IS Access Token

Grant Type: Client Credentials

Access Token URL: http://localhost:8080/realms/MyRealm/protocol/openid-connect/token (can be found from the realm config endpoints discussed above, search for “token_endpoint”)

Client ID: ISSvcConsumer

Client Secret: <copied from Keycloak ISSvcConsumer client “Credentials” tab>

Scope: ISServiceScope


Click the “Get New Access Token” button. You should get a success message, with a box showing your access token:


Click „Use Token“, then Send the request. Success!


This article is part of the TECHniques newsletter blog - technical tips and tricks for the Software AG community. Subscribe to receive our quarterly updates or read the latest issue.