Follow these steps to set up GEOAxIS Authentication for the first time if this instance should have GEOAxIS Authentication enabled. Here are the instructions to configure keycloak to use GEOAxIS as an identity provider (IP).

Please make sure to obtain the following prerequisites:

GEOAxIS values:

  • Issuer
  • Client ID
  • Client Secret


For our Unclassified Development environment ( openid-configuration

The issuer for that environment is

Client ID & secret



Please talk to Labelbox support if the file CSaas_Examples.docx is needed.

The following steps need to be completed in order to obtain the client ID and secret. Steps should be executed in the order outlined below:

  1. Generate a user and NPE certificate via CAaaS. See CSaas_Examples.docx
  2. Provide GEOAxIS with the CN of your NPE
  3. Using your user certificate, create & Submit a Consumer Registration at
  4. Complete Environment Registration
    • Make sure to select “OAuth” during Goal Specification section
  5. Create OIDC Client
    • Section 3.6.1 of the Identity Broker Integration guide outlines how to create the OIDC client. The response will include the client ID and client secret information and an NPE that has been registered and/or given access to the Identity Broker service is required to create the client

GEOAxIS setup

  1. Visit the keycloak admin console by browsing to keycloak.<YOURDOMAIN.COM>. Login with the original keycloak credentials provided from the installation process.

  2. On the left hand console, select identity providers & then select “OpenID Connect v1.0”

  3. Please ensure that the “Alias” field is set to “geoaxis” so that the redirect url of this identity provider matches the one that was used to create the openid client. Keycloak can import most of the IP settings automatically. Scroll to the bottom of the page and find the field “Import from URL”. The openid configuration urls take the form:


  4. Enter in client_id and client_secret from the oidc registration process above.

  5. Ensure Client Authentication is set to Client secret sent as basic auth

  6. Clear cookies and cache for your browser and login to the app at https://app.<YOURDOMAIN.COM>

Did this page help you?