Use a protected service in QGIS

This how-to describes how to use a service secured with security.manager for OGC in QGIS.

The following description is based on version 3.44.2 of QGIS Desktop.

Create a new connection

  1. In QGIS, under Browser, right-click the service type and select New connection.

  2. Give the connection an appropriate name.

  3. For the URL, enter the URL of the protected service, for example https://secman.example.com/secman-ogc/path/to/my-services/wms.

  4. Under Authentication in the Configurations tab, select the authentication for security.manager for OGC. If no suitable authentication is available, create a new authentication.

  5. Configure any additional service-specific settings.

  6. Save the new connection.

Create new authentication

This step is necessary if you have not yet created suitable authentication for the protected service.

  1. Select the + next to the authentication dropdown to create a new authentication. Alternatively, you can create it under Settings > Options > Authentication.

  2. Give the authentication an appropriate name.

  3. Select OAuth2 authentication as the method.

  4. Under Configure, enter the following data:

    Grant flow

    Authorization Code

    Request URL

    The authorization endpoint of the identity provider, for example:
    https://keycloak.example.com/realms/secman-realm/protocol/openid-connect/auth or
    https://arcgis.example.com/portal/sharing/rest/oauth2/authorize

    Token URL

    The token endpoint of the identity provider, for example:
    https://keycloak.example.com/realms/secman-realm/protocol/openid-connect/token or
    https://arcgis.example.com/portal/sharing/rest/oauth2/token

    Redirect URL

    http://127.0.0.1:7070

    Client ID

    The ID of the identity service in the identity provider, for example, identity-service

    Client secret

    The secret corresponding to the client ID

    Scope

    openid profile email

    Access method

    Header (Bearer Authorization Header) or URL Query (?access_token parameter)

    You can find the Keycloak endpoints on the https://keycloak.example.com/realms/secman-realm/.well-known/openid-configuration page.
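
A consistency check of the values entered in step 4 against the identity provider's discovery document, as an added example that is not part of the original how-to or of QGIS. The dictionary keys for the QGIS settings are hypothetical names and the discovery document is a constructed sample; in practice it would be read from the .well-known/openid-configuration page.

```python
from urllib.parse import urlsplit

# Constructed sample of a discovery document, trimmed to the fields checked here.
DISCOVERY = {
    "issuer": "https://keycloak.example.com/realms/secman-realm",
    "authorization_endpoint": "https://keycloak.example.com/realms/secman-realm/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/realms/secman-realm/protocol/openid-connect/token",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email"],
}

# Values as typed into the QGIS dialog; the dict keys are hypothetical names.
QGIS_CONFIG = {
    "grant_flow": "authorization_code",
    "request_url": DISCOVERY["authorization_endpoint"],
    "token_url": DISCOVERY["token_endpoint"],
    "redirect_url": "http://127.0.0.1:7070",
    "scope": "openid profile email",
    "access_method": "header",  # or "query" for the ?access_token parameter
}

def check_oauth2_config(cfg, disco):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    for field, key in (("request_url", "authorization_endpoint"), ("token_url", "token_endpoint")):
        if cfg[field] != disco.get(key):
            findings.append(f"{field} does not match {key} in the discovery document")
        if urlsplit(cfg[field]).scheme != "https":
            findings.append(f"{field} is not HTTPS")
    if cfg["grant_flow"] not in disco.get("grant_types_supported", []):
        findings.append("grant flow not offered by the identity provider")
    missing = set(cfg["scope"].split()) - set(disco.get("scopes_supported", []))
    if missing:
        findings.append("scopes not offered: " + " ".join(sorted(missing)))
    redirect = urlsplit(cfg["redirect_url"])
    if redirect.scheme != "https" and redirect.hostname not in ("127.0.0.1", "::1"):
        findings.append("plain-HTTP redirect URL is not a loopback address")
    if cfg["access_method"] == "query":
        findings.append("access token travels in the URL and can end up in proxy and server logs")
    return findings

if __name__ == "__main__":
    for finding in check_oauth2_config(QGIS_CONFIG, DISCOVERY) or ["no findings"]:
        print(finding)
```

The Header access method keeps the bearer token out of request URLs; the check flags URL Query so that choice is made deliberately.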

Add service to the map

  1. Under Browser, select the connection to the service you want to add. Clicking the service checks whether you are authenticated.

  2. If you are not authenticated, the login page will open in the browser, and you can log in.

  3. Once the authentication is verified, the available layers of the service will be displayed, and you can add them to the map via drag & drop.