Add SSO (Keycloak) information to NetBox docs

docs/services/netbox.md

@@ -58,6 +58,7 @@ You can remove the `netbox_path_prefix` variable definition, to make it default
 
 If `netbox_environment_variable_superuser_*` variables are specified, NetBox will try to create the user (if missing).
 
+[Single-Sign-On](#single-sign-on-sso-integration) is also supported.
 
 ### Redis
 
@@ -198,6 +199,54 @@ netbox_container_additional_networks_custom:
 ########################################################################
 ```
 
+### Single-Sign-On (SSO) integration
+
+NetBox supports different [Remote Authentication](https://docs.netbox.dev/en/stable/configuration/remote-authentication/) backends, including those provided by the [Python Social Auth](https://python-social-auth.readthedocs.io/) library. This library is included in the NetBox container image by default, so you can invoke any [backend](https://github.com/python-social-auth/social-core/tree/master/social_core/backends) provided by it.
+
+Each module's Python file contains detailed information about how to configure it. It should be noted that module-specific configuration is passed as Python configuration (via `netbox_configuration_extra_python`), and **not as environment variables**.
+
+We have detailed information about integrating with [Keycloak](keycloak.md) below.
+You can use the configuration in the [Keycloak section](#keycloak) as a template for configuring other backends.
+
+#### Keycloak
+
+To integrate with [Keycloak](keycloak.md) use the following **additional** configuration:
+
+```yaml
+
+netbox_environment_variables_additional_variables: |
+  REMOTE_AUTH_ENABLED=True
+  REMOTE_AUTH_BACKEND=social_core.backends.keycloak.KeycloakOAuth2
+
+netbox_configuration_extra_python: |
+  # These need to match your Client app information in Keycloak. See below
+  SOCIAL_AUTH_KEYCLOAK_KEY = ''
+  SOCIAL_AUTH_KEYCLOAK_SECRET = ''
+
+  # The value for this is retrieved from Keycloak -> Realm Settings -> Keys tab -> Public key button for RS256
+  SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = ''
+
+  # The value for these are retrieved from Keycloak -> Realm Settings -> General tab -> OpenID Endpoint Configuration button
+  SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = 'https://KEYCLOAK_URL/realms/REALM_IDENTIFIER/protocol/openid-connect/auth'
+  SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = 'https://KEYCLOAK_URL/realms/REALM_IDENTIFIER/protocol/openid-connect/token'
+
+# If Keycloak is running on the same server, uncomment the lines below
+# and replace HOSTNAME with the hostname of the Keycloak server (e.g. mash.example.com or keycloak.example.com).
+# netbox_container_extra_arguments:
+#  - --add-host=HOSTNAME:{{ ansible_host }}
+```
+
+The Client app needs to be created and configured in a special way on the Keycloak side by:
+
+- activating **Client authentication**
+- in **Advanced**, changing the following settings:
+  - **Request object signature algorithm** = `RS256`
+  - **Request object signature algorithm** = `RS256`
+- in **Client scopes** (for this Client app via the **Client scopes** tab, not for all apps via the left-most menu), configure the `*-dedicated` scope (e.g. `netbox-dedicated` if you named your Client app `netbox`) and add a new mapper with the following settings:
+  - **Name** = anything you like (e.g. `netbox-audience`)
+  - **Included Client Audience** = the key of this Client app (e.g. `netbox`)
+  - **Add to access token** = On
+
 
 ## Installation