...
Resources & Remarks

Always keep at the same state!

- enaio - official help: https://help.optimal-systems.com/enaio/v910/admin/administrator/en/dienste/idprovider.htm
- yuuvis Impulse: https://wiki.optimal-systems.de/pages/viewpage.action?spaceKey=MAN&title=Keycloak
- yuuvis Momentum & enaio: https://wiki.optimal-systems.de/display/EnaioServices/Keycloak
Guideline for manual installation and configuration of Keycloak as an identity provider for yuuvis® Momentum.
...
- Call the Keycloak Admin Console:
http://localhost:8080/auth/admin/
- Select the tenant and add the host name of the web page via Realm Settings > Security Defenses > Content-Security-Policy > frame-ancestors. Multiple host names are separated by blank spaces. Keep 'self' in the list and do not widen it to *: frame-ancestors is what protects the Keycloak login page from being embedded by arbitrary sites (clickjacking).
Impersonation
In order to allow users with a specific role to log in as any other user, impersonation can be activated in Keycloak. Users holding that role can then use their own password to log in to the account of any other user within their tenant. In Keycloak, the feature is realized as impersonation by means of token exchange: the privileged user first obtains a token for their own account and then exchanges it for a token that identifies the target user.
Activate Token Exchange
- Open the StatefulSet of Keycloak in your Kubernetes cluster for editing by running the command:

```bash
kubectl -n infrastructure edit statefulset keycloak
```
- Extend the containers section as follows (if the Keycloak container already has an args list, append the two entries to it instead of adding a second list):

```yml
containers:
  - args:
      - -Dkeycloak.profile.feature.token_exchange=enabled
      - -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
```
- Restart Keycloak.
Configure User Account and Keycloak Clients
- Call the Keycloak Admin Console:
http://localhost:8080/auth/admin
- Select the user you want to grant access to other user accounts and switch to the tab Role Mappings.
- Display the Client Roles for the realm-management client and assign its impersonation role to the user.
- In the same realm, select the client admin-cli and switch to the Permissions tab.
- Flip the switch Permissions Enabled to ON.
- In the table that appears, click token-exchange in the scope-name column.
- From the Create Policy selection list in the Apply Policy section, choose Role.
- Name it impersonation-policy.
- From the Realm Roles selection list, choose the administrative role that will enable users to impersonate other users within their tenant. Tick the Required checkbox.
- From the Clients selection list, choose realm-management.
- From the Client Roles selection list, choose impersonation. Tick the Required checkbox.
- Save the configuration for the policy.
- Save the configuration for the permission settings.

Keep in mind that the impersonation client role of realm-management is a powerful privilege on its own: it authorizes impersonation through the Admin Console and Admin REST API as well, independent of the token-exchange policy configured here. Assign it only to accounts that are meant to act on behalf of other users within their tenant, and keep the administrative role marked as Required in the policy so that the role alone is not sufficient for the exchange.
Testing Impersonation with cURL
The following commands use an administrative user root with the password changeme belonging to the tenant tenant1 that has the impersonation authorization as configured before. This user requests access to the account of the user specified by the ID cc14e5d4-e8da-4108-92ad-c87066aed4c3. The commands are written for the Windows command prompt (^ continues a line; in a POSIX shell use \ instead). The -k option disables TLS certificate verification and is only acceptable against a local test installation; do not use it, or plain http, against a production Keycloak.
Request a token for the administrative user with the impersonation authorization. The response is a JSON document; the value of its access_token field is the token used in the next step:

```bash
curl -k ^
  -d "client_id=admin-cli" ^
  -d "username=root" ^
  -d "password=changeme" ^
  -d "grant_type=password" ^
  "http://localhost:8080/auth/realms/tenant1/protocol/openid-connect/token"
```
Request a token for the account of the target user where the login is needed. The previously retrieved token of the administrative user is passed as subject_token, whereas the ID of the target user is specified as requested_subject. The exchange succeeds only if the user behind the subject token satisfies the impersonation-policy configured above; otherwise Keycloak returns an error response instead of a token:

```bash
curl -k ^
  -H "Content-Type: application/x-www-form-urlencoded" ^
  -d "client_id=admin-cli" ^
  -d "requested_subject=cc14e5d4-e8da-4108-92ad-c87066aed4c3" ^
  -d "subject_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJueEZ..." ^
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" ^
  "http://localhost:8080/auth/realms/tenant1/protocol/openid-connect/token"
```
The retrieved token can be used by the administrative user root to authenticate to yuuvis® Momentum with the account of the target user. The following command retrieves the user information for the user who is logged in with the token specified in the authorization header. Use it to verify that the token from the previous step identifies the intended target user: in this example, the response must contain the data set (including the sub claim) of the user with ID cc14e5d4-e8da-4108-92ad-c87066aed4c3. If the response describes the administrative user instead, the token of the first step was used by mistake.

```bash
curl -k ^
  --request GET ^
  --url "http://localhost:8080/auth/realms/tenant1/protocol/openid-connect/userinfo" ^
  --header "accept: application/json" ^
  --header "authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAi1dXVSZ3daQldhTTJZaXNlZElFXzg..."
```
Summary
This article explained how to install and configure Keycloak as an identity provider and access management system for yuuvis® Momentum in a manual procedure.
...