Modification History


Name | Date | Product Version | Action
Antje | 17 MAY 2021 | 2021 Summer | created for new structure
Antje | 08 FEB 2022 | 2022 Spring | add description of custom idm proxy



Connects the identity provider with additional services. It can also be used as an interface for role and user management for a tenant, and to create and delete tenants in Keycloak.





Characteristics

Service Name: tenant-management
Port Range: 8080
Profiles: prod,oauth2
Helm Chart: client
Public API: Tenant Management Endpoints

Function

Service that is responsible for retrieving information from the connected identity provider for the Web-API Gateway, clients and business process management (if configured). Thus, you can connect any identity provider working with OAuth2.

In combination with Keycloak, it additionally provides the tenant and user management functionality used by yuuvis® architect.

Provides the API:

>> Tenant Management Endpoints

Requirements

>> yuuvis® Momentum Requirements - Tenant Management API

Configuration

Working with Keycloak

Working with any Identity Provider via OAuth2

As of 2022 Spring, the service can be configured such that the idm-controller endpoints retrieve their information from a custom IDM proxy. The TENANT-MANAGEMENT service calls the custom proxy with an internal JSON Web Token (JWT) in the request header. This proxy can be used to connect identity providers other than Keycloak for reading purposes. An example proxy service is available as a beta version on request.
Note: If the service is not combined with Keycloak, all endpoints not belonging to the idm-controller are not available and return a 404 error.

In order to connect such a custom IDM proxy, create a tenant-management-prod.yml configuration file with the following parameters:

idm:
  custom:
    enabled: true
    base-url: http://IDM_HOST:port

The handling of profile-related configuration files is described for the core system.
>> Configuring Services using Profiles
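
A pre-deployment check for the idm.custom block shown above, as an added example that is not part of the yuuvis® documentation or product code. Because the service sends its internal JWT in the request header to base-url, the check flags unreplaced placeholders, an invalid port, plain HTTP and embedded credentials; the function names and the minimal YAML flattener are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample: the snippet from this page with its placeholders left in.
SAMPLE = "idm:\n  custom:\n    enabled: true\n    base-url: http://IDM_HOST:port\n"

def flatten_yaml(text):
    """Flatten nested 'key: value' mappings to dotted keys (no lists or anchors)."""
    flat, stack = {}, []                      # stack: (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip() # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                       # leave mappings we have dedented out of
        if value.strip():
            path = [k for _, k in stack] + [key.strip()]
            flat[".".join(path)] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return flat

def check_idm_proxy(text):
    """Return findings for the idm.custom block of a tenant-management profile file."""
    cfg = flatten_yaml(text)
    if cfg.get("idm.custom.enabled", "false").lower() != "true":
        return []                             # custom proxy not in use
    url = cfg.get("idm.custom.base-url", "")
    if not url:
        return ["idm.custom.enabled is true but base-url is missing"]
    findings, parts = [], urlsplit(url)
    if "IDM_HOST" in url:
        findings.append("placeholder IDM_HOST not replaced")
    try:
        parts.port                            # raises ValueError if not a valid port
    except ValueError:
        findings.append("port is not a valid number")
    if parts.scheme == "http":
        findings.append("plain HTTP: the internal JWT header is sent unencrypted")
    elif parts.scheme != "https":
        findings.append("unexpected URL scheme: " + repr(parts.scheme))
    if parts.username or parts.password:
        findings.append("credentials embedded in base-url")
    return findings

if __name__ == "__main__":
    for finding in check_idm_proxy(SAMPLE):
        print("WARN", finding)
```

Treat the plain-HTTP finding as a prompt to confirm that the hop to the proxy is protected by other means, such as a cluster-internal network or mutual TLS between services.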