Keycloak Settings for yuuvis® management console

Configure Keycloak for the use of yuuvis® management console and the management console API.

Introduction

yuuvis® management console uses Keycloak for authentication. Some preparations are necessary in order to apply the required settings in Keycloak. The steps of configuration and the values to be set are described in this article.

The settings are adjusted via the Keycloak Admin Console.

Creating a New Realm and Client

All users of yuuvis® management console are registered in one Keycloak realm that has to be created manually. Furthermore, it is necessary to register yuuvis® management console as a Keycloak client in order to enable authentication via Keycloak.

  • Create a new realm (e.g., YMC).

    • Set Display Name to management console

    • Set HTML Display Name to <div class="yuv-brand-logo ymc"><div class="logo"></div></div>

  • Create a new client within this realm (e.g., ymc-client) using the Client Protocol openid-connect.

  • Adjust the client settings in the Settings tab as follows:
    • Set Access Type to confidential. This adds the Credentials tab, where the client secret is provided.

    • Set the two Valid Redirect URIs ${API_HOST}/auth/callback* and ${CLIENT_HOST}.

  • Set up the client role in the Roles tab of the client:

    • Create a new role via Add Role.
    • Define the Role Name ymc_provider and Save the role.
  • Open the Client Scopes view via the navigation on the left side.

    • In the displayed table, click roles; its Settings tab opens.

    • The Name should be roles.
    • Set Include In Token Scope to ON.
  • Return to the Clients view via the navigation on the left side.

    • Click on the Client ID of the client created earlier (e.g., ymc-client)

    • In the Mappers tab, click Create.

    • Set the Name to client roles.
    • Select the Mapper Type user client role.
    • Switch ON Multivalued.
    • Set Token Claim Name to roles.resource_access.${client_id}.roles with your client ID inserted (e.g., ymc-client).
    • Select string for Claim JSON Type.
    • Switch ON Add to userinfo.

Setting up a Technical yuuvis® User

yuuvis® management console needs access to yuuvis® Momentum, too. Therefore, a separate client with a technical user having the appropriate permissions has to be configured in Keycloak.

  • Select the earlier created realm (e.g., YMC).
  • Open the Clients view and click Create.

  • Set the Client ID ymc-api.

  • Go to the Settings tab.
  • Select the Access Type confidential.

  • Switch OFF Standard Flow Enabled.
  • Switch OFF Direct Access Grants Enabled.
  • Switch ON Service Accounts Enabled.

  • Save the settings.

  • Go to the Roles tab and click Add Role.

  • Set the Role Name YUUVIS_SYSTEM_INTEGRATOR.

  • Open the Users view via the navigation on the left side.

  • Add a new user (e.g., ymc).

  • Assign the YUUVIS_SYSTEM_INTEGRATOR role of the client ymc-api to that user:

    • Select ymc-api in the Client Roles dropdown.
    • Assign the role YUUVIS_SYSTEM_INTEGRATOR.

Setting up a Provider yuuvis® User

This user is needed to log in to yuuvis® management console in order to set up organizations and their members.

  • Create a user in the YMC realm.
  • Assign the ymc_provider role of the client ymc-client to that user:

    • Select ymc-client in the Client Roles dropdown.
    • Assign the role ymc_provider.
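To check that the "client roles" mapper and the role assignment above produced the expected token layout, the following added example (not part of this article or of yuuvis®) decodes a token payload and looks up the nested claim that Keycloak builds from the dotted claim name roles.resource_access.${client_id}.roles. The issuer URL and the user name in the constructed sample token are hypothetical; the decoder deliberately skips signature verification and is only meant for inspecting claims.

```python
import base64
import json

# Claim name from the "client roles" mapper on this page, with the client ID inserted.
# Keycloak splits an unescaped dotted claim name into nested JSON objects, so the
# token carries {"roles": {"resource_access": {"<client>": {"roles": [...]}}}}.
CLAIM_NAME_TEMPLATE = "roles.resource_access.{client_id}.roles"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT without verifying its signature.
    Use only to inspect the claim layout, never to authorize a request."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def mapped_client_roles(payload: dict, client_id: str) -> list:
    """Walk the nested claim the mapper produces for client_id; [] if any level is missing.
    Assumes the client ID itself contains no dots."""
    node = payload
    for key in CLAIM_NAME_TEMPLATE.format(client_id=client_id).split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    return node if isinstance(node, list) else [node]


def has_role(payload: dict, client_id: str, role: str) -> bool:
    return role in mapped_client_roles(payload, client_id)


# Constructed sample: an unsigned token shaped like one issued by ymc-client for a
# provider user (empty signature segment; issuer and user name are hypothetical).
_SAMPLE_PAYLOAD = {
    "iss": "https://keycloak.example/realms/YMC",
    "azp": "ymc-client",
    "preferred_username": "provider-admin",
    "roles": {"resource_access": {"ymc-client": {"roles": ["ymc_provider"]}}},
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(_SAMPLE_PAYLOAD).encode()),
    "",
])
```

Run it against a real token by passing the access token string to decode_jwt_payload and checking has_role(claims, "ymc-client", "ymc_provider"); a False result means the mapper name, Multivalued switch or role assignment was not applied as described.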

Summary

In order to use yuuvis® management console, a new realm has to be created in Keycloak. Two clients have to be registered via this realm. One client ensures the connection with yuuvis® management console, the other one allows for access to the management console API as a management service provided by yuuvis® Momentum.

Read on

yuuvis® Momentum Settings for yuuvis® management console

Configure the cluster to enable the tenant management API to create and modify tenants.

Tenant Creation Profile

Set up a tenant creation profile that defines the initial properties of tenants created via Tenant Management API.

Tenant Management Endpoints

These endpoints can be used for role and user management for a tenant and to create and delete tenants.