Deprecated as of 2022 Autumn!

This Service is not part of yuuvis® Momentum anymore as of product version 2022 Autumn.

Configure Keycloak for the use of yuuvis® management console and the management console API.

Table of Contents

Introduction

yuuvis® management console uses Keycloak for authentication. Some preparations are necessary in order to apply the required settings in Keycloak. The steps of configuration and the values to be set are described in this article.

The settings are adjusted via the Keycloak Admin Console.

Creating a New Realm and Client

All users of yuuvis® management console are registered in one Keycloak realm that has to be created manually. Furthermore, it is necessary to register yuuvis® management console as a Keycloak client in order to enable authentication via Keycloak.

Create a new realm (e.g., YMC).
- Set Display Name to management console
- Set HTML Display Name to <div class="yuv-brand-logo ymc"><div class="logo"></div></div>
Create a new client within this realm (e.g., ymc-client) using the Client Protocol openid-connect.
Adjust the client settings in the Settings tab as follows:
- Set Access Type to confidential. The Credentials tab is added where the client secret are provided.
- Set the two Valid Redirect URIs ${API_HOST}/auth/callback* and ${CLIENT_HOST}.
Setup the Realm's Client Role in the Roles tab:
- Create a new role via Add Role.
- Define the Role Name ymc_provider and Save the role.
Open the Client Scopes view via the navigation on the left side.
- In the displayed table, click Roles and find the Settings tab opened.
- The Name should be roles.
- Set Include In Token Scope to ON.
Return to the Clients view via the navigation on the left side.
- Click on the Client ID of the client created earlier (e.g., ymc-client)
- In the Mappers tab, click Create.
- Set the Name to client roles.
- Select the Mapper Type user client role.
- Switch ON Multivalued.
- Set Token Claim Name to roles.resource_access.${client_id}.roles with your client ID inserted (e.g., ymc-client).
- Select string for Claim JSON Type.
- Switch ON Add to userinfo.

Setting up a Technical yuuvis® User

yuuvis® management console needs access to yuuvis® Momentum, too. Therefore, a separate client with a technical user having the appropriate permissions has to be configured in Keycloak.

Select the earlier created realm (e.g., YMC).
Open the Clients view and click Create.
Set the Client ID ymc-api.
Go to the Settings tab.
Select the Access Type confidential.
Switch OFF Standard Flow Enabled.
Switch OFF Direct Access Grants Enabled.
Switch ON Service Accounts Enabled.
Save the settings.
Go to the Roles tab and click Add Role.
Set the Role Name YUUVIS_SYSTEM_INTEGRATOR.
Open the Users view via the navigation on the left side.
Add a new user (e.g., ymc).
Assign the client ymc-api role YUUVIS_SYSTEM_INTEGRATOR role to that user.
- select ymc-api at Client Roles dropdown
- assign role YUUVIS_SYSTEM_INTEGRATOR

Setting up a Provider yuuvis® User

This user is needed to log in to yuuvis® management console setting up organizations and its members.

Create a user for YMC Realm.
Assign the client ymc-client role ymc_provider role to that user.
- select ymc-client at Client Roles dropdown
- assign role ymc_provider

Summary

In order to use yuuvis® management console, a new realm has to be created in Keycloak. Two clients have to be registered via this realm. One client ensures the connection with yuuvis® management console, the other one allows for access to the management console API as a management service provided by yuuvis® Momentum.

Read on

yuuvis® Momentum Settings for yuuvis® management console

Configure the cluster to enable the tenant management API to create and modify tenants. Keep reading

Tenant Creation Profile

Set up a tenant creation profile that defines the initial properties of tenants created via Tenant Management API. Keep reading

Tenant Management Endpoints

These endpoints can be used to retrieve information from the identity provider. Role and user management for a tenant and to create and delete tenants in Keycloak. Keep reading

Browser not supported