Keycloak Settings for yuuvis® management console
Deprecated as of 2022 Autumn!
This Service is not part of yuuvis® Momentum anymore as of product version 2022 Autumn.
Configure Keycloak for the use of yuuvis® management console and the management console API.
Table of Contents
Introduction
yuuvis® management console uses Keycloak for authentication. Some preparations are necessary in order to apply the required settings in Keycloak. The steps of configuration and the values to be set are described in this article.
The settings are adjusted via the Keycloak Admin Console.
Creating a New Realm and Client
All users of yuuvis® management console are registered in one Keycloak realm that has to be created manually. Furthermore, it is necessary to register yuuvis® management console as a Keycloak client in order to enable authentication via Keycloak.
Create a new realm (e.g.,
YMC
).Set Display Name to management console
Set HTML Display Name to <div class="yuv-brand-logo ymc"><div class="logo"></div></div>
Create a new client within this realm (e.g.,
ymc-client
) using the Client Protocolopenid-connect
.- Adjust the client settings in the Settings tab as follows:
Set Access Type to
confidential
. The Credentials tab is added where the client secret are provided.Set the two Valid Redirect URIs
${API_HOST}/auth/callback*
and${CLIENT_HOST}
.
Setup the Realm's Client Role in the Roles tab:
- Create a new role via Add Role.
- Define the Role Name
ymc_provider
and Save the role.
Open the Client Scopes view via the navigation on the left side.
In the displayed table, click Roles and find the Settings tab opened.
- The Name should be
roles
. - Set Include In Token Scope to
ON
.
Return to the Clients view via the navigation on the left side.
Click on the Client ID of the client created earlier (e.g.,
ymc-client
)In the Mappers tab, click Create.
- Set the Name to
client roles
. - Select the Mapper Type
user client role
. - Switch
ON
Multivalued. - Set Token Claim Name to
roles.resource_access.${client_id}.roles
with your client ID inserted (e.g.,ymc-client
). - Select
string
for Claim JSON Type. - Switch
ON
Add to userinfo.
Setting up a Technical yuuvis® User
yuuvis® management console needs access to yuuvis® Momentum, too. Therefore, a separate client with a technical user having the appropriate permissions has to be configured in Keycloak.
- Select the earlier created realm (e.g.,
YMC
). Open the Clients view and click Create.
Set the Client ID
ymc-api
.- Go to the Settings
tab
. Select the Access Type
confidential
.- Switch
OFF
Standard Flow Enabled. - Switch
OFF
Direct Access Grants Enabled. Switch
ON
Service Accounts Enabled.Save the settings.
Go to the Roles tab and click Add Role.
Set the Role Name
YUUVIS_SYSTEM_INTEGRATOR
.Open the Users view via the navigation on the left side.
Add a new user (e.g.,
ymc
).Assign the client
ymc-api
roleYUUVIS_SYSTEM_INTEGRATOR
role to that user.- select
ymc-api
at Client Roles dropdown - assign role
YUUVIS_SYSTEM_INTEGRATOR
- select
Setting up a Provider yuuvis® User
This user is needed to log in to yuuvis® management console setting up organizations and its members.
- Create a user for YMC Realm.
Assign the client
ymc-client
roleymc_provider
role to that user.- select
ymc-client
at Client Roles dropdown - assign role
ymc_provider
- select
Summary
In order to use yuuvis® management console, a new realm has to be created in Keycloak. Two clients have to be registered via this realm. One client ensures the connection with yuuvis® management console, the other one allows for access to the management console API as a management service provided by yuuvis® Momentum.