TENANT-MANAGEMENT Service

Connection between identity provider and additional services. It can also be used as interface for role and user management for a tenant and to create and delete tenants in Keycloak.

Characteristics

Service Name    tenant-management
Port Range      8080
Profiles        prod, oauth2
Helm Chart      client
Public API      Tenant Management Endpoints

Function

Service that is responsible for retrieving information from the connected identity provider on behalf of the Web-API Gateway, the clients and business process management (if configured). Any identity provider that works with OAuth2 can therefore be connected.

In combination with Keycloak, it additionally provides the tenant and user management functionality used by yuuvis® architect.

Provides the API:

>> Tenant Management Endpoints

Requirements

>> yuuvis® Momentum Requirements - Tenant Management API

Configuration

Working with Keycloak

  • First, create an initial Keycloak realm. Then create a user with the YUUVIS_SYSTEM_INTEGRATOR role within this realm.
  • Users calling endpoints of the system controller need the YUUVIS_SYSTEM_INTEGRATOR role.
  • Users calling endpoints of the admin controller need the YUUVIS_TENANT_ADMIN role and must be members of the Keycloak realm that is created when a yuuvis® Momentum tenant is created.
  • Before creating the first tenant, the profile has to be saved via POST /tenant-management/api/system/profile by a user with the YUUVIS_SYSTEM_INTEGRATOR role.
  • As of 2023 Summer, a redirect URI for a successful log-out process can be configured in the application-oauth2.yml configuration file.

Working with any Identity Provider via OAuth2

As of 2022 Spring, the service can be configured such that the idm-controller endpoints retrieve their information from a custom IDM proxy. The TENANT-MANAGEMENT service calls the custom proxy with an internal JSON Web Token (JWT) in the request header. This proxy can be used to connect identity providers other than Keycloak for reading purposes. An example proxy service is available as a beta version on request.
Note: If the service is not combined with Keycloak, all endpoints not belonging to the idm-controller are unavailable and return a 404 error.
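The rules from the Keycloak checklist and the custom-IDM note above, written out as a small policy model (an added example, not code from yuuvis® Momentum): which controller a caller may reach depends on Keycloak being present, on the caller's role and realm membership, and on whether the profile has been saved before the first tenant is created. The controller names, the 403/409/201 status codes and the Caller/Deployment types are assumptions; the page itself only specifies the 404 case.

```python
# Added example (not yuuvis code): a minimal model of the access rules on this
# page, usable as a policy test. Codes 403/409/201 are assumptions.
from dataclasses import dataclass, field

SYSTEM_INTEGRATOR = "YUUVIS_SYSTEM_INTEGRATOR"
TENANT_ADMIN = "YUUVIS_TENANT_ADMIN"


@dataclass
class Caller:
    roles: frozenset   # Keycloak roles carried by the caller's token
    realm: str         # Keycloak realm the caller is a member of


@dataclass
class Deployment:
    keycloak: bool                  # service combined with Keycloak?
    profile_saved: bool = False     # POST /tenant-management/api/system/profile done?
    tenants: set = field(default_factory=set)   # tenant name == realm name


def authorize(dep: Deployment, caller: Caller, controller: str, tenant: str = "") -> int:
    """Status a request to the given controller should receive."""
    if controller == "idm":            # read-only IDM endpoints work with any OAuth2 IdP
        return 200
    if not dep.keycloak:               # everything else needs Keycloak (page: 404)
        return 404
    if controller == "system":
        return 200 if SYSTEM_INTEGRATOR in caller.roles else 403
    if controller == "admin":
        # needs the tenant-admin role AND membership of that tenant's realm
        if TENANT_ADMIN not in caller.roles or caller.realm != tenant:
            return 403
        return 200 if tenant in dep.tenants else 404
    return 404


def create_tenant(dep: Deployment, caller: Caller, name: str) -> int:
    """Tenant creation goes through the system controller and needs a saved profile."""
    status = authorize(dep, caller, "system")
    if status != 200:
        return status
    if not dep.profile_saved:          # precondition from the Keycloak checklist
        return 409
    dep.tenants.add(name)              # each tenant gets its own Keycloak realm
    return 201
```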

In order to connect such a custom IDM proxy, create a tenant-management-prod.yml configuration file with the following parameters:

idm:
  custom:
    enabled: true
    base-url: http://IDM_HOST:port

The handling of profile-related configuration files is described for the core system.
>> Configuring Services using Profiles