...

Keycloak admin credentials

During the installation of Blueriq using the installer, a Keycloak user named admin is created for which a password needs to be specified.

Note

The admin user for Keycloak is a different user from the admin user for Encore and the Studio server. The Keycloak admin user is defined in the Master realm and used to manage the Keycloak server, while the Encore (and Studio server) admin user is defined in a Studio-specific realm and used to manage the Studio.

The default admin credentials for Keycloak can be found in the file [Installation_Folder]\tools\keycloak\bin\kc-service.xml

It is recommended to change the admin password after installation via the Keycloak admin console. To change the admin password, take the following steps:

From the Blueriq start page, select User Management

Log in to the Keycloak Admin console using the user named admin and the password as created during the installation.

Note

Accessing Keycloak is not possible in Internet Explorer

In the top right corner, select Manage account

Select "Signing in" from the Account Security card.

Select Update from the Basic Authentication section, and choose a new password.

Click "Back to Security Admin Console" in the top left to go back to the Admin console. You may need to sign in again with the new password.

...

The default configuration is created when installing Blueriq. This configuration is contained within a Keycloak realm which is used by Encore and the Studio server. This section contains an overview of what the default configuration includes.

...

A group and a role, both named studio-admin, are created by default during the Studio installation. The group studio-admin has the role studio-admin assigned to it; this role is mapped to the default Administrator role in the Studio server.

Users

The following users are created by default. All of them are members of the studio-admin group, and therefore have admin access to the Studio server.

  • admin: the admin user of Encore
  • runtime: used by the runtime development dashboard to retrieve projects.

Restoring the default configuration

...

When managing users, groups and roles, make sure that you have selected the Studio from the Realm selection menu.

Groups & Roles

Note

Keycloak groups and roles only take effect in Encore and the Studio server if you are using the oidc security mode and there is a RoleMapping which maps the Keycloak role to a Studio role in Encore.

Adding, editing and removing groups and roles in Keycloak is relatively straightforward: from the navigation panel, select either Roles or Groups, and the main view will list all roles or groups. From this view you can add, edit or delete roles or groups.

...

Roles can also be assigned to groups, effectively assigning those roles to all members of the group.

Ultimately it is the roles a user has in Keycloak (either directly or via groups it is a member of) that will determine which roles (and permissions) the user has in Encore and the Studio server.

Which Studio role a user has based on the given Keycloak roles is determined in the Studio configuration via the role mappings. See Studio Security Modes for how to configure role mappings.
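
The resolution described above can be audited offline. The following is an added example, not Blueriq's or Keycloak's own code: it walks a constructed sample shaped like a Keycloak realm export, collects each user's direct and group-inherited realm roles, and applies a role mapping to list who ends up as Administrator. The mapping dictionary, the groups leads and modelers, the users alice and bob, and the roles studio-modeler and Modeler are assumptions made for illustration.

```python
import json

# Constructed sample shaped like a Keycloak realm export. Only studio-admin,
# admin and runtime come from the page; every other name is hypothetical.
EXPORT = json.loads("""{
 "groups": [
  {"path": "/studio-admin", "realmRoles": ["studio-admin"], "subGroups": [
    {"path": "/studio-admin/leads", "realmRoles": [], "subGroups": []}]},
  {"path": "/modelers", "realmRoles": ["studio-modeler"], "subGroups": []}],
 "users": [
  {"username": "admin",   "groups": ["/studio-admin"], "realmRoles": []},
  {"username": "runtime", "groups": ["/studio-admin"], "realmRoles": []},
  {"username": "alice",   "groups": ["/studio-admin/leads"], "realmRoles": []},
  {"username": "bob",     "groups": ["/modelers"], "realmRoles": ["offline_access"]}]
}""")

# Assumed role mapping (Keycloak role -> Studio role). The real mapping is part
# of the Studio configuration; "Modeler" is a hypothetical Studio role.
ROLE_MAPPING = {"studio-admin": "Administrator", "studio-modeler": "Modeler"}


def roles_by_group_path(groups, inherited=frozenset()):
    """Return {group path: roles}, with subgroups inheriting parent roles."""
    result = {}
    for group in groups:
        roles = inherited | set(group.get("realmRoles", []))
        result[group["path"]] = roles
        result.update(roles_by_group_path(group.get("subGroups", []), roles))
    return result


def studio_roles(export, mapping):
    """Return {username: sorted Studio roles} from direct and group roles."""
    by_path = roles_by_group_path(export.get("groups", []))
    resolved = {}
    for user in export.get("users", []):
        keycloak_roles = set(user.get("realmRoles", []))
        for path in user.get("groups", []):
            keycloak_roles |= by_path.get(path, set())
        # Keycloak roles without a mapping grant nothing in the Studio.
        resolved[user["username"]] = sorted(
            mapping[r] for r in keycloak_roles if r in mapping)
    return resolved


def administrators(export, mapping):
    """List every account that ends up with the Administrator Studio role."""
    return sorted(name for name, roles in studio_roles(export, mapping).items()
                  if "Administrator" in roles)


if __name__ == "__main__":
    print(administrators(EXPORT, ROLE_MAPPING))
```

In the sample, alice holds no role directly and is not a direct member of studio-admin, yet resolves to Administrator through the subgroup, which is the kind of indirect grant worth reviewing.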

...

Then edit the user, select Credentials and enter a password.

If the temporary toggle is on, then the user must first update their password before they can sign in to Encore.

Users can always update their password (temporary or not) in the Account console for the Studio realm at http://<domain:port>/Keycloak/realms/<realm>/account, or http://localhost:150160/Keycloak/realms/BlueriqStudio15/account in a typical installation.

User Federation: NTLM/LDAP

Note

You may need to consult your administrator in order to fill in the following fields.

It is possible to link Keycloak to an Active Directory using User Federation. This will allow users to sign in using their AD credentials. To set this up:

  1. Select User Federation from the navigation panel. From the Add provider drop-down, select ldap.

  2. Select which vendor is used

...

  2. Enter the connection URL, including the ldap:// prefix. The following command may help determine the correct URL: nslookup -type=all _ldap._tcp.

...

  1. Select which credentials Keycloak will use to query the AD, for example CN=Keycloak,CN=Services,DC=company,DC=com.

...

  2. Test authentication to ensure the configuration works.
  3. As Edit Mode, choose READ_ONLY.
  4. Select where in the LDAP tree Keycloak can find the Studio users that should be able to log in, for example CN=MyStudioUsers,DC=company,DC=com.
  5. Save your changes.
  6. Sync all users in the top right corner.

User Federation: Kerberos

...