Versions Compared

Old Version 25

changes.mady.by.user Tijmen Daatselaar

Saved on

compared with

New Version Current

changes.mady.by.user Tijmen Daatselaar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

By default Keycloak is installed and configured so that it can be used by Encore and the Studio server using the OIDC protocol. See Studio Security Modes for information on how to use OIDC.

Keycloak admin credentials

During the installation of Blueriq using the installer, a Keycloak user named admin is created for which a password needs to be specifiedhas been specified during the installation as well.

Note

The admin user for Keycloak is a different user from the admin user for Encore and the Studio server. The Keycloak admin user is defined in the Master realm and used to manage the Keycloak server, while the Encore (and Studio server) admin user is defined in a Studio-specific realm and used to manage the Studio.

...

The secret for the studio-server client must also be provided to the Studio backend in [Installation_Folder]\Studio\Services\StudioService.exe.config in the oidc and oidccustom elements element. This is normally done during installation, but when generating a new secret in Keycloak this must be updated manually.

...

When restoring the default configuration, the script will also update StudioService.exe.config to set the correct authority url for the newly created realm and the new client secret for the studio-server client.

Managing Users & Groups & Roles

When managing users, groups and roles, make sure that you have selected the Studio from the Realm selection menu:

Image Removed

Groups & Roles

Note

Keycloak groups and roles only have effect in Encore and the Studio server if you are using the oidc security mode and there is a RoleMapping which maps the Keycloak role to a role in Encore

Adding, editing and removing groups and roles in Keycloak is relatively straightforward, from the navigation panel select either Roles or Groups, and the main view will list all roles or groups. From this view you can add, edit or delete roles or groups.

Users can be added to multiple groups, and they can be assigned multiple roles.

Roles can also be assigned to groups, effectively assigning those roles to all members of the group.

Ultimately it is the roles a user has in Keycloak (either directly or via groups it is a member of) that will determine which roles (and permissions) the user has in Encore and the Studio server.

Which Studio role a user has based on the given Keycloak roles is determined in the Studio configuration via the role mappings. See Studio Security Modes for how to configure role mappings.

The Studio role in turn will determine which permissions a user has in the Studio. See User access and management for more information on Studio roles and permissions.

Users

Adding, editing and removing users is relatively straightforward in Keycloak. From the navigation panel select Users, the main view will not list all by default, you can choose "View all users" to load all users, or search for a user from the search bar.

Adding a new user can be done with the Add user button in the top right. Only thing to keep in mind when adding a user, is that we currently only support authentication with a password, new users must be set up so that they can sign in with a password. To do this, first create a user: only the username is required, and optionally you can assign the user to one or more groups.

Then edit the user, select Credentials and enter a password:

Image Removed

If the temporary toggle is on, then the user must first update their password before they can sign into Encore.

Users can always update their password (temporary or not) in the Account console for the Studio realm at http://<domain:port>/Keycloak/realms/<realm>/account, or http://localhost:160/Keycloak/realms/BlueriqStudio15/account in a typical installation.

User Federation: NTLM/LDAP

...

  1. Select User Federation from the navigation panel. From the Add provider drop-down, select ldap.


  2. Select which vendor is used:



  3. Enter the connection url, including the ldap:// prefix. The following command line command may assist in determining the correct url: nslookup -type=all _ldap._tcp.


  4. Select which credentials Keycloak will use to query the AD, for example as CN=Keycloak,CN=Services,DC=company,DC=com.
  5. Test authentication to ensure the configuration works.
  6. As Edit Mode, choose READ_ONLY
  7. Select where in the LDAP tree Keycloak can find the Studio users that should be able to log in, for example CN=MyStudioUsers,DC=company,DC=com.
  8. Save your changes
  9. Sync all users in the top right corner:

...

  1. Select User Federation from the navigation panel and then select "Add Kerberos providers".
  2. Choose a UI display name
  3. Enter the Kerberos Realm
    Image Modified
  4. Enter the principal for the server 
    Image Modified
  5. Enter the location of the keytab file containing credentials of the given principal
  6. Set Allow Password Authentication to On:
  7. Set Edit Mode to READ_ONLY
  8. In order to test it, a AD user can try to sign in to the Account console for the Studio realm at http://<domain:port>/Keycloak/realms/<realm>/account