...

Security and User Management

During the installation of Blueriq you have chosen a security mode.

The Studio Server authenticates using OpenID Connect (with Keycloak), so that users log in using credentials that are managed externally.

Authorization can be achieved by mapping roles/groups provided by the external provider to Encore/Studio roles (see Group access).

Note

OpenID Connect for the Studio is currently only supported in combination with the provided Keycloak server, and only for a subset of the full OIDC specification and Keycloak features. While OIDC is an open standard, in practice there can be differences between the various implementations. This does not automatically exclude compatibility with other implementations, but we cannot guarantee it.

Studio Server

To configure the Studio Server's connection to Keycloak, go to [Blueriq Installation directory]\Studio\Services\StudioService.exe.config and search for <security>. It contains an <oidc> element:

<oidc authority="http://localhost:15098/Keycloak/realms/BlueriqStudio15" clientid="studio-server" clientsecret="" rolespath="realm_access.roles">
  <rolemappingdao class="Aquima.Studio.Server.UserAccess.Xml.XmlRoleMappingDao, UserAccess">
    <parameters>
      <parameter value="../Configuration/Security/RoleMappings" />
    </parameters>
  </rolemappingdao>
</oidc>

The authority and client secret have been configured during installation. To check the validity of the authority URL, open [authorityUrl]/.well-known/openid-configuration in your browser; the result should be a JSON response.

To map the roles of an OIDC user to Blueriq roles, see Group access.
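The authority check described above can also be scripted. The following is an added example, not Blueriq's own code: it checks a discovery response against the `<oidc>` attributes and resolves `rolespath` in a token's claims. The discovery document and claims are constructed samples, the role names are made up, and treating `rolespath` as a dotted path into the claims is an assumption based on Keycloak's `realm_access.roles` layout.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# <oidc> attributes as shown on this page (child elements omitted).
BASE = "http://localhost:15098/Keycloak/realms/BlueriqStudio15"
OIDC_XML = (f'<oidc authority="{BASE}" clientid="studio-server" '
            'clientsecret="" rolespath="realm_access.roles" />')
# Constructed sample of a discovery response (Keycloak endpoint layout).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
})
# Constructed sample of decoded token claims; role names are made up.
SAMPLE_CLAIMS = {"preferred_username": "alice",
                 "realm_access": {"roles": ["studio-admin", "offline_access"]}}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
LOOPBACK = ("localhost", "127.0.0.1", "::1")

def check_oidc(oidc_xml, discovery_json):
    """Return a list of findings; an empty list means every check passed."""
    cfg = ET.fromstring(oidc_xml).attrib
    authority = cfg["authority"].rstrip("/")
    try:
        doc = json.loads(discovery_json)
    except ValueError:  # e.g. an HTML error page instead of JSON
        return ["discovery response is not JSON"]
    if not isinstance(doc, dict):
        return ["discovery response is not a JSON object"]
    findings = [f"discovery document lacks {k}" for k in REQUIRED if k not in doc]
    if str(doc.get("issuer", "")).rstrip("/") != authority:
        findings.append("issuer does not match the configured authority")
    url = urlparse(authority)
    if url.scheme != "https" and url.hostname not in LOOPBACK:
        findings.append("authority uses plain HTTP on a non-loopback host")
    if not cfg.get("clientsecret"):
        findings.append("clientsecret is empty")
    return findings

def roles_at(claims, rolespath):
    """Follow a dotted rolespath (assumed semantics) through the claims."""
    node = claims
    for part in rolespath.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return [r for r in node if isinstance(r, str)] if isinstance(node, list) else []
```

To check a live server, pass the body returned by [authorityUrl]/.well-known/openid-configuration as `discovery_json`.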

User Management

Studio connects to a Keycloak server provided with the Blueriq installation. Users may be managed via the admin console of the Keycloak server. This Keycloak server can also be configured to connect to an Active Directory with NTLM or Kerberos.

See the Keycloak configuration guide for more information.

Management Service

Requests to the management service should use Basic authentication. See Studio Security Modes for a detailed description of each security mode.

Logging

If any problem occurs with authorization or authentication, you can use the audit.log to trace and find the cause.

...