You are viewing the documentation for Blueriq 15. Documentation for other versions is available in our documentation directory.
By default Keycloak is installed and configured so that it can be used by the Studio using the OIDC protocol. See Studio Security Modes for information on how to switch the Studio to OIDC.
Keycloak admin credentials
The admin user for Keycloak is a different user from the admin user for the Studio. The Keycloak admin user is defined in the Master realm and used to manage the Keycloak server, while the Studio admin user is defined in a Studio-specific realm and used to manage the Studio.
The default admin credentials for Keycloak can be found in the file [Installation_Folder]\tools\keycloak\bin\kc-service.xml
It is recommended to change the admin password after installation via the Keycloak admin console. To change the admin password, take the following steps:
From the Blueriq start page, select User Management
Log in to the Keycloak Admin console using the credentials found in [Installation_Folder]\tools\keycloak\bin\kc-service.xml
Accessing Keycloak is not possible in Internet Explorer
In the top right corner, select Manage account
Select "Signing in" from the Account Security card.
Select Update from the Basic Authentication section, and choose a new password.
Click "Back to Security Admin Console" from the top left to go back to the Admin console, you may need to sign in again with the new password.
Default configuration
The default configuration is created when installing Blueriq. This configuration is contained within a Keycloak realm which is used by the Studio. This section contains an overview of what the default configuration includes.
Clients
Two clients are created in the default configuration.
- studio-server: Used by the Studio backend, this is a private client which has admin access to the Studio
- encore: Used by Encore, this is a public client which retrieves an access token on behalf of a user in order to communicate with the Studio backend
The secret for the studio-server client must also be provided to the Studio backend in [Installation_Folder]\Studio\Services\StudioService.exe.config
in the oidc and oidccustom elements. This is normally done during installation, but when generating a new secret in Keycloak this must be updated manually.
Client Scopes
A client scope studio
is included in the realm. When requesting an access token, this scope will activate mappers which add additional information to resulting access token. This information is required by the Studio backend in order to validate the token.
Groups & Roles
A group and role studio-admin
are created by default during the Studio installation. The group studio-admin has the role studio-admin assigned to it, this role is mapped to the default Administrator role in the Studio.
Users
The following users are created by default, all of them are members of the studio-admin
group, and therefore have admin access to the studio.
- admin: the admin user of the Studio
- administrationpage: used by the administration page
- runtime: used by the runtime development dashboard to retrieve projects.
Restoring the default configuration
The default configuration can be restored using the Powershell scripts located at [Installation_Folder]\Studio\Keycloak\setup-keycloak-studio-realm.ps1
For example, you can run the script as follows from the Powershell command line, replacing *** with actual passwords
setup-keycloak-studio-realm.ps1 -KeycloakUrl http://localhost:150/Keycloak -KeycloakAdmin admin -KeycloakAdminSecret *** -RealmName "BlueriqStudio15" -StudioAdmin admin -StudioAdminSecret *** -AdminPageUser administrationpage -AdminPageSecret *** -RuntimeUser runtime -RuntimeSecret *** -StudioConfigPath "C:\Program Files\Blueriq15\Studio\Services\StudioService.exe.config"
The values for KeycloakAdmin and KeycloakAdminSecret can be found in the file [Installation_Folder]\Keycloak\bin\kc-service.xml.
Changing the values in kc-service.xml after installation will have no effect. Updating the admin password must be done via the Keycloak admin console. If the password has been changed after installation, the value in the kc-service.xml will be outdated.
Values for other password can be chosen at will, but the configuration for applications that must sign in using those passwords, must also be updated.
When restoring the default configuration, the script will also update StudioService.exe.config to set the correct authority url for the newly created realm and the new client secret for the studio-server client.
Managing Users & Groups & Roles
When managing users, groups and roles, make sure that you have selected the Studio from the Realm selection menu:
Groups & Roles
Keycloak groups and roles only have effect in the Studio if you are using the oidc
security mode and there is a RoleMapping which maps the Keycloak role to a Studio role
Adding, editing and removing groups and roles in Keycloak is relatively straightforward, from the navigation panel select either Roles or Groups, and the main view will list all roles or groups. From this view you can add, edit or delete roles or groups.
Users can be added to multiple groups, and they can be assigned multiple roles.
Roles can also be assigned to groups, effectively assigning those roles to all members of the group.
Ultimately it is the roles a user has in Keycloak (either directly or via groups it is a member of) that will determine which roles (and permissions) the user has in the Studio.
Which Studio role a user has based on the given Keycloak roles is determined in the Studio configuration via the role mappings. See Studio Security Modes#RoleMappings for how to configure role mappings.
The Studio role in turn will determine which permissions a user has in the Studio. See User access and management for more information on Studio roles and permissions.
Users
Adding, editing and removing users is relatively straightforward in Keycloak. From the navigation panel select Users, the main view will not list all by default, you can choose "View all users" to load all users, or search for a user from the search bar.
Adding a new user can be done with the Add user button in the top right. Only thing to keep in mind when adding a user, is that we currently only support authentication with a password, new users must be set up so that they can sign in with a password. To do this, first create a user: only the username is required, and optionally you can assign the user to one or more groups.
Then edit the user, select Credentials and enter a password:
If the temporary toggle is on, then the user must first update their password before they can sign into the Studio.
Users can always update their password (temporary or not) in the Account console for the Studio realm at http://<domain:port>/Keycloak/realms/<realm>/account
, or http://localhost:150/Keycloak/realms/BlueriqStudio15/account in a typical installation.
User Federation: NTLM/LDAP
It is possible to link Keycloak to an Active Directory using User Federation. This will allow users to sign in using their AD credentials. To set this up:
Select User Federation from the navigation panel. From the Add provider drop-down, select ldap
.
As Edit Mode, choose READ_ONLY
You may need to consult your administrator in order to fill in the following fields.
Select which vendor is used, this will prefill the next 4 fields with sensible defaults:
Enter the connection url, including the ldap://
prefix. The following command line command may assist in determining the correct url: nslookup -type=all _ldap._tcp
.
Select where in the LDAP tree Keycloak can find the Studio users that should be able to log in, for example CN=MyStudioUsers,DC=company,DC=com
.
Select which credentials Keycloak will use to query the AD, for example as CN=Keycloak,CN=Services,DC=company,DC=com
.
Test authentication to ensure the configuration works.
User Federation: Kerberos
It is possible to link Keycloak to an Active Directory with the Kerberos protocol using User Federation. This will allow users to sign in using their AD credentials. To set this up:
Select User Federation from the navigation panel. From the Add provider drop-down, select kerberos
.
Enter the Kerberos Realm
Enter the principal for the server
Enter the location of the keytab file containing credentials of the given principal.
Set Allow Password Authentication to On:
Set Edit Mode to READ_ONLY
In order to test it, a AD user can try to sign in to the Account console for the Studio realm at http://<domain:port>/Keycloak/realms/<realm>/account