User authentication
Authorization Hub authenticates users through Keycloak. You can use a standard username-and-password flow, or preferably, integrate with an external Identity Provider (IdP) to centralize user management and streamline the login experience.
If you don't configure an IdP, Keycloak applies a default password policy during account setup. To modify these settings, read the Password policy section below.
Only Tenant admins can perform the procedures in this section.
Access Keycloak
Follow the steps below to access the Keycloak administration console:
- Append `../auth/admin/hub/console/` to your Authorization Hub deployment URL.
- Log in to your Authorization Hub account if you haven't already done so.
- The Keycloak console will open with the Authorization Hub realm selected by default.
You are now ready to perform any of the procedures listed below.
Only the Keycloak settings explicitly described in the Authorization Hub documentation are supported. Axiomatics assumes no liability for the use of non-documented configuration options.
Password policy
Keycloak enforces a default password policy when users set up their accounts. The policy requires:
| Requirement | Specification |
|---|---|
| Length | A minimum of 12 characters |
| Numbers | At least one digit |
| Uppercase | At least one uppercase letter |
| Special characters | At least one symbol (!, @, #, etc.) |
If the default password policy does not meet your organization's security requirements, follow these steps to modify it.
- In the Keycloak menu, under Configure, click Authentication.
- Switch to the Policies tab.
- Adjust the values according to your requirements.
- Click Save to apply your updated password policy.
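A small audit helper, added here as an example and not part of the Axiomatics or Keycloak documentation: it parses the `passwordPolicy` string that Keycloak stores in its realm representation (the form `length(12) and digits(1) and ...`) and reports every requirement that is missing or weaker than the default policy listed above. The realm JSON below is a constructed sample, not data from a real deployment.

```python
import json
import re

# Baseline taken from the default Authorization Hub password policy above.
BASELINE = {"length": 12, "digits": 1, "upperCase": 1, "specialChars": 1}

# Constructed sample in the shape of a Keycloak realm representation;
# only the field this check needs is included.
SAMPLE_REALM_JSON = json.dumps({
    "realm": "hub",
    "passwordPolicy": "length(8) and digits(1) and specialChars(1) "
                      "and notUsername(undefined)",
})

_ENTRY = re.compile(r"^\s*(\w+)(?:\((.*?)\))?\s*$")


def parse_policy(policy: str) -> dict:
    """Turn 'length(12) and digits(1)' into {'length': 12, 'digits': 1}.
    Providers with a non-numeric or absent argument map to None."""
    parsed = {}
    if not policy:
        return parsed
    for entry in policy.split(" and "):
        match = _ENTRY.match(entry)
        if not match:
            raise ValueError(f"unrecognised policy entry: {entry!r}")
        name, arg = match.group(1), match.group(2)
        parsed[name] = int(arg) if arg and arg.isdigit() else None
    return parsed


def audit_policy(realm_json: str, baseline: dict = BASELINE) -> list:
    """Return one finding per baseline requirement that is missing from
    the realm's policy or set below the documented minimum."""
    realm = json.loads(realm_json)
    policy = parse_policy(realm.get("passwordPolicy", ""))
    findings = []
    for name, minimum in baseline.items():
        value = policy.get(name)
        if value is None:
            findings.append(f"{name}: missing (baseline {name}({minimum}))")
        elif value < minimum:
            findings.append(f"{name}: {value} is below baseline {minimum}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_REALM_JSON):
        print(finding)
```

An empty result means the realm policy is at least as strict as the default on every listed requirement; the check says nothing about providers the baseline does not name.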
Integrate Identity Providers (IdP)
We recommend configuring an Identity Provider (IdP) before inviting users.
Connecting an IdP lets users log in through your existing enterprise identity system instead of managing a separate password for Authorization Hub. Keycloak acts as the bridge between Authorization Hub and your IdP.
Set up your IdP following the Integrating identity providers instructions in the Keycloak documentation.
Once the initial setup is complete, open the IdP you just configured and set the following options under Advanced settings:
| Parameter | Value |
|---|---|
| Trust Email | On (optional) |
| First login flow override | hub-first-broker-validation |
| Post login flow | hub-post-broker-validation |
| Sync mode | Force |
Click Save to finalize the IdP configuration.
Optionally, sync the profile picture stored in the IdP as follows:
- Switch to the Mappers tab.
- Click Add Mapper and set the following:
| Parameter | Value |
|---|---|
| Name | A descriptive name for this mapper |
| Sync mode override | Inherit |
| Social Profile JSON Field Path | The field in your IdP that holds the picture URL. For Google, this is `picture`. |
| User Attribute Name | picture |
- Click Save to store the mapper configuration.
After configuration, the login screen shows the IdP login button alongside the standard username and password fields.
In environments where an IdP is configured, new users invited to the Authorization Hub receive an email instructing them to log in using the IdP. Otherwise, the email prompts users to set up their password.
If a user was invited before an IdP was enabled and logged in with a username and password, the system will automatically link their account when they next sign in using an IdP.