Keycloak
Axiomatics Services Manager (ASM) uses Keycloak for authentication and access management services in its implementation.
The configuration needed for the interaction between ASM and Keycloak is described below.
Disclaimer
There are many features and options available in Keycloak. However, only settings and configurations explicitly mentioned in the Axiomatics Services Manager documentation are supported. Axiomatics assumes no responsibility or liability for the use of other configuration options.
For more information about Keycloak configuration options, please refer to the Keycloak documentation.
Manage users in Keycloak
During the installation of ASM, a Keycloak service is also installed, to serve as an authentication module.
Only a default administrative user is created automatically during the installation. All other users must be created and assigned a role in Keycloak, before they can log in to ASM.
Log in to Keycloak
Open a web browser window and go to:
- Default hostname: https://localhost/auth if you are using the default hostname.
- Custom hostname: append /auth to the hostname you are using. For example, https://example.com/auth.
Open the Administration Console and log in using the following credentials:
- username: admin
- password: admin
Note: This is a temporary admin account for initial Keycloak setup. Create your own admin account as described in the Keycloak docs: Server Administration Guide, and delete the temporary admin account afterwards.
Create a user in Keycloak
All users, except the default administrative user, must be created and assigned a role in Keycloak before they can log in to ASM.
- Make sure that the Services Manager (asm) realm is selected.
- In the menu, under the Manage section, click Users.
- Click Add User. The Create user page displays.
- Enter a name in the Username field, which is required. The rest of the fields are optional.
Note: The characters ':', '[', ']', '|', and '*' are not allowed in the username.
- Click Create.
- Switch to the Credentials tab and click Set password.
- Use the Password and Password confirmation fields to set and confirm a new password.
- Toggle the Temporary switch off and click Save.
- Confirm your action by clicking Save password.
- Assign a role to the newly created user as described in step 4 and beyond of the Map user roles section below.
Repeat for as many users as you want to add to the system.
Map user roles
- Make sure that the Services Manager (asm) realm is selected.
- In the menu, under the Manage section, click Users.
- Use the search field to find the user you wish to assign roles to.
- Switch to the Role Mapping tab and click Assign role.
- Select Filter by realm roles and check the roles you wish to assign to the user:
- asm-admins
- asm-users
- domain-auditor
- Click Assign.
The specified roles are assigned to the selected user.
An administrator must be assigned all three roles listed above to have access to projects and the administration view. For regular ASM users, assigning the asm-users and domain-auditor roles is recommended.
Delete a user in Keycloak
- Make sure that the Services Manager (asm) realm is selected.
- In the menu, under the Manage section, click Users.
- Search for the user you wish to delete or go through the list.
- Click the three dots in the far right side of the user row and select Delete.
- Confirm your action by clicking Delete.
- Go to ASM and remove all of the user's project assignments and delete them from the list of users.
Configure Keycloak for ADS
To enforce authorization and project permissions, a mapper must be configured in Keycloak to map project permissions to claims when ADS is accessing a domain in the domain manager of ASM.
Most of these settings are created automatically during installation. However, a few configuration steps are necessary.
The following information assumes the system administrator has access to the Keycloak administration console. See Log in to Keycloak for the first time for first-time login instructions.
Regenerate a client secret
- Log in to the Keycloak administration console and go to the Services Manager (asm) realm.
- In the menu, under the Manage section, click Clients.
- Find and click the ads Client ID on the table.
- Switch to the Credentials tab.
- Click Regenerate next to the Client secret field.
- Copy the value of the Secret field to use it in the configuration of ADS. See ADS docs: Authentication using an authorization server for more information.
Update the mapper for the namespaces claim
- In the menu, under the Manage section, click Clients.
- Find and click the ads Client ID on the table.
- Switch to the Client scopes tab and click the ads-dedicated client scope.
- Click the Namespaces mapper on the table.
- In the Claim value field, list the namespaces that the client should have access to.
Tip: In ASM, namespaces are equivalent to projects.
Important: The value should be a JSON array of strings in the following format: ["namespace", "namespace2", "namespace3/etc"].
- Click Save to save the mapper.
This concludes the configuration of the Keycloak client for ADS.
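To confirm that the role mappings from the Map user roles section and the Namespaces mapper configured above actually appear in the tokens Keycloak issues for the ads client, here is an added Python example written for this page (it is not Axiomatics' or Keycloak's own code). It assumes the mapper's token claim name is `namespaces` and reads realm roles from Keycloak's standard `realm_access.roles` claim; the token it inspects is a constructed, unsigned sample, and the decoder deliberately does not verify signatures, since it is an inspection aid rather than an authorization check.

```python
import base64
import json

# Realm roles as listed in the "Map user roles" section of this page.
ADMIN_ROLES = {"asm-admins", "asm-users", "domain-auditor"}
USER_ROLES = {"asm-users", "domain-auditor"}

# Assumed claim name produced by the Namespaces mapper; confirm it in the
# mapper's "Token Claim Name" field in the Keycloak console.
NAMESPACES_CLAIM = "namespaces"

# Username characters this page says are not allowed.
FORBIDDEN_USERNAME_CHARS = set(":[]|*")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Inspection only: verifying the signature against the realm's keys is
    the job of the consuming service (ADS), not something to skip there.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def validate_namespaces_claim(value) -> list:
    """Enforce the format the page requires: a JSON array of strings."""
    if isinstance(value, str):
        value = json.loads(value)  # the Claim value field holds a JSON string
    if not isinstance(value, list) or not all(isinstance(v, str) and v for v in value):
        raise ValueError("namespaces claim must be a JSON array of non-empty strings")
    return value


def realm_roles(payload: dict) -> set:
    """Realm roles from Keycloak's standard 'realm_access.roles' claim."""
    return set(payload.get("realm_access", {}).get("roles", []))


def check_token(token: str, required_roles) -> dict:
    """Summarise namespaces granted and which required roles are missing."""
    payload = jwt_payload(token)
    return {
        "namespaces": validate_namespaces_claim(payload.get(NAMESPACES_CLAIM, [])),
        "missing_roles": sorted(set(required_roles) - realm_roles(payload)),
    }


def valid_username(name: str) -> bool:
    """True if the username avoids the characters the page forbids."""
    return bool(name) and not (set(name) & FORBIDDEN_USERNAME_CHARS)


def build_unsigned_token(payload: dict) -> str:
    """Constructed, unsigned sample token (alg 'none') for offline use only."""
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    return f"{enc(header)}.{enc(payload)}."


# Constructed sample payload resembling what the asm realm would issue for
# the ads client once the mapper above is configured.
SAMPLE_PAYLOAD = {
    "iss": "https://localhost/auth/realms/asm",
    "azp": "ads",
    "realm_access": {"roles": ["asm-users", "domain-auditor"]},
    NAMESPACES_CLAIM: ["namespace", "namespace2", "namespace3/etc"],
}

if __name__ == "__main__":
    token = build_unsigned_token(SAMPLE_PAYLOAD)
    print("as regular user:", check_token(token, USER_ROLES))
    print("as administrator:", check_token(token, ADMIN_ROLES))
    print("username 'svc:ads' valid?", valid_username("svc:ads"))
```

For a real check, request a token for the ads client (client_credentials grant with the regenerated secret) from the realm's token endpoint, which on the default hostname is the standard Keycloak path https://localhost/auth/realms/asm/protocol/openid-connect/token, and pass the access token to check_token; a non-empty missing_roles list or a ValueError from the namespaces claim points at a mapping that was not saved as intended.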
What's next?
Assign users to projects and adjust their permissions as described in the Users and projects topic.