Versions Compared

Version Old Version 2 New Version Current
Changes made by

Ashima Agarwal

Ashima Agarwal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info

This assumes that you have a new Keycloak instance, and this guide is useful mostly for troubleshooting. Most of the time you will want the Quick Installation Guide.Getvisibility Reseller Keycloak Quick Installation Guide

Below are the steps involved in configuring Keycloak, and you may choose to skip the Optional steps based on your preferences:

...

Logging into Keycloak admin panel

The To log into Keycloak admin URL will consist of the following components:

...

The access protocol (E.g. http or https - probably https)

...

panel please access:

https://my-reseller.net

...

The service path (E.g. auth for Keycloak)

...

The keycloak admin path /admin/master/console

An example of the above might look something like this:

https:///auth/admin

Replace my-reseller.net/auth/admin/master/console with IP or domain name of the product.

Once you have entered the correct address for your cluster Keycloak instance following the above guidelines, you should be able to login to the Keycloak admin dashboard using the following details:

...

In Keycloak, a Realm is a top level authentication domain which contains an isolated authentication configuration.

A good way to imagine this is that each Keycloak Realm might each represent a different environment.

We need to create a Realm for managing our cluster authentication, please follow the steps below in order to do this:

...

Hover over the dropdown component in the top-left of the screen

...

...

This will bring up a menu, click on the button labelled Add realm

...

...

When the Add realm screen opens, enter the realm Name as gv and click Create

...

...

  1. In Gv Realm SettingsGeneral tab, enter your desired user-friendly reseller name into both the Display name and HTML Display name fields.

...

Note

Changes to “ Name “ field are not allowed and will result in product being rendered inoperable.

  1. Click the Save button to commit these changes to the Realm Settings.

Once the Realm is created, click on the Clients menu item on the left-side menu, this should load a list of authentication clients as seen below:

...

Configuring the Dashboard Client

A Client in Keycloak is used to encapsulate a Client authentication mechanism and configuration for a particular endpoint consumer (E.g. an API or a frontend)

  1. Click on the Clients menu item on the left-side menu, this should load a list of authentication clients as seen below:

...

  1. Click on the Create button in the top-right of the Clients list

...

  1. When the Add Client screen opens, enter the following information:

    1. Client ID as dashboard

    2. Client Protocol as openid-connect (also known as OIDC)

    3. Root URL as the current host name in your URL (e.g. https://my-reseller.net as in the example above)

...

4. Once the client has been created, it will open the new dashboard client configuration Settings tab


Complete the following information:

  1. (Optional) Name will be a human-readable identifier for the client. You can make this Dashboard

  2. (Optional) Description will be a human-understandable description of the client’s purpose. You can make this Dashboard authentication client

  3. Login Theme (not selected in the example image below) will be the theme created for your reseller (E.g. myreseller-theme) that you can select from the dropdown control

  4. Client Protocol should be automatically selected as openid-connect from our initial creation of the client

  5. Click/Set the Front Channel Logout to On, this will cause a new field to appear (Front-Channel Logout URL)

  6. Enter the Front-Channel Logout URL using the following formula: {current host name}/auth/realms/gv/protocol/openid-connect/logout
    E.g. https://my-reseller.net/auth/realms/gv/protocol/openid-connect/logout

  7. Update the Valid Redirect URIs to include the URL you have configured for the Dashboard UI (remember to click the + plus icon after entering the value).
    This will allow Keycloak to redirect back to your Dashboard UI after authenticating

  8. Update the Web Origins to include the URL you have configured for the Dashboard UI (remember to click the + plus icon after entering the value).
    This will allow CORS endpoint calls to Keycloak from the Dashboard UI.

    Image Modified

  9. Click the Save button at the bottom of the screen then return to the Clients list

Note

Ensure that Access Type is Public for frontend applications to access the authentication client

...

A Client in Keycloak is used to encapsulate a Client authentication mechanism and configuration for a particular endpoint consumer (E.g. an API or a frontend)

  1. Click on the Create button in the top-right of the Clients list

    Image Modified

  2. When the Add Client screen opens, enter the following information:

    1. Client ID as agent

    2. Client Protocol as openid-connect (also known as OIDC)

    3. Root URL as the current host name in your URL (e.g. https://my-reseller.net as in the example above)

      Image Modified

  3. Once the client has been created, it will open the new agent client configuration Settings tab
    Complete the following information:

    1. (Optional) Name will be a human-readable identifier for the client. You can make this Agent

    2. (Optional) Description will be a human-understandable description of the client’s purpose. You can make this Agent authentication client

    3. Client Protocol should be automatically selected as openid-connect from our initial creation of the client

    4. Update the Valid Redirect URIs to include any secure URL on the network. This is a required field and that is the only reason that it is needed.
      This field isn’t required for anything in particular for the agent client configuration.

      Image Modified

  4. Click the Save button at the bottom of the screen then return to the Clients list

Note

Ensure that Access Type is Public for frontend applications to access the authentication client

...

Steps #1 Keycloak authentication flow

  1. Go to AuthenticationFlow.

2. Choose Direct Grant, press the copy button and specify some name (i.e. X509 Direct Grant).

...

Please follow these simple steps in order to configure the default user for the Desktop agent.

  1. Click on the Users menu item on the left-side menu, this should load the Users list

    Image Modified

     

  2. Click the Add user button in the top right to open the Add user screen

    Image Modified

     

  3. It’s only necessary to complete two fields on this form; The Username field should contain agent, and the Email field should contain agent@gv.com:

    Image Modified

     

  4. Click the Save button at the bottom of the screen

(Required for Synergy) Setting up a default Agent user authentication

...

Please follow these steps to configure the LDAP User Federation:

  1. Click on the User Federation menu item on the left-side menu to access the User Federation configuration screen

    Image Modified

  2. Click on the Add provider… dropdown and select the item labelled ldap

    Image Modified

  3. Once ldap has been selected, it will open the Add user federation provider → Required Settings screen
    Complete the following information:

    1. Edit Mode should be READ_ONLY

    2. Vendor should be Active Directory

    3. Username LDAP attribute should be sAMAccountName

    4. Connection URL should be the accessible LDAP server address (E.g. ldap://127.0.0.1)

    5. Users DN should be the user location within the LDAP tree. This will follow a structure like DC=domain,DC=extension (E.g. DC=aws-domain,DC=com)

    6. Bind Type depends whether you want to only find users specified by Users DN (Option One Level) or whether to search the whole SubTree for Users (Option Subtree)

    7. Bind DN will be the username to use for the server access

    8. Bind Credential will be the password to use for the server access

  4. Click on the button Test connection to test the connection from the Keycloak instance to the LDAP server address.
    This should succeed quickly, and if it hangs, there is a possibility that the LDAP server is not allowing access from the Keycloak instance server address, or you will need to use the Public IP address of the LDAP server.

    Image Modified

  5. Click on the button Test authentication to test the LDAP Server authentication details.
    If this step fails or hangs, it’s likely that the credentials are not correct. If the previous step (Step 4) succeeded then this step should also succeed if the LDAP server credentials are correct.

    Image Modified

  6. Click on the Accordion option Sync Settings in order to set up automatic synchronization of users from the LDAP Active Directory to Keycloak
    Completed the following items:

    1. Click/Set Periodic Full Sync to On
      You can also select Periodic Changed Users Sync if you only wish to process the Active Directory user change deltas instead of resynchronizing everything again

    2. Change the Full Sync Period to a value (in seconds) that is appropriate for the customer (Default is 604800 seconds which equals 7 days)

      Image Modified


  7. Click the Save button at the bottom of the screen, this will change the state of the screen and more buttons will appear at the bottom of the screen.

Synchronizing the Users to Keycloak DB

In order to get the users into the Keycloak DB, we need to synchronize the users for the first time (before the automatic synchronization happens, if applicable).

This is one simple step:

  1. Click the button Synchronize all users in order to immediately fetch all of the LDAP Active Directory users and load them into the Keycloak instance DB

Info

Synchronizing all users may take some time, please be patient.

...