The Q&A is intended as a knowledgebase for censhare partners and project managers on topics around censhare WP, external authentication, and Keycloak.
Benefits of censhare WP
Performance improvements for the censhare web client. censhare WP (webpacked) improves the performance of the web-based censhare client. The webpack technology reduces the communication and traffic between the web browser and the censhare Server.
Use of external authentication: censhare now provides an external authentication solution that can integrate existing authentication methods such as LDAP or SAML. As an external authentication solution, censhare uses Keycloak. Keycloak is an open-source identity and access management solution.
For censhare, Keycloak can be used in connection with censhare WP for the webbased client, and with the censhare Client, and the censhare Admin Client. Existing authentication methods can be used as before.
Keycloak is mandatory for the webbased client, censhare WP.
For more information, see the landing page
For more information see this article [LINK:4906536]
censhare WP naming
We refer to censhareWP as a new web-based client. Not as a new product. We use the following naming:
censhare WP (webpacked)
webpacked client
censhare WP components
Static Resource Server (SRS) - The SRS is used to deliver Webpack bundles to the web browser. Webpack bundles contain static resources such as JavaScript files.
Cloud Gateway - The Cloud Gateway is the main entry point for the web browser. It routes the requests to the Static Resource Server, the censhare Server, or Keycloak.
Webpack - Webpack is a module bundler that reduces load and traffic between the censhare Server and the clients. To create bundles, Webpack processes the application and maps all required modules of a project and their dependencies. All files are packed into one or more bundles. In production systems, it also uses minification and removes unused code. The Webpack bundles are then once served to the web browser. This reduces the server load and also improves browser performance.
censhare Server - The censhare Server is the application server to provide the requested data to the web browser. The censhare Server can be used with the new censhare WP, and with censhare Web and native censhare clients as before.
For more information, see
For more information see this article [LINK:4906546]
Keycloak integration
Authentication server (Keycloak) - Keycloak is an open-source identity and access management solution. Keycloak is used to integrate external authentication methods such as LDAP or SAML. For censhare, Keycloak can be used in connection with censhare WP for the webbased client, or for the censhare Client, and the censhare Admin Client. Existing authentication methods can be used as before.
To use Keycloak with censhare, the censhare clients must be configured on the Keycloak server. Customers' organizations already using Keycloak can use their existing Keycloak server instance.
For more information see:
For more information see this article [LINK:4906536]
.For more information, see this Set up Keycloak server for censhare
For more information, see this Developer documentation on Keycloak service (internal)
Keycloak naming
We speak of external authentication. Keycloak is an open-source solution we provide for external authentication.
We do not speak of standard authentication in this context.
Is Google Cloud AI a component of censhare WP?
Google Cloud AI service - This service is used to send requests from the censhare Server to analyze texts, images, or videos to Google Cloud AI. The service can be used with censhare Web or censhare WP. When setting up censhare WP, the Google Cloud AI service can be installed during this process as well. It is an optional component.
For more information, see
For more information see this article [LINK:4906513]
Prospects
Questions related to awareness, research, and consideration touchpoints in the customer journey.
Can I use censhare WP already with a new customer or prospect?
Answer:
As long as you, as a Business Unit or partner, are in a phase of building trust with a customer we strongly recommend that customers use the stable censhare Web instead of censhare WP as beta version.
When will the censhare WP Beta phase end?
Answer PdM:
Unfortunately, at this moment, we cannot tell for sure. We defined a six-month beta phase of active usage. Here we have a high dependency to ensure that there are enough customers actively using and testing the beta version. At the moment we have a few customers interested to be beta testers but no confirmation yet.
Deployment - Installation
For more information on the setup of censhare WP, see
For more information see this article [LINK:4907446]
Where can I find the RPM downloads for installation?
You can download the RPM packages from the following source:
https://rpm.censhare.com/censhare-release-rpm/stable/censhare/2020/1/
Run the yum install command from a terminal window.
For more information, see
For more information, see this Install censhare WP
.How do I install censhare Server for the censhare WP services?
If you do not have censare Server installed already, you install it as a separate RPM package. The package censhare Server can be downloaded from the central censhare RPM repositories.
Is a separate RPM for Keycloak provided or how should customers install Keycloak?
ANSWER:
If necessary, customers can install Keycloak separately. There is an RPM for Keycloak that could be installed from our repositories. This does not have any dependency, so customers could optionally run yum install keycloak-9.0.0 with our RPM repositories.
If Keycloak is already in place in an organization, this instance can be used for external authentication with censhare.
Does the Keycloak server need to be installed on a separate server?
ANSWER:
It is not required to have a separate server just for Keycloak. Keycloak can be installed on the same server as the censhare Server. If you have a Keycloak instance already running, or for other reasons, Keycloak can be installed on a separate server than the censhare Server.
What are the system requirements for Keycloak?
ANSWER:
The Keycloak server requires at least 1GB of RAM. An external PostgreSQL database is also required. I can be same as the database for the censhare Server.
For further details, see the
For more information, see this censhare WP install & configure
.Does Keycloak require to install dedicated censhare Clients?
ANSWER:
This depends which Client the partner has in mind here. There are these scenarios:
Keycloak and censhare Web: A separate client, censhare WP, needs to be installed to use external authentication with Keycloak.
Keycloak and censhare Admin or censhare Client: The usual censhare Client and the censhare Admin Client can be used for external authentication with Keycloak.
Can I use censhare Web and censhare WP in parallel
Answer:
censhare Web and censhare WP can be used in parallel. In this use case, some users log in to censhare Web. And some users log in to censhare WP, using Keycloak. These users will enter their credentials in the Keycloak login screen.
Configuration use cases
Is there a single integration with Keycloak that is shared by both Java client and web client?
Will the same keycloak authentication approach be followed for the Web Client, or will the Web Client continue to use the same existing SAML implementation? In other words, must there be 2 integrations (1 for local client and 1 for web client, each with attribute mapping, etc? )
ANSWER:
You can use the same Keycloak for the Java- and the web-based client. For the web-based client, censhare WP is required. In Keycloak, two clients must be configured: one for the Java-based censhare Client and the censhare Admin Client, and one for the web client, censhare WP.
For further information, see
For more information see this article [LINK:4899913]
or the internal developer documentation,For more information, see this Keycloak service
.Authentication use cases
Can I use Keycloak with other authentication methods?
ANSWER:
Yes. Keycloak can be used with other authentication methods, such as SAML or LDAP.
Can I use censhare as SSO Identity Provider with Keycloak?
For example, users should be logged into censhare and single-signed-on into an external web portal using censhare as identity broker. So users are not prompted for their credentials when logging in to the external web portal.
Answer:
In this scenario, the censhare user logging in to censhare has to authenticate through Keycloak. The same applies to the external web portal, where the user has to use the same authentication. So far, we do not have any experience in this scenario, and cannot advise on it.
There might be possible solutions with SAML or Kerberos in combination with Keycloak.
The SAML solution could look like this: Depending on the configuration, SSO could be used. It might be possible to configure Keycloak with SAML for authentication on the censhare server and the external web portal. It might be necessary to redirect the "external web portal" to the SAML site, which does not ask for user name and password, but redirects back to the "external web portal" with the already authenticated user. SAML can be used with Microsoft AD FS, Octa or Google G Suite, for example.
For a solution using Kerberos with Keycloak, we currently don't have experience and cannot advise on it.
Can I use Keycloak with censhare Web?
You can use the censhare webbased client with Keycloak. However, that requires that you install the webpacked client variant, censhare WP, instead of censhare Web.
Operation
How to collect log information?
Log files for all related services can be found at this location:
/var/log/censer
Sizing: how many users can work with one censhare WP before I should install a second one?
Currently, we do not have any experience with this. We will update this answer as soon as we have relevant test results.
Known issues & workarounds
Known issue: censhare users cannot be updated if they are logged in via Keycloak
Cause: The Sync party mapping was only used when creating a user, but not when updating a user.
Fix: On censhare Server, the Sync party mapping is now used for every login. censhare users can be created and updated when logged in via Keycloak to the censhare Client and censhare webbased Client.
The fix will be released with censhare 2020.1.3.
Workaround: censhare Admin Client does not save my edits on the Keycloak service configuration
Workaround:
Type some text into the Comment field of the configuration dialog. Click OK. Make your edits. Click OK again.
Your edits are now saved. You can update the server configuration.
Contacts
If you, as a partner or BU manager have customers who want to be part of the Beta program, please contact:
censhare Product Management
Or create a support ticket.