Keycloak can be configured with the censhare standard login. Keycloak verifies the user credentials and authenticates the users. Users can log into censhare Web, the censhare Client, and censhare Admin Client.


Introduction

censhare requires external authentication via Keycloak. The censhare standard authentication refers to the authentication that uses user data from the censhare master data. Technically, this is configured in censhare as external authentication, because Keycloak serves as a gatekeeper and verifies the username/password externally, before passing the user to the censhare server, where the required and optional user attributes are taken from the Master data/Users table.

To use the external authentication via Keycloak with censhare, a dedicated authentication server is required. The user authentication is handled via this dedicated authentication server. Keycloak is used to log in to censhare Web, the censhare Client, and the censhare Admin Client. In this use case, Keycloak does not serve as an identity broker between censhare Server and an identity provider, but as a gatekeeper to the censhare Server.

On the Keycloak server, the censhare realm contains the clients and respective configurations that handle the user authentication to censhare Web and the censhare Clients. In this setup, Keycloak only verifies the user identity (username and password) and passes the user to the censhare Server. The user profile (default domain and default role, groups, additional domains and roles) is managed as before in the master data. No external user attributes are handled.

If you already use a Keycloak server in your organizational network, you can add the censhare realm to this service, and do not have to set up a new Keycloak instance. Otherwise, you must install and set up Keycloak first, before you proceed with this configuration.

Authentication schema via Keycloak with censhare standard login

Using SAML, LDAP, etc. authentication with Keycloak

It is still possible to use SAML and LDAP login with Keycloak in censhare WP. Starting from version 2021.2.x, you need to use the Authorization mapper for this.

Keycloak can also be used with other identity providers. However, the exact setup needs to be discussed with your project manager.

Using multi-factor authentication (MFA) with Keycloak

MFA needs to be set up in Keycloak. This configuration is not censhare-specific. For this reason, refer to the documentation provided by Keycloak itself or to other resources.