How to set up the Keycloak Service using the censhare Admin Client.

Purpose

Keycloak Service is a part of the censhare Server to allow the exchange of user data (login data and attributes) between the server and Keycloak.

Prerequisites

Before you can set up the Keycloak Service, you must install and configure the following:

Configuration

The service configuration contains two setups. The Authentication server setup configures access for the Web Client; the Authentication credentials for the native client setup configures access for the censhare Client, censhare Admin Client, censhare Service Client, and censhare Render Client. An example of this client configuration can be downloaded from here.

Configure the service in the censhare Admin Client

  1. Log in to the Admin Client.
  2. Go to Configuration/Services/Keycloak admin client service.
  3. Configure the service fields in the censhare Admin Client:
    • Base URL: Enter the complete hostname of the Keycloak server. Make sure to add the certificate for this host to the censhare Server truststore. Keycloak must be accessible from the censhare Server through this URL. If the censhare Server is installed inside of Kubernetes, you can use the service name instead. For the native client setup, the base URL must contain the Keycloak URL that is reachable from every network location where a native Client may run (i.e. the customer corporate network).
    • Realm name: Default is censhare. If you are not sure, check the realm name in the Keycloak admin console.
    • Admin access user name: The name of the system user that retrieves the data from Keycloak.
    • Admin access user password: The password of the system user.
    • Keycloak OAuth client id: The client ID from the Keycloak client. Note that you need two separate clients, one for the Web Client access and one for the native client access.
    • Keycloak OAuth client secret: The secret of the respective client. The secret is generated automatically and can be found in the client settings in the Credentials tab.

Configure the Keycloak clients

  1. Log in to the Keycloak Admin Console.
  2. Select the censhare realm, go to Clients and select the desired client. The default names are censhare5 for the Web Client and desktop-app for the native desktop clients. Note: These are the default names; if they are unchanged, this step can be skipped.
  3. In the Settings tab, set Direct Access Grants Enabled to On. This setting allows the Keycloak service to retrieve data from Keycloak, for example a list of users.
  4. Go to Users and click View all users.
  5. If the Keycloak system user that you configured in the Keycloak service in the censhare Admin Client does not exist, create it:
    • Set a password in the Credentials tab.
    • Switch Temporary to Off.
    • Click Save.
    • Go to the Role Mappings tab of the user.
    • In the Client Roles drop-down, select realm-management.
    • In the Available Roles field, select all the roles and click Add selected.
  6. Verify the login either from a censhare Client or from censhare Web: On login, you are forwarded to the Keycloak login page.
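The following Python script is an added example, not censhare or Keycloak code, that checks the setup described in the two procedures above before the service goes live: it validates the Admin Client fields (https base URL, realm, two separate clients with secrets) and then performs the same two calls the Keycloak service relies on, a resource owner password grant as the system user (which is why Direct Access Grants Enabled must be On) followed by a user listing through the Admin REST API (which is why the user needs the realm-management client roles). The `KeycloakServiceConfig` field names, the `fake_keycloak` stand-in server and its response bodies are constructed for this example; the endpoint paths are the standard Keycloak OpenID Connect and Admin REST paths, and it is an assumption that your Keycloak version does not need an additional `/auth` prefix on the base URL.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlencode, urlparse


@dataclass
class KeycloakServiceConfig:
    """Mirrors the fields of the Keycloak admin client service dialog (names constructed)."""
    base_url: str
    realm: str
    admin_user: str
    admin_password: str
    web_client_id: str        # Keycloak client used by the Web Client (default censhare5)
    web_client_secret: str
    native_client_id: str     # Keycloak client used by native clients (default desktop-app)
    native_client_secret: str


def validate_config(cfg: KeycloakServiceConfig) -> List[str]:
    """Return a list of problems; an empty list means the fields are consistent."""
    problems: List[str] = []
    url = urlparse(cfg.base_url)
    if url.scheme != "https":
        problems.append("base URL must use https (its host certificate belongs in the censhare Server truststore)")
    if not url.netloc:
        problems.append("base URL must contain a hostname")
    if not cfg.realm:
        problems.append("realm name is empty (default is 'censhare')")
    if not cfg.admin_user or not cfg.admin_password:
        problems.append("admin access user name and password are required")
    if cfg.web_client_id == cfg.native_client_id:
        problems.append("Web Client and native client access need two separate Keycloak clients")
    for name, secret in (("web", cfg.web_client_secret), ("native", cfg.native_client_secret)):
        if not secret:
            problems.append(f"{name} client secret is empty (copy it from the client's Credentials tab)")
    return problems


def token_endpoint(base_url: str, realm: str) -> str:
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def users_endpoint(base_url: str, realm: str) -> str:
    return f"{base_url.rstrip('/')}/admin/realms/{realm}/users"


def password_grant_body(cfg: KeycloakServiceConfig, client_id: str, client_secret: str) -> str:
    """Form body of the password grant; Keycloak rejects it unless Direct Access Grants is On."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret,
                      "username": cfg.admin_user, "password": cfg.admin_password})


Response = Tuple[int, str]


def check_service_access(cfg: KeycloakServiceConfig, client_id: str, client_secret: str,
                         post: Callable[[str, str], Response],
                         get: Callable[[str, Dict[str, str]], Response]) -> Dict[str, object]:
    """Obtain a token as the system user, then list realm users with it.

    `post(url, body)` and `get(url, headers)` return (status, text); inject a real
    HTTP client in production or `fake_keycloak` for an offline run.
    """
    status, text = post(token_endpoint(cfg.base_url, cfg.realm),
                        password_grant_body(cfg, client_id, client_secret))
    if status != 200:
        err = json.loads(text) if text else {}
        # A 400 with error "unauthorized_client" is the symptom of Direct Access Grants being Off.
        return {"ok": False, "stage": "token", "error": err.get("error", f"HTTP {status}")}
    token = json.loads(text)["access_token"]
    status, text = get(users_endpoint(cfg.base_url, cfg.realm),
                       {"Authorization": f"Bearer {token}"})
    if status != 200:
        # A 403 here usually means the realm-management client roles were not mapped to the user.
        return {"ok": False, "stage": "users", "error": f"HTTP {status}"}
    return {"ok": True, "stage": "users", "user_count": len(json.loads(text))}


def fake_keycloak(direct_grants_enabled: bool):
    """Constructed stand-in for a Keycloak server so the check can run offline."""
    def post(url: str, body: str) -> Response:
        if not url.endswith("/protocol/openid-connect/token"):
            return 404, ""
        if not direct_grants_enabled:
            return 400, json.dumps({"error": "unauthorized_client",
                                    "error_description": "Client not allowed for direct access grants"})
        return 200, json.dumps({"access_token": "constructed-token", "token_type": "Bearer"})

    def get(url: str, headers: Dict[str, str]) -> Response:
        if headers.get("Authorization") != "Bearer constructed-token":
            return 401, ""
        return 200, json.dumps([{"username": "keycloak-system"}, {"username": "editor"}])

    return post, get


if __name__ == "__main__":
    cfg = KeycloakServiceConfig("https://keycloak.example.internal", "censhare",
                                "keycloak-system", "constructed-password",
                                "censhare5", "web-secret", "desktop-app", "native-secret")
    print("config problems:", validate_config(cfg) or "none")
    for enabled in (True, False):
        post, get = fake_keycloak(enabled)
        print("direct grants", enabled, "->", check_service_access(cfg, cfg.web_client_id, cfg.web_client_secret, post, get))
```

Run the check once per Keycloak client (censhare5 and desktop-app), since Direct Access Grants is a per-client setting; the script reports separately whether the token stage or the user-listing stage fails, which tells you whether to look at the client settings or at the system user's role mappings.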

Last Updated: 06 April 2020