The Q&A is intended as a knowledgebase for censhare partners and project managers on topics around censhare WP, external authentication, and Keycloak.
Performance improvements for the censhare web client. censhare WP (webpacked) improves the performance of the web-based censhare client. The webpack technology reduces the communication and traffic between the web browser and the censhare Server.
Use of external authentication: censhare now provides an external authentication solution that can integrate existing authentication methods such as LDAP or SAML. As an external authentication solution, censhare uses Keycloak. Keycloak is an open-source identity and access management solution.
For censhare, Keycloak can be used in connection with censhare WP for the web-based client, and with the censhare Client and the censhare Admin Client. Existing authentication methods can be used as before.
Keycloak is mandatory for the web-based client, censhare WP.
We refer to censhare WP as a new web-based client, not as a new product. We use the following naming:
censhare WP (webpacked)
webpacked client
Static Resource Server (SRS) - The SRS is used to deliver Webpack bundles to the web browser. Webpack bundles contain static resources such as JavaScript files.
Cloud Gateway - The Cloud Gateway is the main entry point for the web browser. It routes the requests to the Static Resource Server, the censhare Server, or Keycloak.
Webpack - Webpack is a module bundler that reduces load and traffic between the censhare Server and the clients. To create bundles, Webpack processes the application and maps all required modules of a project and their dependencies. All files are packed into one or more bundles. In production systems, it also uses minification and removes unused code. The Webpack bundles are then served once to the web browser. This reduces the server load and also improves browser performance.
censhare Server - The censhare Server is the application server to provide the requested data to the web browser. The censhare Server can be used with the new censhare WP, and with censhare Web and native censhare clients as before.
Authentication server (Keycloak) - Keycloak is an open-source identity and access management solution. Keycloak is used to integrate external authentication methods such as LDAP or SAML. For censhare, Keycloak can be used in connection with censhare WP for the web-based client, or for the censhare Client and the censhare Admin Client. Existing authentication methods can be used as before.
To use Keycloak with censhare, the censhare clients must be configured on the Keycloak server. Customers' organizations already using Keycloak can use their existing Keycloak server instance.
We speak of external authentication. Keycloak is an open-source solution we provide for external authentication.
We do not speak of standard authentication in this context.
Google Cloud AI service - This service is used to send requests from the censhare Server to analyze texts, images, or videos to Google Cloud AI. The service can be used with censhare Web or censhare WP. When setting up censhare WP, the Google Cloud AI service can be installed during this process as well. It is an optional component.
Questions related to awareness, research, and consideration touchpoints in the customer journey.
Answer:
As long as you, as a Business Unit or partner, are in a phase of building trust with a customer, we strongly recommend that customers use the stable censhare Web instead of censhare WP, which is a beta version.
Answer PdM:
Unfortunately, at this moment, we cannot tell for sure. We defined a six-month beta phase of active usage. Here we have a high dependency to ensure that there are enough customers actively using and testing the beta version. At the moment we have a few customers interested in being beta testers but no confirmation yet.
You can download the RPM packages from the following source:
https://rpm.censhare.com/censhare-release-rpm/stable/censhare/2020/1/
Run the yum install command from a terminal window.
If you do not have censhare Server installed already, you install it as a separate RPM package. The censhare Server package can be downloaded from the central censhare RPM repositories.
ANSWER:
If necessary, customers can install Keycloak separately. There is an RPM for Keycloak that could be installed from our repositories. This does not have any dependency, so customers could optionally run yum install keycloak-9.0.0 with our RPM repositories.
If Keycloak is already in place in an organization, this instance can be used for external authentication with censhare.
ANSWER:
It is not required to have a separate server just for Keycloak. Keycloak can be installed on the same server as the censhare Server. If you have a Keycloak instance already running, or for other reasons, Keycloak can be installed on a different server from the censhare Server.
ANSWER:
The Keycloak server requires at least 1GB of RAM. An external PostgreSQL database is also required. It can be the same as the database for the censhare Server.
ANSWER:
This depends on which Client the partner has in mind here. There are these scenarios:
Keycloak and censhare Web: A separate client, censhare WP, needs to be installed to use external authentication with Keycloak.
Keycloak and censhare Admin or censhare Client: The usual censhare Client and the censhare Admin Client can be used for external authentication with Keycloak.
Answer:
censhare Web and censhare WP can be used in parallel. In this case, some users log in to censhare Web. And some users log in to censhare WP, using Keycloak. These users enter their credentials on the Keycloak login screen.
Will the same Keycloak authentication approach be followed for the Web Client, or will the Web Client continue to use the same existing SAML implementation? In other words, must there be 2 integrations (1 for the local client and 1 for the web client, each with attribute mapping, etc.)?
ANSWER:
You can use the same Keycloak for the Java- and the web-based client. For the web-based client, censhare WP is required. In Keycloak, two clients must be configured: one for the Java-based censhare Client and the censhare Admin Client, and one for the web client, censhare WP.
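A check for the two-client setup described above, added here as an example and not censhare's or Keycloak's own tooling: it reads a realm export and reports a missing client, an enabled implicit flow, or a redirect URI whose wildcard covers the host. The realm name, client IDs and URLs are hypothetical; the keys are fields of Keycloak's client representation.

```python
import json

# Constructed sample: a trimmed Keycloak realm export. Realm name, client IDs
# and URLs are hypothetical; the keys are Keycloak client representation fields.
SAMPLE_REALM = json.loads("""
{"realm": "example",
 "clients": [
  {"clientId": "censhare-wp", "enabled": true, "implicitFlowEnabled": false,
   "redirectUris": ["https://censhare.example.com/*"]},
  {"clientId": "censhare-client", "enabled": true, "implicitFlowEnabled": true,
   "redirectUris": ["*"]}
 ]}
""")

EXPECTED_CLIENTS = ("censhare-wp", "censhare-client")  # hypothetical client IDs


def wildcard_host(uri):
    """True when a wildcard covers the scheme or host rather than only the path."""
    authority = uri.split("://", 1)[-1].split("/", 1)[0]
    return "*" in authority


def audit_realm(realm, expected=EXPECTED_CLIENTS):
    """Return (client_id, finding) tuples for the clients the setup expects."""
    clients = {c.get("clientId"): c for c in realm.get("clients", [])}
    findings = []
    for cid in expected:
        client = clients.get(cid)
        if client is None:
            findings.append((cid, "client missing from realm"))
            continue
        if not client.get("enabled", True):
            findings.append((cid, "client disabled"))
        if client.get("implicitFlowEnabled", False):
            findings.append((cid, "implicit flow enabled"))
        for uri in client.get("redirectUris", []):
            if wildcard_host(uri):
                findings.append((cid, "wildcard redirect host: " + uri))
    return findings


if __name__ == "__main__":
    for cid, finding in audit_realm(SAMPLE_REALM):
        print(cid + ": " + finding)
```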
ANSWER:
Yes. Keycloak can be used with other authentication methods, such as SAML or LDAP.
For example, users should be logged in to censhare and single-signed-on into an external web portal using censhare as an identity broker. So users are not prompted for their credentials when logging in to the external web portal.
Answer:
In this scenario, the censhare user logging in to censhare has to authenticate through Keycloak. The same applies to the external web portal, where the user has to use the same authentication. So far, we do not have any experience in this scenario, and cannot advise on it.
There might be possible solutions with SAML or Kerberos in combination with Keycloak.
The SAML solution could look like this: Depending on the configuration, SSO could be used. It might be possible to configure Keycloak with SAML for authentication on the censhare server and the external web portal. It might be necessary to redirect the "external web portal" to the SAML site, which does not ask for user name and password, but redirects back to the "external web portal" with the already authenticated user. SAML can be used with Microsoft AD FS, Okta, or Google G Suite, for example.
For a solution using Kerberos with Keycloak, we currently don't have experience and cannot advise on it.
You can use the censhare web-based client with Keycloak. However, that requires that you install the webpacked client variant, censhare WP, instead of censhare Web.
Log files for all related services can be found at this location:
/var/log/censer
Currently, we do not have any experience with this. We will update this answer as soon as we have relevant test results.
Cause: The Sync party mapping was only used when creating a user, but not when updating a user.
Fix: On censhare Server, the Sync party mapping is now used for every login. censhare users can be created and updated when logged in via Keycloak to the censhare Client and censhare web-based Client.
The fix will be released with censhare 2020.1.3.
Workaround:
Type some text into the Comment field of the configuration dialog. Click OK. Make your edits. Click OK again.
Your edits are now saved. You can update the server configuration.
If you, as a partner or BU manager, have customers who want to be part of the Beta program, please contact:
censhare Product Management
Or create a support ticket.