Access management via Keycloak
Keycloak is an open source solution for identity and access management. Keycloak also acts as an identity broker and supports user accounts from social networks. In order to use Keycloak for user logon, Keycloak must be configured on the server side and a Keycloak client must be installed.
Keycloak uses role-based access rights. In Keycloak, you define and assign roles and users. The Keycloak roles are then assigned to the ELIAS roles Info, User and Admin.
Configuring Keycloak
- In the Keycloak administration console, create a realm for your environment.
- Create your Keycloak client.
- Within your client, create roles and users. Assign a role to each user.
  Only Keycloak roles (and no Keycloak users) can be assigned in ELIAS. To make distinctions in access rights or the assigned container, define a separate Keycloak role for each combination.
- From your Keycloak client, on the Installation tab, download the Keycloak configuration file as Keycloak OIDC JSON.
- Add the Keycloak configuration file keycloak.json to your ELIAS installation directory (Example: C:\Program Files\Unicon\Scout\ELIAS).
  Alternatively, save the file in a different directory that you specify during the ELIAS installation. The Keycloak configuration file will then be copied into the installation directory as keycloak.json.
Configuring ELIAS for Keycloak after installation
- Copy the Keycloak configuration file keycloak.json manually into the ELIAS installation directory.
- In the ELIAS settings > Authentication, select the option Use Keycloak logon.
Installing certificates for HTTPS connection
Requires: To allow Keycloak logon via a secured Keycloak server, web server certificates are required.
- In the ELIAS installation directory, create a new directory named certificates.
- Copy your web server certificates (intermediate and root) into the new directory. The certificate files can be of type .pem or .crt.
- Additionally copy the certificates into your browser's certificate store.
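
The following added example (not from the original documentation or from ELIAS) checks an installation directory set up as described above: keycloak.json present with the standard Keycloak OIDC JSON keys, an https auth-server-url, and .pem or .crt files in the certificates directory. The function names, the sample realm, client and host, and the private-key check are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlparse

REQUIRED_KEYS = ("realm", "auth-server-url", "resource")  # keys of a Keycloak OIDC JSON export


def check_keycloak_setup(install_dir):
    """Return a list of findings for keycloak.json and the certificates directory."""
    root = Path(install_dir)
    config_path = root / "keycloak.json"
    if not config_path.is_file():
        return ["keycloak.json is missing from the installation directory"]
    try:
        config = json.loads(config_path.read_text(encoding="utf-8"))
    except ValueError as exc:
        return [f"keycloak.json is not valid JSON: {exc}"]
    if not isinstance(config, dict):
        return ["keycloak.json does not contain a JSON object"]
    findings = [f"keycloak.json lacks '{key}'" for key in REQUIRED_KEYS if not config.get(key)]
    scheme = urlparse(str(config.get("auth-server-url") or "")).scheme.lower()
    if config.get("auth-server-url") and scheme != "https":
        findings.append("auth-server-url does not use https")
    if config.get("ssl-required") == "none":
        findings.append("ssl-required is 'none'")
    cert_dir = root / "certificates"
    certs = sorted(p for p in cert_dir.glob("*") if p.is_file()
                   and p.suffix.lower() in (".pem", ".crt")) if cert_dir.is_dir() else []
    if scheme == "https" and not certs:
        findings.append("no .pem or .crt files in the certificates directory")
    # Hardening assumption: only public certificates belong here, never key material.
    findings += [f"{c.name} contains a private key" for c in certs if b"PRIVATE KEY" in c.read_bytes()]
    return findings


def demo():
    """Check a constructed installation directory before and after correcting it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = {"realm": "example-realm", "resource": "example-client",  # constructed values
                  "auth-server-url": "http://keycloak.example.test/auth", "ssl-required": "none"}
        (root / "keycloak.json").write_text(json.dumps(sample), encoding="utf-8")
        weak = check_keycloak_setup(root)
        sample.update({"auth-server-url": "https://keycloak.example.test/auth", "ssl-required": "external"})
        (root / "keycloak.json").write_text(json.dumps(sample), encoding="utf-8")
        (root / "certificates").mkdir()
        (root / "certificates" / "root.pem").write_text(
            "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n", encoding="utf-8")
        fixed = check_keycloak_setup(root)
    return weak, fixed
```

Call check_keycloak_setup with the path of your own ELIAS installation directory; an empty list means none of the checks raised a finding.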