Decision Management & Intelligence (ODM, DI)

Decision Management & Intelligence (ODM, DI)

Connect with experts and peers to elevate technical expertise, solve problems and share insights


#Data
#Data
#Businessautomation
 View Only
Back to discussions
Expand all | Collapse all

Secure access to ODM through Keycloak's IAM solution

  • 1.  Secure access to ODM through Keycloak's IAM solution

    Posted Tue November 15, 2022 02:17 PM
    Hi all,

    I need to secure access to ODM through Keycloak's IAM solution. The use case is very simple. In Keycloak, I have created the ODM Realm and an OpenID Connect Client. In this Realm, I have created the group groupA, and inside the group, I have added the user user1. There is no IAM federation in LDAP. In the ODM Realm there is only one user, user1, who belongs to groupA.
    When I access the Decision Center console URL, it redirects me to the Keycloak login screen. I login with user1 and I access to the Decision Center console with rtsUser permissions (default permissions).
    Does anyone know how I have to configure the webSecurity.xml file to map the ODM authentication group rtsAdministrators to groupA? I have followed the steps in the documentation, but it is very confusing and I can't get it.

    Thanks and best regards.

    ------------------------------
    Charo Álvarez Martínez
    Automation Architect
    DECIDE
    Madrid
    ------------------------------


  • 2.  RE: Secure access to ODM through Keycloak's IAM solution

    Posted Wed November 16, 2022 01:48 AM

    Hello Maria,

    You will find more details and templates (along with a script to update these templates with your Keycloak info) on https://github.com/DecisionsDev/odm-docker-kubernetes/tree/vnext-release/authentication/Keycloak#create-secrets-to-configure-odm-with-keycloak.

    Regards,
    Pierre-Yves



    ------------------------------
    Pierre-Yves Lochou
    ------------------------------



  • 3.  RE: Secure access to ODM through Keycloak's IAM solution
    Best Answer

    Posted Wed November 16, 2022 02:50 AM
    Edited by Maria del Rosario Alvarez Martinez Wed November 16, 2022 01:54 PM
    Hello Maria,

    as Pierre-Yves explained, you can have a look at https://github.com/DecisionsDev/odm-docker-kubernetes/tree/vnext-release/authentication/Keycloak#create-secrets-to-configure-odm-with-keycloak. to see if it fits your need.
    Just to sum up, to manage the ODM J2EE roles with Keycloak, we are using Keycloak roles and not groups.
    So, as you will read, the best way to do is to follow https://github.com/DecisionsDev/odm-docker-kubernetes/tree/vnext-release/authentication/Keycloak#manage-roles-groups-and-users :
    - create a one to one association between ODM J2EE roles (rtsAdministrators,rtsConfigManagers,rtsInstallers,rtsUsers,resAdministrators,resMonitors,resDeployers,resExecutors) and Keycloak realm roles
    - assign the wanted realm roles (at least rtsAdministrators) to your groupA
    - check the groups information is well imported in the access token by adding the groups "predefined mapper" to the roles "client scope" (https://github.com/DecisionsDev/odm-docker-kubernetes/tree/vnext-release/authentication/Keycloak#set-up-the-client)

    We provide some scripts allowing to check the needed information are inside the token.

    And, we provide a webSecurity.xml template that is using all these Keycloak roles https://github.com/DecisionsDev/odm-docker-kubernetes/blob/vnext-release/authentication/Keycloak/templates/webSecurity.xml

    <!-- group mapping to authorize Keycloak users that have the relevant roles -->
<variable name="odm.rtsAdministrators.group1" value="group:KEYCLOAK_SERVER_URL/rtsAdministrators"/>
<variable name="odm.rtsInstallers.group1" value="group:KEYCLOAK_SERVER_URL/rtsInstallers"/>
<variable name="odm.rtsConfigManagers.group1" value="group:KEYCLOAK_SERVER_URL/rtsConfigManagers"/>
<variable name="odm.resAdministrators.group1" value="group:KEYCLOAK_SERVER_URL/resAdministrators"/>
<variable name="odm.resDeployers.group1" value="group:KEYCLOAK_SERVER_URL/resDeployers"/>
<variable name="odm.resMonitors.group1" value="group:KEYCLOAK_SERVER_URL/resMonitors"/>
<variable name="odm.resExecutors.group1" value="group:KEYCLOAK_SERVER_URL/resExecutors"/>

    By doing this way, you don't have to modify the webSecurity.xml anymore during the application life if a new Keycloak group is created or removed.
    Just editing groups and their roles assignment in the Keycloak admin console is automatically taken into account by ODM.

    As this page is quite new, don 't hesitate to provide your feedback.
    When finished, you will be able to retrieve it on  the master branch below https://github.com/DecisionsDev/odm-docker-kubernetes/tree/master/authentication
    Hope this helps

    ------------------------------
    Mathias Mouly
    ------------------------------



  • 4.  RE: Secure access to ODM through Keycloak's IAM solution

    Posted Wed November 16, 2022 01:56 PM
    Hello, 

    The page is wonderful!
    I followed the steps and it worked perfectly.
    Pierre-Yves, Mathias, thank you very much.

    Best regards.

    ------------------------------
    Charo Álvarez Martínez
    Automation Architect
    DECIDE
    Madrid
    ------------------------------

    Original Message


  • 5.  RE: Secure access to ODM through Keycloak's IAM solution

    Posted Thu November 17, 2022 02:22 AM
    Edited by LAURENT GRATEAU Thu November 17, 2022 02:24 AM
    Just a few comment, the https://github.com/DecisionsDev/odm-docker-kubernetes/tree/vnext-release/authentication/Keycloak#create-secrets-to-configure-odm-with-keycloack is in draft in temporary branch. This page will be merged in december in the master branch and we will probably remove the vnext-release github branch.

    ------------------------------
    LAURENT GRATEAU
    ------------------------------

    Original Message


  • 6.  RE: Secure access to ODM through Keycloak's IAM solution

    Posted Thu November 17, 2022 03:17 AM
    Many thanks Maria for the feedback.
    If there is no sensitive data, perhaps could you provide some information about the general context as we are collecting information to check we are aligned with business needs ?
    Is it a prospect evaluation or an existing customer ?
    Can you provide the customer name (if not, the industry, e-government ? ) ?
    As it seems to be ODM on k8s. What is the platform (OCP, AKS, EKS, ...) ? 

    BR,

    ------------------------------
    Mathias Mouly
    ------------------------------

    Original Message


  • 7.  RE: Secure access to ODM through Keycloak's IAM solution

    Posted Thu November 17, 2022 12:30 PM
    Hi Mathias,

    It is an existing constumer. We want to secure access to the Decision Center console through Keycloak to all those business users who author the rules for referral of diagnostic tests to specialized medical centers.
    I can't give the name of the customer, but it belongs to the health sector.
    The platform is OCP.

    Best regards.

    ------------------------------
    Charo Álvarez Martínez
    Automation Architect
    DECIDE
    Madrid
    ------------------------------

    Original Message


  • 8.  RE: Secure access to ODM through Keycloak's IAM solution

    Posted Fri November 18, 2022 03:12 AM
    Many Thanks Maria for the reply

    ------------------------------
    Mathias Mouly
    ------------------------------

    Original Message


Related Content