Hello Maria,
as Pierre-Yves explained, you can have a look at
https://github.com/DecisionsDev/odm-docker-kubernetes/tree/vnext-release/authentication/Keycloak#create-secrets-to-configure-odm-with-keycloak to see if it fits your need.
Just to sum up, to manage the ODM J2EE roles with Keycloak, we are using Keycloak roles and not groups.
So, as you will read, the best way to do is to follow
https://github.com/DecisionsDev/odm-docker-kubernetes/tree/vnext-release/authentication/Keycloak#manage-roles-groups-and-users :
- create a one-to-one association between ODM J2EE roles (rtsAdministrators, rtsConfigManagers, rtsInstallers, rtsUsers, resAdministrators, resMonitors, resDeployers, resExecutors) and Keycloak realm roles
- assign the wanted realm roles (at least rtsAdministrators) to your groupA
- check that the groups information is correctly imported in the access token by adding the groups "predefined mapper" to the roles "client scope" (https://github.com/DecisionsDev/odm-docker-kubernetes/tree/vnext-release/authentication/Keycloak#set-up-the-client)
We provide some scripts that let you check that the needed information is inside the token.
And we provide a webSecurity.xml template that uses all these Keycloak roles:
https://github.com/DecisionsDev/odm-docker-kubernetes/blob/vnext-release/authentication/Keycloak/templates/webSecurity.xml
<!-- group mapping to authorize Keycloak users that have the relevant roles -->
<variable name="odm.rtsAdministrators.group1" value="group:KEYCLOAK_SERVER_URL/rtsAdministrators"/>
<variable name="odm.rtsInstallers.group1" value="group:KEYCLOAK_SERVER_URL/rtsInstallers"/>
<variable name="odm.rtsConfigManagers.group1" value="group:KEYCLOAK_SERVER_URL/rtsConfigManagers"/>
<variable name="odm.resAdministrators.group1" value="group:KEYCLOAK_SERVER_URL/resAdministrators"/>
<variable name="odm.resDeployers.group1" value="group:KEYCLOAK_SERVER_URL/resDeployers"/>
<variable name="odm.resMonitors.group1" value="group:KEYCLOAK_SERVER_URL/resMonitors"/>
<variable name="odm.resExecutors.group1" value="group:KEYCLOAK_SERVER_URL/resExecutors"/>
By doing it this way, you don't have to modify the webSecurity.xml anymore during the application's life if a new Keycloak group is created or removed.
Just editing groups and their role assignments in the Keycloak admin console is automatically taken into account by ODM.
As this page is quite new, don't hesitate to provide your feedback.
When finished, you will be able to retrieve it on the master branch below
https://github.com/DecisionsDev/odm-docker-kubernetes/tree/master/authentication
Hope this helps
------------------------------
Mathias Mouly
------------------------------
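Added example, not one of the scripts from the odm-docker-kubernetes repository: a small Python checker that verifies a Keycloak-style access token and reports whether the ODM role names appear in the claim the webSecurity.xml template maps (group:KEYCLOAK_SERVER_URL/<role>). It assumes the "groups" predefined mapper copies the realm roles into a `groups` claim, and it signs the constructed token with HS256 and a constructed shared secret so it runs offline; a real Keycloak token is RS256-signed with the realm key, so a production check must verify against that key instead.

```python
import base64
import hashlib
import hmac
import json
import time

# All values below are constructed for this example; they are not Keycloak's real
# signing material. Keycloak signs access tokens with RS256 and the realm key; HS256
# with a shared secret is only a stand-in so the example runs offline.
EXAMPLE_SECRET = b"constructed-example-secret"
EXAMPLE_ISSUER = "https://KEYCLOAK_SERVER_URL/realms/odm"  # placeholder, like the template

# The ODM J2EE roles that the one-to-one Keycloak realm roles must mirror.
ODM_ROLES = {
    "rtsAdministrators", "rtsConfigManagers", "rtsInstallers", "rtsUsers",
    "resAdministrators", "resMonitors", "resDeployers", "resExecutors",
}


def b64url_encode(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the JWT format omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_example_token(realm_roles, secret=EXAMPLE_SECRET, now=None, lifetime=3600):
    """Build a constructed token shaped like Keycloak's output once the 'groups'
    predefined mapper is in the 'roles' client scope (assumption: that mapper copies
    the realm roles into a 'groups' claim)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": EXAMPLE_ISSUER,
        "preferred_username": "user1",
        "exp": now + lifetime,
        "realm_access": {"roles": list(realm_roles)},
        "groups": list(realm_roles),
    }
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_and_verify(token, secret=EXAMPLE_SECRET, now=None):
    """Check signature, expiry and issuer before trusting any claim; raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, fixes the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != EXAMPLE_ISSUER:
        raise ValueError("unexpected issuer")
    return claims


def check_odm_roles(claims, required=("rtsAdministrators",)):
    """Report which ODM role names the 'groups' claim carries. An ODM role missing here
    means the realm role was not assigned to the user's group, or the mapper is absent,
    and ODM will fall back to its default permissions."""
    groups = set(claims.get("groups", []))
    return {
        "groups_claim_present": "groups" in claims,
        "odm_roles_found": sorted(groups & ODM_ROLES),
        "missing_required": sorted(set(required) - groups),
        "non_odm_entries": sorted(groups - ODM_ROLES),
    }


if __name__ == "__main__":
    token = make_example_token(["rtsAdministrators", "rtsUsers"])
    print(json.dumps(check_odm_roles(decode_and_verify(token)), indent=2))
```

Running it with a token whose group only carries rtsUsers reproduces the symptom in the original question (default permissions only): `missing_required` lists rtsAdministrators. When `groups_claim_present` is false, the realm roles never reached the token, which points at the mapper step rather than at webSecurity.xml.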
Original Message:
Sent: Tue November 15, 2022 02:16 PM
From: Maria del Rosario Alvarez Martinez
Subject: Secure access to ODM through Keycloak's IAM solution
Hi all,
I need to secure access to ODM through Keycloak's IAM solution. The use case is very simple. In Keycloak, I have created the ODM Realm and an OpenID Connect Client. In this Realm, I have created the group groupA, and inside the group, I have added the user user1. There is no IAM federation in LDAP. In the ODM Realm there is only one user, user1, who belongs to groupA.
When I access the Decision Center console URL, it redirects me to the Keycloak login screen. I log in with user1 and I access the Decision Center console with rtsUser permissions (default permissions).
Does anyone know how I have to configure the webSecurity.xml file to map the ODM authentication group rtsAdministrators to groupA? I have followed the steps in the documentation, but it is very confusing and I can't get it.
Thanks and best regards.
------------------------------
Charo Álvarez Martínez
Automation Architect
DECIDE
Madrid
------------------------------