Summary: this page explains how to login to Keycloak and configure your authentication method and user roles.
Introduction
Before you start using Console, you will need to configure your authentication method and assign roles to users. To do so, connect to Keycloak which manages authentication:
http://localhost:8086 or http://<ip_address>:8086 or http://<host_name>:8086
Click the Administration Console option:
The default login credentials are admin/admin:
These credentials are specific to Keycloak, not Console. If required, you can change the default password after installation at the following URL:
http://localhost:8086/auth/realms/master/account/#/security/signingin
When logged in, you have a choice depending on how you want to authenticate:
Local authentication managed by Keycloak
Local authentication (users defined directly in Keycloak) is enabled by default. CAST provides a predefined local user called "admin" with the password "admin" and the "admin" and "dashboard_admin" roles. This user has access to everything (all applications, Admin Center, Dashboards etc.). You can use this user without any further changes; however, CAST highly recommends changing the password for this user. To do so:
Click Users > View all users:
Click Edit next to the predefined admin user:
Click the Credentials tab and set a password for this predefined admin user:
If you do not need to configure any other users, this is all you need to do and you can login with this user as explained in Initial login to AIP Console - v. 2.x.
Add an additional local user
If you need to add any additional local users, click Users > Add user:
Fill in the required fields - in the example below, a new user called "new_user" has been added:
Now click the Credentials tab and set a password for your new user:
Now click the Role Mappings tab where you can assign roles to the user:
- either the admin or application_owner role to access Console (admin grants full rights to everything, application_owner grants only rights to access the user's own applications and not the Admin Center).
- any one of the Dashboard roles as discussed here:
- dashboards_admin
- dashboards_exclusion_manager
- dashboards_quality_automation_manager
- dashboards_quality_manager
Note that users assigned the application_owner role will not be able to view applications created by other users. To allow them to do so, you will need to assign them the resource level resource owner role in Console itself, see Administration Center - Security - User Roles.
That's it, the configuration is complete for local authentication.
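The user-creation and role-mapping steps above, scripted against Keycloak's Admin REST API, as an added example that is not part of the original page or of CAST's tooling. It assumes Keycloak is reached at the localhost:8086 address given above and that Console's users live in the master realm (REALM; adjust to yours); before provisioning it enforces the role rules stated on this page (one of admin / application_owner, plus at least one dashboards_* role), which are the same rules the LDAP and SAML sections below apply when granting roles to federated users.

```python
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:8086"  # Keycloak address given on this page
REALM = "master"                # assumption: realm that holds Console's users; adjust to yours
CONSOLE_ROLES = {"admin", "application_owner"}
DASHBOARD_ROLES = {"dashboards_admin", "dashboards_exclusion_manager",
                   "dashboards_quality_automation_manager", "dashboards_quality_manager"}

def validate_roles(roles):
    """Page rules: exactly one Console role, at least one dashboards_* role, nothing else."""
    roles, problems = set(roles), []
    if len(roles & CONSOLE_ROLES) != 1:
        problems.append("choose exactly one of admin / application_owner")
    if not roles & DASHBOARD_ROLES:
        problems.append("assign at least one dashboards_* role")
    if roles - CONSOLE_ROLES - DASHBOARD_ROLES:
        problems.append("unknown roles: " + ", ".join(sorted(roles - CONSOLE_ROLES - DASHBOARD_ROLES)))
    return problems  # an empty list means the mapping is acceptable

def admin_token(user, password):
    """Password grant on the master realm using Keycloak's built-in admin-cli client."""
    form = {"client_id": "admin-cli", "grant_type": "password", "username": user, "password": password}
    with urllib.request.urlopen(BASE + "/auth/realms/master/protocol/openid-connect/token",
                                urllib.parse.urlencode(form).encode()) as r:
        return json.load(r)["access_token"]

def api(method, path, token, body=None):
    """One authenticated Admin REST call; returns (Location header or None, parsed JSON or None)."""
    req = urllib.request.Request(BASE + "/auth/admin/realms/" + REALM + path, method=method,
                                 data=None if body is None else json.dumps(body).encode(),
                                 headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return r.headers.get("Location"), (json.loads(raw) if (raw := r.read()) else None)

def provision_user(token, username, password, roles):
    """Create an enabled local user with a non-temporary password, then map the realm roles."""
    if problems := validate_roles(roles):
        raise ValueError("; ".join(problems))
    location, _ = api("POST", "/users", token, {"username": username, "enabled": True,
                      "credentials": [{"type": "password", "value": password, "temporary": False}]})
    user_id = location.rstrip("/").rsplit("/", 1)[-1]  # the 201 Location header ends with the new user id
    reps = [api("GET", "/roles/" + name, token)[1] for name in roles]  # realm role representations, by name
    api("POST", "/users/" + user_id + "/role-mappings/realm", token, reps)
    return user_id

if __name__ == "__main__":
    tok = admin_token("admin", "admin")  # default credentials from this page; change them post-install
    print(provision_user(tok, "new_user", "REPLACE-WITH-A-REAL-PASSWORD", ["application_owner", "dashboards_quality_manager"]))
```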
LDAP authentication
To authenticate in Console with your on-premises LDAP identity provider, click the User Federation option on the left, then choose the provider (LDAP) in the dropdown:
Fill in the fields as instructed (https://www.keycloak.org/docs/latest/server_admin/#_ldap):
Use the Test connection button to test the configuration, and if successful, click Save. When Save has been clicked, additional buttons will appear: click Synchronize all users to import all the users to the Keycloak database:
To synchronize groups, an LDAP mapper for the LDAP provider is required. Once it has been created, click Sync LDAP Groups to Keycloak and the groups will be imported:
That's it, the configuration is complete for LDAP and you can now log in with an LDAP user as explained in Initial login to AIP Console - v. 2.x.
By default, users and groups imported from LDAP have no roles assigned, so at least one LDAP user (or group) must first be granted the ADMIN and dashboards_admin roles via the Keycloak role mappings section. These grant the global Console admin role and the global dashboards role (access to all applications):
Any additional users/groups that need to log in to Console or access CAST Dashboards will also need to be granted appropriate access roles:
- either the admin or application_owner role to access Console (admin grants full rights to everything, application_owner grants only rights to access applications and not the Admin Center).
- any one of the Dashboard roles as discussed here:
- dashboards_admin
- dashboards_exclusion_manager
- dashboards_quality_automation_manager
- dashboards_quality_manager
Note that users assigned the application_owner role will not be able to view existing applications created by other users. To allow them to do so, you will need to assign them the resource level resource owner role in Console itself, see Administration Center - Security - User Roles.
SAML authentication
See https://www.keycloak.org/docs/latest/server_admin/#_saml for more information.
To authenticate in Console with your on-premises SAML identity provider, click the Identity Providers option on the left, then choose SAML 2.0 in the dropdown:
Enter the URL of the IDP metadata or import the metadata.xml file manually:
Keycloak will then automatically retrieve the information from the metadata and display it in the UI:
Ensure the Backchannel Logout option is enabled if you require backend logout.
When fully configured, the login page for Keycloak will show an additional login button (highlighted below) with the alias defined when adding SAML as an identity provider:
When the "login with saml" button is clicked, you will be redirected to the SAML login page; after a successful login, the user will be redirected directly to the Console home page.
By default, users and groups from SAML have no roles assigned, so at least one SAML user (or group) must first be granted the ADMIN and dashboards_admin roles via the Keycloak role mappings section. These grant the global Console admin role and the global dashboards role (access to all applications):
Any additional users/groups that need to log in to Console or access CAST Dashboards will also need to be granted appropriate access roles:
- either the admin or application_owner role to access Console (admin grants full rights to everything, application_owner grants only rights to access applications and not the Admin Center).
- any one of the Dashboard roles as discussed here:
- dashboards_admin
- dashboards_exclusion_manager
- dashboards_quality_automation_manager
- dashboards_quality_manager
Note that users assigned the application_owner role will not be able to view existing applications created by other users. To allow them to do so, you will need to assign them the resource level resource owner role in Console itself, see Administration Center - Security - User Roles.