Summary: this page explains how to log in to Keycloak and configure your authentication method and user roles.

Introduction

Before you start using AIP Console, you will need to configure your authentication method and assign roles to users. To do so, connect to Keycloak which manages authentication:

http://localhost:8086
or
http://<ip_address>:8086
or
http://<host_name>:8086

Click the Administration Console option:

The default login credentials specified in the docker-compose.yml file are admin/admin - use these unless you have modified them as described in AIP Console - front-end installation:

These credentials are specific to Keycloak and not AIP Console. You can change the default password if required, post installation, using the following URL:

http://localhost:8086/auth/realms/master/account/#/security/signingin

When logged in, you now have a choice depending on how you want to authenticate:

Local authentication managed by Keycloak

Local authentication (users defined directly in Keycloak) is enabled by default. CAST provides a predefined local user called "admin" with the password "admin" and the "admin" and "dashboard_admin" roles. This user has access to everything (all applications, Admin Center, Dashboards etc.). You can use this user without any further changes, however, CAST highly recommends changing the password for this user. To do so:

Click Users > View all users:

Click Edit next to the predefined admin user:

Click the Credentials tab and set a password for this predefined admin user:

If you do not need to configure any other users, this is all you need to do and you can log in with this user as explained in Initial login to AIP Console - v. 2.x.

Add an additional local user

If you need to add any additional local users, click Users > Add user:

Fill in the required fields - in the example below, a new user called "new_user" has been added:

Now click the Credentials tab and set a password for your new user:

Now click the Role Mappings tab, where you can assign roles to the user:

  • either the admin or application_owner role to access AIP Console (admin grants full rights to everything, application_owner grants only rights to access applications and not the Admin Center).
  • any one of the Dashboard roles as discussed here:
    • dashboards_admin
    • dashboards_exclusion_manager
    • dashboards_quality_automation_manager
    • dashboards_quality_manager

That's it, the configuration is complete for local authentication.

LDAP authentication

To authenticate in AIP Console with your on-premises LDAP identity provider, click the User Federation option on the left, then choose the provider in the dropdown (LDAP):

Fill in the fields as instructed (https://www.keycloak.org/docs/latest/server_admin/#_ldap):

Use the Test connection button to test the configuration, and if successful, click Save. When Save has been clicked, additional buttons will appear: click Synchronize all users to import all the users to the Keycloak database:

To synchronize groups, an LDAP mapper for the LDAP provider is required. When it has been created, click Sync LDAP Groups to Keycloak and the groups will be imported:

That's it, the configuration is complete for LDAP and you can now log in with this user as explained in Initial login to AIP Console - v. 2.x.

By default, users/groups from LDAP will not have any roles assigned to them, so in the first instance at least one LDAP user (or group) will need to be granted the ADMIN and dashboards_admin roles via the Keycloak role mappings section. This grants the global AIP Console admin role and the global dashboards role (access all applications):

Any additional users/groups that need to log in to AIP Console or access CAST Dashboards will also need to be granted appropriate access roles:

  • either the admin or application_owner role to access AIP Console (admin grants full rights to everything, application_owner grants only rights to access applications and not the Admin Center).
  • any one of the Dashboard roles as discussed here:
    • dashboards_admin
    • dashboards_exclusion_manager
    • dashboards_quality_automation_manager
    • dashboards_quality_manager

SAML authentication

To authenticate in AIP Console with your on-premises SAML identity provider, click the Identity Providers option on the left, then choose SAML 2.0 in the dropdown:

Enter the URL of the IDP metadata or import the metadata.xml file manually:

Keycloak will then automatically retrieve the information from metadata and display it in the UI:

Ensure the Backchannel Logout option is enabled if you require backend logout.

When fully configured, the login page for Keycloak will show an additional login button (highlighted below) with the alias defined when adding SAML as an identity provider:

When the "login with saml" button is clicked, you will be redirected to the SAML login page. After a successful login, the user will be redirected directly to the AIP Console home page.

By default, users/groups from SAML will not have any roles assigned to them, so in the first instance at least one SAML user (or group) will need to be granted the ADMIN and dashboards_admin roles via the Keycloak role mappings section. This grants the global AIP Console admin role and the global dashboards role (access all applications):

Any additional users/groups that need to log in to AIP Console or access CAST Dashboards will also need to be granted appropriate access roles:

  • either the admin or application_owner role to access AIP Console (admin grants full rights to everything, application_owner grants only rights to access applications and not the Admin Center).
  • any one of the Dashboard roles as discussed here:
    • dashboards_admin
    • dashboards_exclusion_manager
    • dashboards_quality_automation_manager
    • dashboards_quality_manager
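
The role model described in the LDAP and SAML sections can be checked mechanically once users have been imported. The following Python script is an added example, not CAST or Keycloak code: it takes a username-to-roles mapping (a constructed sample here; the input shape and the finding labels are assumptions) and reports users still in the default no-roles state, users holding both Console roles, and which users hold both admin and dashboards_admin.

```python
# Added example: audit role assignments against the role model on this page.
# Role names are taken from the page; the input shape is an assumption
# (username -> list of role names, direct or inherited from a group).

CONSOLE_ROLES = {"admin", "application_owner"}
DASHBOARD_ROLES = {
    "dashboards_admin",
    "dashboards_exclusion_manager",
    "dashboards_quality_automation_manager",
    "dashboards_quality_manager",
}


def audit_role_mappings(users):
    """Return (global_admins, findings) for a {username: [role, ...]} mapping."""
    global_admins, findings = [], []
    for name in sorted(users):
        roles = set(users[name])
        console = roles & CONSOLE_ROLES
        dashboards = roles & DASHBOARD_ROLES
        if not console and not dashboards:
            # Default state of a user imported from LDAP or SAML: no access yet.
            findings.append((name, "no-roles"))
            continue
        if console == CONSOLE_ROLES:
            # admin already grants everything application_owner does.
            findings.append((name, "redundant-console-roles"))
        if "admin" in console and "dashboards_admin" in dashboards:
            global_admins.append(name)
    if not global_admins:
        # The page requires at least one user with admin + dashboards_admin.
        findings.append(("*", "no-global-admin"))
    return global_admins, findings


# Constructed sample data, not taken from a real Keycloak instance.
SAMPLE_USERS = {
    "admin": ["admin", "dashboards_admin"],
    "new_user": ["application_owner", "dashboards_quality_manager"],
    "ldap_alice": [],  # imported from LDAP, nothing assigned yet
    "saml_bob": ["admin", "application_owner"],
}

if __name__ == "__main__":
    admins, issues = audit_role_mappings(SAMPLE_USERS)
    print("global admins:", admins)
    for user, issue in issues:
        print(f"{user}: {issue}")
```

The list of global admins is worth reviewing after every synchronization, since the admin role grants full rights to everything.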