Overview

YOUnite supports two authentication mechanisms: SAML and OpenID Connect. This guide shows how to configure Keycloak as an OpenID Connect provider for Open MDM (YOUnite). It does not cover installing Keycloak itself, only configuring it to work with YOUnite.

Here's a rough diagram of the flow: the UI's SSO link sends the browser to /api/openid/login, the user authenticates at Keycloak, Keycloak redirects the browser back to /api/openid/code with an authorization code, and YOUnite validates that code before sending the user on to the dashboard.

Configure the Realm

You can use an existing realm or create a new realm in Keycloak. For this example we created a realm called "openmdm".

Configure the Client

Under "Clients", click "Create" (add client) and choose "openid-connect" as the client protocol.


On the next page, configure the client as follows. Make sure to set the following:

  1. Access Type = confidential (the client must present its secret when it exchanges the code for tokens)
  2. Standard Flow Enabled = On (this is the authorization-code flow that YOUnite uses)
  3. Disable all other flows (Implicit Flow, Direct Access Grants, and so on)
  4. Valid Redirect URIs. Keycloak will only redirect the browser back to a URI on this list, so enter each one exactly and avoid a trailing "*" wildcard. The most important entry is /api/openid/code, the API endpoint that validates the code sent by Keycloak.
    1. (younite url)
    2. (younite url)/dashboard
    3. (younite url)/api/openid/code

Click Save once you have configured these options. After saving, a "Credentials" tab appears if it was not present before. Open that tab to retrieve the client secret; you will need it when configuring YOUnite. Treat the secret like a password: it is what lets YOUnite prove its identity to Keycloak.
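The two ends of the redirect that these client settings govern, as an added example (this is illustrative Python, not YOUnite's or Keycloak's code): building the request that sends the browser to Keycloak with a fresh state and nonce, checking a redirect_uri the way an exact-match Valid Redirect URIs list (no trailing "*") behaves, and the state check that /api/openid/code must make when the browser comes back. The YOUnite base URL, the Keycloak authorization endpoint path (in practice read from the discovery document), and the session handling are assumptions.

```python
"""Authorization-code flow, relying-party side (added example, not YOUnite code)."""
import secrets
from urllib.parse import urlencode, urlsplit

# Assumed base URL, matching the host used elsewhere on this page.
YOUNITE_URL = "https://openmdm.dev.ccctechcenter.org"
# The three Valid Redirect URIs entries from the page, written out in full.
VALID_REDIRECT_URIS = (
    YOUNITE_URL,
    YOUNITE_URL + "/dashboard",
    YOUNITE_URL + "/api/openid/code",
)
# Assumed endpoint; a real client takes authorization_endpoint from the discovery document.
AUTH_ENDPOINT = "http://localhost:8080/auth/realms/openmdm/protocol/openid-connect/auth"


def redirect_uri_allowed(candidate: str, allowed=VALID_REDIRECT_URIS) -> bool:
    """Exact match against the registered list, as Keycloak does for entries without "*".

    Prefix or wildcard matching is what lets an attacker append "/../" paths or
    register a look-alike host; exact matching refuses both. Userinfo ("user@host")
    and fragments are refused outright because they never belong in a redirect URI,
    and only https targets are accepted (policy of this example).
    """
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.username or parts.password or parts.fragment:
        return False
    return candidate in allowed


def build_authorization_request(client_id: str, redirect_uri: str,
                                scope: str = "openid email"):
    """Return (url, params) for the redirect to Keycloak.

    state ties the callback to this browser session (CSRF protection); nonce is
    echoed in the ID token so a token from another login cannot be replayed.
    Both must be kept server-side (e.g. in the session) until the callback arrives.
    """
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not registered: " + redirect_uri)
    params = {
        "response_type": "code",      # authorization-code flow = Keycloak's "Standard Flow"
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,               # must include openid; email supplies the SSO attribute
        "state": secrets.token_urlsafe(24),
        "nonce": secrets.token_urlsafe(24),
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), params


def code_from_callback(query: dict, expected_state: str) -> str:
    """First thing /api/openid/code must do: tie the callback to the login it started."""
    if "error" in query:
        raise ValueError("Keycloak returned an error: " + str(query["error"]))
    if not expected_state or not secrets.compare_digest(str(query.get("state", "")), expected_state):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "code" not in query:
        raise ValueError("callback carried no authorization code")
    return query["code"]
```

The state and nonce are what stop a stolen or attacker-initiated callback from logging the victim into someone else's session; the exact-match check is why the page says to list each redirect URI rather than a wildcard.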


Configure users

The next step is to create users. This example creates a user corresponding to the "MDM admin" user, with the email address mdmadmin@democollege.edu. The email address matters: it is the attribute YOUnite maps to the SSO ID (oidc.sso.attribute, described in the API configuration below), so it must match the user's email in YOUnite.

By default the new user has no password. Set one from the user's "Credentials" tab (Reset Password); turn off "Temporary" if the user should not be forced to change it at first login:


Configuring YOUnite

Now that Keycloak is configured, the YOUnite API needs to be told about the OpenID Connect server. This configuration is done either in application.properties or via environment variables. The values below are from application-dev.properties:

Descriptions of each property are below in the comments:

API Configuration

#
# OpenID Connect information. Only required if this authentication method is going to be used.
#
# openmdm.api.url = URL of the public endpoint for the Open MDM API. Required for the redirect after authentication completes.
# oidc.discovery.document.url = URL of the realm's discovery document (.well-known/openid-configuration). It publishes the realm's issuer, endpoints and signing keys.
# oidc.client.id = Client ID of the Keycloak client created above.
# oidc.client.secret = Client secret from the client's "Credentials" tab. Treat it like a password: prefer an environment variable over committing it to a properties file.
# oidc.scope = scopes to request from the auth server. This must contain "openid" plus whatever supplies the SSO attribute, e.g. "openid email".
# oidc.sso.attribute = ID-token claim mapped to the SSO ID in the system, for example "email". The scope above must request it.
# oidc.issuer = expected value of the "iss" claim in the ID token. Optional, but if specified it is validated and must match exactly; for Keycloak this is the realm URL.
# oidc.successful.login.url = URL to send the user to when they successfully authenticate (such as the UI dashboard).
#
# local keycloak configuration
# Note: the localhost URLs below only work while the browser and the API both reach Keycloak at that
# address (a local developer setup). Anywhere else, use the realm's public https URL for both
# oidc.discovery.document.url and oidc.issuer.
openmdm.api.url=https://openmdm.dev.ccctechcenter.org/api
oidc.discovery.document.url=http://localhost:8080/auth/realms/openmdm/.well-known/openid-configuration
oidc.client.id=openmdm-client
# example value only; take yours from the Credentials tab and keep it out of version control
oidc.client.secret=d50e1d6c-ccec-40e8-84bd-b6b1df0d2d17
oidc.scope=openid email
oidc.sso.attribute=email
oidc.issuer=http://localhost:8080/auth/realms/openmdm
oidc.successful.login.url=https://openmdm.dev.ccctechcenter.org/dashboard
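What these properties are used for once /api/openid/code receives the code, as an added example (illustrative Python, not YOUnite's implementation): it parses the oidc.* properties above and validates an ID token the way the callback endpoint must before trusting a login, checking signature, issuer (oidc.issuer), audience (oidc.client.id), expiry, nonce, and finally the claim named by oidc.sso.attribute, which becomes the user's SSO ID. The input is constructed: the token is signed HS256 with the client secret so the example runs offline. Keycloak signs ID tokens with RS256 by default, so a real implementation verifies against the keys at the discovery document's jwks_uri instead; the claim checks are the same either way.

```python
"""ID-token validation for the /api/openid/code step (added example, not YOUnite code)."""
import base64
import hashlib
import hmac
import json
import time

# The properties block from this page, embedded so the example is self-contained.
PROPERTIES = """\
openmdm.api.url=https://openmdm.dev.ccctechcenter.org/api
oidc.discovery.document.url=http://localhost:8080/auth/realms/openmdm/.well-known/openid-configuration
oidc.client.id=openmdm-client
oidc.client.secret=d50e1d6c-ccec-40e8-84bd-b6b1df0d2d17
oidc.scope=openid email
oidc.sso.attribute=email
oidc.issuer=http://localhost:8080/auth/realms/openmdm
oidc.successful.login.url=https://openmdm.dev.ccctechcenter.org/dashboard
"""


def load_properties(text: str) -> dict:
    """Minimal .properties parser: key=value lines, '#' comments, blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint a test ID token; stands in for the token-endpoint response (constructed, HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


class TokenRejected(Exception):
    """Raised with the reason a login must not be accepted."""


def validate_id_token(id_token: str, props: dict, expected_nonce: str, now: float = None) -> str:
    """Return the SSO ID (the oidc.sso.attribute claim) or raise TokenRejected."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose it (alg "none", HS/RS confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(props["oidc.client.secret"].encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # oidc.issuer is optional on the page, but when set it must match exactly.
    if props.get("oidc.issuer") and claims.get("iss") != props["oidc.issuer"]:
        raise TokenRejected("issuer mismatch: token issued by %r" % claims.get("iss"))
    aud = claims.get("aud")
    if props["oidc.client.id"] not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("token was not issued to this client")
    if float(claims.get("exp", 0)) <= now:
        raise TokenRejected("token expired")
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch: not the login we started")
    sso_attr = props["oidc.sso.attribute"]
    if not claims.get(sso_attr):
        raise TokenRejected("claim %r missing: is it requested in oidc.scope?" % sso_attr)
    return claims[sso_attr]


def login_outcome(id_token: str, props: dict, expected_nonce: str, now: float = None) -> tuple:
    """('ok', sso_id) or ('rejected', reason), for callers that prefer a result to an exception."""
    try:
        return ("ok", validate_id_token(id_token, props, expected_nonce, now))
    except TokenRejected as exc:
        return ("rejected", str(exc))
```

The last check is the one that bites in practice: if oidc.scope does not request the scope that carries the oidc.sso.attribute claim (here "email"), Keycloak issues a perfectly valid token with no email in it and the login cannot be mapped to a YOUnite user.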


UI Configuration

The SSO URL on the UI needs to be updated to point at the new login endpoint, /api/openid/login.

For example, in the docker-compose file for youniteui the updated parameter would look like:

- SSO_APP_URL=https:\/\/openmdm.dev.ccctechcenter.org\/api\/openid\/login
