
Configure the Identity Provider ???? Rework for the current product ????


SEAL Print Client authenticates users via OAuth 2.0 and the OpenID Connect protocol. This requires an identity provider.

With the standard installation, SEAL Systems provides the Keycloak identity provider. Other identity providers can be used. Keycloak serves as an interface to the existing user management, e.g. Active Directory.


Configure the Identity Provider Server in SEAL Operator

  1. Export the complete configuration of SEAL Operator from Consul to a YAML file in order to ensure that the current configuration settings are used.

    operator config export <filename>.yml --insecure

  2. In the exported file <filename>.yml, change the values in ID_PROVIDER_NAME and AUTH_ISSUER_URL to the server name <id_provider_server> of the identity provider. Use the fully-qualified domain name (FQDN) of the identity provider server.

    env:
      service:
        any:
          tag:
            any:
              ID_PROVIDER_NAME: https://<id_provider_server>:32769/auth/realms/SEAL
    
        operator-ui:
          tag:
            any:
              AUTH_ISSUER_URL: https://<id_provider_server>:32769/auth/realms/SEAL
    
  3. Save the file <filename>.yml and re-import it to Consul.

    operator config import <filename>.yml --insecure


Configure the Redirection URL in the Identity Provider

In the identity provider, you have to configure the URL for the redirection.

If Keycloak is used as identity provider, execute the following steps:

  1. In your Web browser, open the Keycloak user interface, https://localhost:32769.

  2. Open the Administration Console.

  3. Log on with the pre-configured user admin and password SealAdmin1.

  4. Under Configure on the left, select Clients in order to open the client list.

  5. In the Client ID column, select seal-print-client.

  6. In Valid Redirect URIs, enter the URL with the same server name as used for ID_PROVIDER_NAME and AUTH_ISSUER_URL.

    Caution - lower case

    The server name in Valid Redirect URIs has to be specified in lower case.

  7. In Web Origins, enter the URL with the same server name as used for ID_PROVIDER_NAME and AUTH_ISSUER_URL.

  8. Save the settings.


Background Knowledge

JSON Web Token

The clients receive the user's identity encoded in a signed JSON Web Token (JWT), called an ID token. It is issued by the identity server, for example Keycloak, and obtained via the standard OAuth 2.0 authorization code flow used for Web applications.

For example, a JWT contains:

{
  "name": "hugo",
  "preferred_username": "Hugo",
  "given_name": "Hugo",
  "family_name": "",
  "email": "hugo@sealsystems.de",
  "iat": 1546860576,
  "exp": 1572780576,
  "iss": "http://<server_name>:32768/auth/realms/seal-operator",
  "sub": "hugos-id"
}

Relationship Between the Settings

The issuer property (iss) in the ID token is a unique name created by the identity provider. Its value is an arbitrary string which differs for each identity provider and has to be determined individually.

If Keycloak is used as identity provider, the value contains the URL via which the service can be accessed over the network. Therefore, the value shown in the example above will change if the service is accessed from a machine different from localhost.

This matters because, for security reasons, the ID_PROVIDER_NAME entry in the SEAL Print Client configuration has to be configured so that it is identical to the iss entry in the ID token.

AUTH_ISSUER_URL, by contrast, contains the URL via which the identity server can be reached over the network.

If Keycloak is used as identity provider, the value in AUTH_ISSUER_URL is identical to the one in ID_PROVIDER_NAME.
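The following Python script is an added example, not SEAL Systems code and not part of this page; it models the relationship just described. It signs a constructed ID token, verifies the signature, and then insists that iss is byte-for-byte identical to the configured ID_PROVIDER_NAME and that the token has not expired, so a token issued for localhost or with a differently cased host name is rejected. It also sanity-checks the two values edited in step 2 of the SEAL Operator procedure (identical for Keycloak, https, lower-case FQDN). The HS256 shared key, the host name idp.example.internal and all function names are assumptions made for this example; a real Keycloak realm signs ID tokens with RS256 and the verifier has to use the realm's public keys instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional
from urllib.parse import urlsplit

# Configured value from step 2 of the page; the FQDN is a placeholder of our own.
ID_PROVIDER_NAME = "https://idp.example.internal:32769/auth/realms/SEAL"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Build a compact JWT with an HS256 signature (constructed test helper,
    standing in for the identity provider)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, key: bytes, expected_issuer: str,
                    now: Optional[int] = None) -> dict:
    """Verify the signature first, then enforce the iss == ID_PROVIDER_NAME
    rule and the expiry. Returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Exact string comparison: scheme, host spelling, port and realm path all count.
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r} != {expected_issuer!r}")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def issuer_check_result(issuer: str) -> str:
    """Sign a token carrying the given iss and report 'ok' or the rejection
    reason, to show which issuer values the configured name accepts."""
    key = b"constructed-shared-secret"
    claims = {"sub": "hugos-id", "preferred_username": "Hugo",
              "iat": 1546860576, "exp": 1572780576, "iss": issuer}
    try:
        verify_id_token(sign_token(claims, key), key, ID_PROVIDER_NAME, now=1546860600)
        return "ok"
    except ValueError as err:
        return str(err).split(":")[0]


def check_operator_config(id_provider_name: str, auth_issuer_url: str) -> List[str]:
    """Sanity checks for the two values edited in step 2: identical when
    Keycloak is the identity provider, https, and a lower-case FQDN
    (lower case avoids a mismatch with the Valid Redirect URIs entry)."""
    problems = []
    if id_provider_name != auth_issuer_url:
        problems.append("ID_PROVIDER_NAME and AUTH_ISSUER_URL differ")
    for label, url in (("ID_PROVIDER_NAME", id_provider_name),
                       ("AUTH_ISSUER_URL", auth_issuer_url)):
        parts = urlsplit(url)
        host = parts.netloc.rsplit(":", 1)[0]   # keep the original case
        if parts.scheme != "https":
            problems.append(f"{label}: not https")
        if host == "localhost" or "." not in host:
            problems.append(f"{label}: server name is not an FQDN")
        if host != host.lower():
            problems.append(f"{label}: server name is not lower case")
    return problems


if __name__ == "__main__":
    for iss in (ID_PROVIDER_NAME,
                "http://localhost:32769/auth/realms/SEAL",
                "https://IDP.example.internal:32769/auth/realms/SEAL"):
        print(f"{iss:60} -> {issuer_check_result(iss)}")
    print(check_operator_config(ID_PROVIDER_NAME, "https://localhost:32769/auth/realms/SEAL"))
```

Running the script shows that only the token whose iss equals ID_PROVIDER_NAME exactly is accepted; the localhost issuer from the page's own example and a host name that differs only in case are both reported as an issuer mismatch, which is the practical consequence of the rule stated above.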


Next Step

Continue with: Connect the Backend Systems

