6. Keycloak console

6.1. Introduction

This document explains the Keycloak console in the Exastro Suite's System management.

6.2. Keycloak console

The Keycloak console is used to change the login method, password and password policy for Organization users, and to add new administrators.
The user can also use the console to view a log of added roles and user changes.
  1. Select Keycloak console
    Selecting Keycloak console from the menu displays the Keycloak console page.
  2. Select realm (Organization)
    The user will need to select which realm (Organization) they are configuring before they can move to the next step.

    Danger

    We recommend that the user does not change any settings.
    Depending on what is changed, the application might not function properly.

    Note

    For more information about monitoring policies and logs, see the Official Keycloak documentation.

6.2.1. Adding system administrator

  1. Add system administrator
    When adding a new system administrator, select the master realm. From the menu, select User and press the Add user button. From there, the user can add new users by inputting the user information.
  2. Input System administrator's user information
    Input information for the new user that will be added.
    Table 6.1 Item description

    | Item name | Description |
    |---|---|
    | Required user/action | Lets you select what information the user must configure the next time they log in. For more detailed setting values, see the Official Keycloak documentation. |
    | E-mail verified | Select OFF. Note: if no mail sending server is configured, this will not work even if set to ON. |
    | Select a location | Select the language that will be displayed for the user. |
    | Username | Input a Username for the user. |
    | E-mail | Input an E-mail address for the user. |
    | Name | Input a name for the user. |
    | Last name | Input a last name for the user. |
    | Join Groups | This is not supported by Exastro at the moment. Do not specify anything. |
  3. Register System admin's user
    After inputting the required information, press the Create button to register the user.
  4. Configure password for the new user
    Note that it is not possible to configure a password for the user on the user registration page. The next section in this document describes how to configure passwords.
    Select Credentials under User details to configure a password.
    Press the Password settings button and input the password. Press the Save button to save the password.
    Table 6.2 Item description

    | Item name | Description |
    |---|---|
    | Password | Input the password that will be used when logging in. |
    | New password(Confirmation) | Input the same password once more. |
    | Temporary | If set to ON, the next time the user logs in, they will be moved to the Password change page. We recommend the user keeps this at ON. |
  5. Assign a role to the added user
    Giving the user the required Role allows them to configure settings as a System admin.
    Select Role Mappings under User details to configure a Role.
    Press the Assign role button and select a role. After that, press the Assign button to assign the role to the user.
    Completing these steps adds a user with system admin privileges.

6.2.2. Changing the validity period of access tokens

During processes that may take a long time, such as uploading/downloading large files, a message saying "Failed to authenticate" may be displayed.
This problem can be solved by changing the validity period of the access token.
  1. Select Client (Value same as Organization ID)
    Select the desired realm as described in Select realm (Organization) above, and select Client from the menu.
    This will display the Client list page. From the Client ID row, select the Client that has the same value as the Organization ID.
  2. Display Advanced settings (Client)
    This will display the Client details page. Select Advanced.
    On the right side of the Advanced page, select "Advanced settings" under "Jump to section".
  3. Change the access token validity period
    Change the access token's validity period item from "inherits from realm settings" to "Validity period" and input the desired time.
    Scroll down and press the Save button to save any changes made.

    Note

    If the access token's validity period exceeds the maximum time set in SSO session/idle/Max SSO sessions, the token is deactivated even while it is still within its validity period.
    If the access token's validity period needs to be longer than the default SSO settings (idle (30 min) / SSO session (10 h)),
    change the SSO session/idle/Max SSO session times to fit.
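
The rule in the note above can be checked against a realm export before and after changing these settings. The following is an added example, not part of the Exastro or Keycloak documentation: it models the cap exactly as the note states it, the realm JSON is constructed sample data, and "org1" is a hypothetical Organization ID.

```python
import json

# Constructed sample in the shape of a Keycloak realm export (not from the page).
# "org1" is a hypothetical Organization ID; all times are in seconds.
SAMPLE_REALM = json.loads("""
{
  "realm": "org1",
  "accessTokenLifespan": 300,
  "ssoSessionIdleTimeout": 1800,
  "ssoSessionMaxLifespan": 36000,
  "clients": [
    {"clientId": "org1", "attributes": {"access.token.lifespan": "7200"}},
    {"clientId": "account", "attributes": {}}
  ]
}
""")


def audit_token_lifespans(realm):
    """Return one finding per client: configured vs. effective token lifespan."""
    idle = realm["ssoSessionIdleTimeout"]
    max_life = realm["ssoSessionMaxLifespan"]
    findings = []
    for client in realm.get("clients", []):
        override = client.get("attributes", {}).get("access.token.lifespan")
        # No override corresponds to "inherits from realm settings".
        configured = int(override) if override else realm["accessTokenLifespan"]
        # Per the note: the SSO session times cap the token whatever its own setting.
        effective = min(configured, idle, max_life)
        if effective == configured:
            capped_by = None
        else:
            capped_by = "idle" if effective == idle else "max"
        findings.append({
            "client": client["clientId"],
            "configured": configured,
            "effective": effective,
            "capped_by": capped_by,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_token_lifespans(SAMPLE_REALM):
        print(finding)
```

A client reported with `capped_by` set has a validity period that the realm's session times cut short, so long transfers can still fail until those times are raised. A longer-lived access token also stays usable for longer if it leaks, so raise both values only as far as the longest expected transfer requires.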

6.2.3. Changing SSO session/idle/Max SSO sessions

  1. Display Session Settings
    Select the desired realm as described in Select realm (Organization) above, and select Realm settings from the menu.
    This will display the Realm settings page. Select Session and move to the Session Settings page.
  2. Change the SSO session/idle/Max SSO session times
    Input the desired time in the SSO session/idle/Max SSO sessions items.
    Scroll down and press the Save button to save any changes made.