Configuring Other Identity Providers¶
SEAL Systems products use Keycloak as standard identity provider. Keycloak contains various client configurations for PLOSSYS 5 and SEAL Print Client.
If you prefer to use a different identity provider, you have to configure your identity provider for working with SEAL Systems products.
Configuring Your Identity Provider¶
-
Add the following client configurations to your identity provider:
-
easyPRIMA
An easyPRIMA client entry to support OAuth 2.0 Authorization Password Grant in handling the authentication of users
Default client ID:
seal-easyprima
, change it, if necessary -
PLOSSYS Administrator
A PLOSSYS Administrator client entry to support OAuth 2.0 Authorization Code Grant in handling the authentication of users
Default client ID:
seal-plossysadmin
, change it, if necessary -
PLOSSYS CLI
A PLOSSYS CLI entry to support OAuth 2.0 Authorization Password Grant in handling the authentication of users
Default client ID:
seal-plossyscli
, change it, if necessary -
PLOSSYS Infoclient
A PLOSSYS Infoclient client entry to support OAuth 2.0 Client Credentials Grant in handling the service to service authentication between PLOSSYS Infoclient and the PLOSSYS 5 notification service on the server side
Default client ID:
seal-infoclient
, change it, if necessary -
SEAL DocPrint
A SEAL DocPrint client entry to support OAuth 2.0 Authorization Password Grant in handling the authentication of users
Default client ID:
seal-mobile-print
, change it, if necessary -
SEAL Print Client
A SEAL Print Client entry to support OAuth 2.0 Authorization Code Grant in handling the authentication of users
Default client ID:
seal-print-client
, change it, if necessary -
SEAL OP-CLI
A SEAL OP-CLI client entry to support OAuth 2.0 Authorization Password Grant and Authorization Code Grant in handling the authentication of users
Default client ID:
seal-opcli
, change it, if necessary -
SEAL Operator
A SEAL Operator client entry to support OAuth 2.0 Client Credentials Grant in handling the service to service authentication between the SEAL Print Client services on server side
Default client ID:
operator
, change it, if necessary
-
-
Download the signing certificate from the identity provider and save it as a file.
Caution - different certificate
This certificate usually differs from the certificate used for secure TLS connections. Therefore you have to use a different name.
-
Provide the following data to set up SEAL Print Client and PLOSSYS 5 clients:
- signing certificate ??? ändern in issuer url?
- issuer name
- all client id's
- all client secrets
Usually this part of the configuration is done in the form of environment variables on the client side. For details on this, see the appropriate client documentation.
Example of Configuring an IDP¶
Example - Configuring an IDP using the Example of SEAL Print Client
-
Export the SEAL Print Client configuration into a file.
-
Find the section associated with all SEAL Print Client services and configure the following keys for the certificate and the Client Credentials grant:
env: service: any: tag: any: ... ID_PROVIDER_NAME: <iss property in idp> ID_PROVIDER_CERT: <path_and_filename of idp signing certificate> AUTH_CLIENT_ID: <Operator client_id_used in idp> AUTH_CLIENT_SECRET: <Operator client_secret generated by idp> AUTH_TOKEN_ENDPOINT: <token_endpoint_url of idp> ...
For further information about the
ID_PROVIDER_NAME
entry, see Background Knowledge below. -
In the section for the
operator-ui
service, configure the following keys for the Authorization Code grant:env: service: ... operator-ui: tag: any: ... AUTH_ISSUER_URL: <idp url> AUTH_CLIENT_ID: <SEAL Print Client client_id used in idp> ...
Literature - keys
For further information about the keys, refer to the appropriate product documentation.
Background Knowledge¶
JSON Web Token¶
The clients receive the user's identity encoded in a secure JSON Web Token (JWT), called ID token
. The ID token is issued by the identity server, e. g. Keycloak, and obtained via standard OAuth 2.0 Code Flow supporting Web applications.
For example, a JWT contains:
{
"name": "hugo",
"preferred_username": "Hugo",
"given_name": "Hugo",
"family_name": "",
"email": "hugo@sealsystems.de",
"iat": 1546860576,
"exp": 1572780576,
"iss": "http://<server_name>:32768/auth/realms/seal-operator",
"sub": "hugos-id"
}
Relationship Between the Settings¶
The issuer property (iss
) in the ID token is a unique name created by the identity provider. Its value is an arbitrary string, which differs for each identity provider and has to be determined individually.
If you use Keycloak as identity provider, the value contains the URL by which the service can be accessed over the network. Therefore, the value in the example above will change, if the service is accessed from a different machine than localhost.
Caution - identical configurations
For security reasons, the ID_PROVIDER_NAME
configuration in the above example must be identical to the iss
entry in the ID token and has to be configured appropriatley.
The AUTH_ISSUER_URL
contains a URL pointing to the address by which the identity server can be accessed over the network.
If you use Keycloak as identity provider, the value in AUTH_ISSUER_URL
is identical to the one in ID_PROVIDER_NAME
.