
Manage users and groups using the Keycloak Identity and Access Management service.
Learn how to integrate Keycloak with your company’s Active Directory.


Before integrating Keycloak with Active Directory, have all LDAP connection
and bind details (server URL, Users DN, Bind DN and its password) ready.


It will take 20 mins to complete this guide.

Managing groups

Groups allow you to manage a common set of access privileges for a set of users. Users can be members of zero or more groups. They inherit the access privileges assigned to each group.

The steps below explain how to create groups and update their access privileges.

  1. Access Keycloak’s user interface by typing its URL in your browser’s address bar. It’s the same as MOSTLY AI’s URL, but with the /auth path at the end of it.
    https://mostlyai.mycompany.com/auth, for example.


  2. Keycloak’s welcome page will now appear. Select Administration Console and enter the Admin credentials that were created during installation. You can also find these credentials in the docker-compose.yml file located in the /opt/mostly-ai/etc/ directory.

    The credentials are stored in the KEYCLOAK_USER and KEYCLOAK_PASSWORD fields. They are kept in cleartext, so restrict read access to the file to the administrators who maintain the installation, and replace the example password shown below with a strong one of your own.

      mostly-keycloak:
        image: mostlyai/mostly-keycloak:latest
        container_name: mostly-keycloak
        hostname: mostly-keycloak
        depends_on:
          - mostly-keycloak-postgres
        environment:
          - VIRTUAL_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - VIRTUAL_PORT=$MOSTLY_GENERATE_PORT  #8080
          - LETSENCRYPT_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - KEYCLOAK_USER=admin
          - KEYCLOAK_PASSWORD=adminpassword123456789
          - DB_VENDOR=postgres
          - DB_ADDR=mostly-keycloak-postgres #mostly-keycloak-postgres
          - DB_PORT=5432 # 5432
          - DB_DATABASE=mostly_keycloak # mostly_keycloak
          - DB_USER=mostly_keycloak # mostly_keycloak
          - DB_PASSWORD=mostly_keycloak # mostly_keycloak
          - PROXY_ADDRESS_FORWARDING=true
          - X509_CA_BUNDLE=/opt/mostly-keycloak-setup/enterprise_mostlylab.crt


  3. Once you’re in the Administration Console, click on Groups in the left side menu. Here you will see the user groups that are currently available. Click on New to create a new group or on Edit to manage the access permissions of an existing group.

    Manage groups 1


  4. If you chose New, a Create group page will appear where you can fill out the name of your new group. Click Save when done.

    Manage groups 2


  5. On the next page, select the Role mappings tab to see the available and assigned roles for your group. Select the roles you want to assign and click on Add selected. You can leave Keycloak once you’re done.

    Manage groups 3

    We recommend assigning the roles whose names start with Manage, Use, View, and Stop. These are composite roles, each of which bundles one or more granular roles; the granular roles are recognizable by the underscore (_) at the beginning of their name, and you normally do not assign them directly. The table below lists all the composite roles you can choose from.

    Role Description

    ManageDataConnector

    Create, update, read, and delete data connectors.

    UseDataConnector

    Use data connectors in jobs and data catalogs and see their details.

    ManageDataCatalog

    Create, update, read, and delete data catalogs.

    UseDataCatalog

    Use data catalogs to start jobs and see their details.

    ManageJobs

    Start, stop, update, and delete jobs, and download their assets.

    StopJobs

    Stop a running job, exit the training and generation steps, and delete a job.

    ViewJobs

    View the jobs list and job details, including job progress and the QA report, and download their assets.

    ManageUser

    View the user list and user details, view and update the Active Directory connection details, and synchronize Active Directory with MOSTLY AI’s user directory.

    ManageLicense

    View the license and activate it.

    UseAPI

    Use all endpoints of the public API.

    ManageAPI

    Create an API key for the public API.

    ManageGroupSharing

    Change which groups have access to a job, data catalog, or data connector.

    ManagePublicSharing

    Provide view access to a job, data catalog, or data connector to everyone.

    ManageOwnerSharing

    Change the owner of a resource.

Managing users

Follow the steps below to add users manually. Alternatively, you can integrate Keycloak with your company’s Active Directory by following the steps in Integrating Keycloak with Active Directory below.

  1. Access Keycloak’s user interface by typing its URL in your browser’s address bar. It’s the same as MOSTLY AI’s URL, but with the /auth path at the end of it.
    https://mostlyai.mycompany.com/auth, for example.


  2. Keycloak’s welcome page will now appear. Select Administration Console and sign in with the Admin credentials that were created during installation (see step 2 of Managing groups for where they are stored).


  3. Once you’re in Keycloak, click on Users in the left side menu and then on the Add user button on the Users page.

    Manage groups 1


  4. After you click Add user, a new page appears where you can fill out the user’s Email, First Name, and Last Name. Click Save when done.

    Manage groups 1


  5. Next, the user profile page appears. Select the Credentials tab to set a password for this user account. Enter the new password in the Password and Password confirmation fields, leave the Temporary switch on so that the user must choose their own password at first login, then click Set password and confirm.

    Manage groups 1


  6. Switch to the Groups tab to assign the user to one or more groups.

    Manage groups 1
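
Both procedures above (create a group, map composite roles to it, create a user, set an initial password, put the user in the group) can also be driven through Keycloak’s Admin REST API, which is what you want once accounts are provisioned by a script instead of by hand. The following is an added example, not code from MOSTLY AI or Keycloak. It assumes a realm named mostly, the /auth context path used in the URLs above, and that the admin account from docker-compose.yml may log in through Keycloak’s built-in admin-cli client. The FakeKeycloak transport and the sample user are constructed so the script runs offline; pass no transport to talk to a real server.

```python
"""Keycloak Admin REST API version of the group and user procedures above."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# ASSUMPTIONS, not from the original page: the realm MOSTLY AI lives in is
# called "mostly", the base URL keeps the "/auth" context path shown above,
# and the admin account may use the built-in admin-cli client.
BASE_URL = "https://mostlyai.mycompany.com/auth"
REALM = "mostly"

# A transport takes (method, url, headers, body) and returns (status, headers, body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Dict[str, str], bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]):
    """Real HTTPS transport; the HTTPError branch returns 4xx/5xx bodies instead of raising."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def _id_from_location(headers: Dict[str, str]) -> str:
    """POST /groups and POST /users answer 201 with a Location header that ends in the new id."""
    location = next(v for k, v in headers.items() if k.lower() == "location")
    return location.rstrip("/").rsplit("/", 1)[-1]


class KeycloakAdmin:
    def __init__(self, base_url: str, realm: str, transport: Optional[Transport] = None):
        self.base = base_url.rstrip("/")
        self.realm = realm
        self._send = transport or urllib_transport
        self._token: Optional[str] = None

    def login(self, username: str, password: str) -> None:
        """Password grant on the master realm, i.e. the KEYCLOAK_USER/KEYCLOAK_PASSWORD account."""
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password}).encode()
        status, _, body = self._send("POST", f"{self.base}/realms/master/protocol/openid-connect/token",
                                     {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"login failed: HTTP {status}")
        self._token = json.loads(body)["access_token"]

    def _api(self, method: str, path: str, payload=None) -> Tuple[int, Dict[str, str], bytes]:
        headers = {"Authorization": f"Bearer {self._token}", "Content-Type": "application/json"}
        data = json.dumps(payload).encode() if payload is not None else None
        status, hdrs, body = self._send(method, f"{self.base}/admin/realms/{self.realm}{path}", headers, data)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {body[:200]!r}")
        return status, hdrs, body

    def create_group(self, name: str) -> str:  # UI: Groups > New > Save
        return _id_from_location(self._api("POST", "/groups", {"name": name})[1])

    def assign_realm_roles(self, group_id: str, role_names: List[str]) -> List[str]:  # UI: Role mappings tab
        # Role mappings take role representations, so resolve each composite role by name first.
        reps = [json.loads(self._api("GET", f"/roles/{urllib.parse.quote(n)}")[2]) for n in role_names]
        self._api("POST", f"/groups/{group_id}/role-mappings/realm",
                  [{"id": r["id"], "name": r["name"]} for r in reps])
        return [r["name"] for r in reps]

    def create_user(self, email: str, first: str, last: str) -> str:  # UI: Users > Add user
        user = {"username": email, "email": email, "firstName": first, "lastName": last, "enabled": True}
        return _id_from_location(self._api("POST", "/users", user)[1])

    def set_password(self, user_id: str, password: str, temporary: bool = True) -> None:  # UI: Credentials tab
        # temporary=True makes Keycloak force a password change at the user's first login.
        self._api("PUT", f"/users/{user_id}/reset-password",
                  {"type": "password", "value": password, "temporary": temporary})

    def add_to_group(self, user_id: str, group_id: str) -> None:  # UI: Groups tab
        self._api("PUT", f"/users/{user_id}/groups/{group_id}")


class FakeKeycloak:
    """Constructed stand-in for the server so the walkthrough runs offline; records every request."""
    def __init__(self):
        self.calls: List[Tuple[str, str, Dict[str, str], Optional[bytes]]] = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if url.endswith("/protocol/openid-connect/token"):
            return 200, {}, b'{"access_token": "tok"}'
        if method == "POST" and url.endswith(("/groups", "/users")):
            return 201, {"Location": url + ("/g-1" if url.endswith("/groups") else "/u-1")}, b""
        if method == "GET" and "/roles/" in url:
            name = url.rsplit("/", 1)[-1]
            return 200, {}, json.dumps({"id": "r-" + name, "name": name}).encode()
        return 204, {}, b""


def onboard(admin_user: str, admin_password: str, transport: Optional[Transport] = None) -> Dict[str, object]:
    """Both procedures end to end: a least-privilege group, then a constructed sample user placed in it."""
    kc = KeycloakAdmin(BASE_URL, REALM, transport)
    kc.login(admin_user, admin_password)
    group_id = kc.create_group("data-scientists")
    roles = kc.assign_realm_roles(group_id, ["UseDataConnector", "UseDataCatalog", "ManageJobs"])
    user_id = kc.create_user("jane.doe@mycompany.com", "Jane", "Doe")
    kc.set_password(user_id, "change-me-at-first-login", temporary=True)
    kc.add_to_group(user_id, group_id)
    return {"group_id": group_id, "user_id": user_id, "roles": roles}


if __name__ == "__main__":
    print(onboard("admin", "adminpassword123456789", transport=FakeKeycloak()))
```

For anything beyond a one-off, do not run this with the installation’s admin password: create a dedicated confidential client with a service account that holds only the realm-management roles the script needs (manage-users, for example) and exchange the password grant for the client-credentials grant.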


Integrating Keycloak with Active Directory

Take the following steps to integrate Keycloak with your company’s Active Directory:

  1. Access Keycloak’s user interface by typing its URL in your browser’s address bar. It’s the same as MOSTLY AI’s URL, but with the /auth path at the end of it.
    https://mostlyai.mycompany.com/auth, for example.


  2. Keycloak’s welcome page will now appear. Select Administration Console and sign in with the Admin credentials that were created during installation (see step 2 of Managing groups for where they are stored).


  3. Once you’re in Keycloak, click on User Federation in the left menu and select ldap from the Add provider drop-down list to navigate further.

    Keycloak User federation page


  4. Next, fill out the fields on the Add user federation page. You can find descriptions for each field below the screenshot.

    Keycloak Add User federation


    Username LDAP attribute

    Specify the LDAP attribute that becomes the user’s username in MOSTLY AI. Examples of suitable attributes are mail, sAMAccountName, or cn.

    RDN LDAP attribute

    Specify the LDAP attribute used as the RDN (top attribute) of a typical user DN. Usually, it’s the same as the Username LDAP attribute.

    UUID LDAP attribute

    Specify the LDAP attribute used as a unique object identifier (UUID) for objects in LDAP. For Active Directory, this is objectGUID.

    User Object Classes

    Enter the values of the LDAP objectClass attribute for users, separated by commas. Example: person, organizationalPerson, user.

    Search Scope

    Select Subtree or One Level. If the node listed in Users DN contains nested nodes with users, select Subtree; otherwise, select One Level.

    Connection URL

    Specify the LDAP URL of the Active Directory server, including scheme and port, for example ldaps://ad.mycompany.com:636. Use ldaps:// rather than plain ldap://; otherwise the bind credential and every user lookup cross the network in cleartext.

    Users DN

    Specify the subtree where the users reside as a distinguished name made of comma-separated relative distinguished names (RDNs), for example OU=Staff,DC=mycompany,DC=com.

    Custom user search filter

    Optionally, use an LDAP filter, enclosed in parentheses, to narrow down which of the users under the Users DN node are imported. Keycloak combines it with the object class conditions from User Object Classes.

    Bind type

    Specify how Keycloak authenticates to the Active Directory server: simple (bind with the Bind DN and its password) or none (anonymous bind, which Active Directory does not permit for user searches by default).

    Bind DN

    Provide the DN of the account Keycloak binds as on the Active Directory server. Use a dedicated read-only service account with the least privilege needed to read the Users DN subtree, not a domain administrator: this DN and its password are stored in Keycloak’s configuration.

    Bind credential

    Enter the Bind credential (password) for the Bind DN.


  5. Use Test connection and Test authentication to confirm that the Connection URL and the bind credentials work, then click Save to finish.
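
The field descriptions above leave room for the mistakes that cost the most time in practice: a bare host name instead of an LDAP URL, a custom filter without its enclosing parentheses, a plain ldap:// URL that sends the bind password in cleartext, or a UUID attribute other than objectGUID. The following added example, not code from MOSTLY AI or Keycloak, checks a set of settings for those problems before you type them in, shows the user search filter the settings amount to, and builds the component representation that POST /admin/realms/{realm}/components accepts as the REST equivalent of clicking Save. The server name, DNs, group name and bind credential in AD_SETTINGS are constructed sample values; the READ_ONLY edit mode is a choice made here, not a setting from the page.

```python
"""Check Active Directory federation settings before entering them in Keycloak."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample, one value per field of the Add user federation page (names and DNs assumed).
AD_SETTINGS: Dict[str, str] = {
    "connection_url": "ldaps://ad.mycompany.com:636",
    "users_dn": "OU=Staff,DC=mycompany,DC=com",
    "username_ldap_attribute": "sAMAccountName",
    "rdn_ldap_attribute": "cn",
    "uuid_ldap_attribute": "objectGUID",
    "user_object_classes": "person, organizationalPerson, user",
    "search_scope": "subtree",
    "custom_user_search_filter": "(memberOf=CN=mostly-users,OU=Groups,DC=mycompany,DC=com)",
    "bind_type": "simple",
    "bind_dn": "CN=svc-keycloak,OU=Service Accounts,DC=mycompany,DC=com",
    "bind_credential": "example-only",
}

# One RDN per component, attribute=value, comma separated. Escaped commas (\,) inside values are not handled.
_DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=[^,=]+(\s*,\s*[A-Za-z][\w-]*=[^,=]+)*\s*$")


def is_dn(value: str) -> bool:
    return bool(_DN_RE.match(value))


def validate(s: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems: List[str] = []
    url = urlsplit(s["connection_url"])
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        problems.append("connection_url must be an LDAP URL such as ldaps://host:636, not a bare host name")
    elif url.scheme == "ldap":
        problems.append("connection_url is plain ldap://: the bind credential and all lookups cross the network unencrypted")
    if not is_dn(s["users_dn"]):
        problems.append("users_dn is not a distinguished name of comma-separated RDNs")
    if s["uuid_ldap_attribute"].lower() != "objectguid":
        problems.append("uuid_ldap_attribute should be objectGUID for Active Directory")
    if not [c for c in s["user_object_classes"].split(",") if c.strip()]:
        problems.append("user_object_classes must list at least one objectClass value")
    if s["search_scope"] not in ("one_level", "subtree"):
        problems.append("search_scope must be one_level or subtree")
    custom = s["custom_user_search_filter"].strip()
    if custom and not (custom.startswith("(") and custom.endswith(")")):
        problems.append("custom_user_search_filter must be enclosed in parentheses")
    if s["bind_type"] == "simple":
        if not is_dn(s["bind_dn"]) or not s["bind_credential"]:
            problems.append("simple bind needs a bind_dn and a bind_credential")
    elif s["bind_type"] != "none":
        problems.append("bind_type must be simple or none")
    return problems


def effective_search_filter(s: Dict[str, str]) -> str:
    """Filter equivalent to what the LDAP provider applies under users_dn:
    every object class ANDed with the custom filter."""
    classes = [c.strip() for c in s["user_object_classes"].split(",") if c.strip()]
    terms = "".join(f"(objectClass={c})" for c in classes) + s["custom_user_search_filter"].strip()
    return f"(&{terms})"


def build_component(s: Dict[str, str], name: str = "active-directory") -> Dict[str, object]:
    """Component representation for POST /admin/realms/{realm}/components.
    Config keys are those of Keycloak's LDAP provider; every config value is a list of strings."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    scope = {"one_level": "1", "subtree": "2"}[s["search_scope"]]   # Keycloak's numeric search scopes
    config = {
        "vendor": "ad",
        "editMode": "READ_ONLY",   # choice made here: AD stays the source of truth, Keycloak never writes back
        "connectionUrl": s["connection_url"],
        "usersDn": s["users_dn"],
        "usernameLDAPAttribute": s["username_ldap_attribute"],
        "rdnLDAPAttribute": s["rdn_ldap_attribute"],
        "uuidLDAPAttribute": s["uuid_ldap_attribute"],
        "userObjectClasses": s["user_object_classes"],
        "searchScope": scope,
        "customUserSearchFilter": s["custom_user_search_filter"],
        "authType": s["bind_type"],
        "bindDn": s["bind_dn"],
        "bindCredential": s["bind_credential"],
    }
    return {"name": name, "providerId": "ldap",
            "providerType": "org.keycloak.storage.UserStorageProvider",
            "config": {k: [v] for k, v in config.items()}}


if __name__ == "__main__":
    for problem in validate(AD_SETTINGS) or ["settings are consistent"]:
        print(problem)
    print(effective_search_filter(AD_SETTINGS))
```

Run the effective filter through ldapsearch against the same Users DN with the same bind account before saving: if it returns the expected accounts there, Keycloak’s synchronization will find them too, and if the bind is refused you have isolated the credential problem from the filter problem.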