Manage users and groups using the Keycloak Identity and Access Management service.

Before integrating Keycloak and Active Directory, please have all

It will take 20 mins to complete this guide.
Managing groups
Groups allow you to manage a common set of access privileges for a set of users. Users can be members of zero or more groups. They inherit the access privileges assigned to each group.
The steps below explain how to create groups and update their access privileges.
-
Access Keycloak’s user interface by typing its URL in your browser’s address bar. It is the same as MOSTLY AI’s URL with the `/auth` path appended, for example `https://mostlyai.mycompany.com/auth`.
-
Keycloak’s welcome page appears. Select `Administration Console` and enter the Admin credentials that were created during installation. You can also find these credentials in the `docker-compose.yml` file located in the `/opt/mostly-ai/etc/` directory, in the `KEYCLOAK_USER` and `KEYCLOAK_PASSWORD` fields. Anyone who can read this file can administer Keycloak, so keep it readable only by the installation account, and change the admin password from the Administration Console if it is still the value the file was shipped with.

```yaml
mostly-keycloak:
  image: mostlyai/mostly-keycloak:latest
  container_name: mostly-keycloak
  hostname: mostly-keycloak
  depends_on:
    - mostly-keycloak-postgres
  environment:
    - VIRTUAL_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
    - VIRTUAL_PORT=$MOSTLY_GENERATE_PORT #8080
    - LETSENCRYPT_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
    - KEYCLOAK_USER=admin
    - KEYCLOAK_PASSWORD=adminpassword123456789
    - DB_VENDOR=postgres
    - DB_ADDR=mostly-keycloak-postgres #mostly-keycloak-postgres
    - DB_PORT=5432 # 5432
    - DB_DATABASE=mostly_keycloak # mostly_keycloak
    - DB_USER=mostly_keycloak # mostly_keycloak
    - DB_PASSWORD=mostly_keycloak # mostly_keycloak
    - PROXY_ADDRESS_FORWARDING=true
    - X509_CA_BUNDLE=/opt/mostly-keycloak-setup/enterprise_mostlylab.crt
```
-
Once you’re in the Administration Console, click `Groups` in the left side menu. Here you will see the user groups that are currently available. Click `New` to create a new group or `Edit` to manage the access permissions of an existing group.
-
If you chose `New`, a Create group page appears where you can fill out the name of your new group. Click `Save` when done.
-
On the next page, select the `Role mappings` tab to see the available and assigned roles for your group. Select the roles you want to assign and click `Add selected`. You can leave Keycloak once you’re done.

We recommend assigning the roles whose names start with Manage, Use, View, or Stop. These are composite roles, each combining one or more granularly defined roles. The granular roles can be identified by the underscore (_) at the beginning of their name; they do not need to be assigned directly. Give each group only the composite roles its members need, and keep the roles that change ownership, visibility or user administration (ManageOwnerSharing, ManagePublicSharing, ManageUser) for administrator groups. The table below lists all the composite roles you can choose from.

| Role | Description |
| --- | --- |
| ManageDataConnector | Create, update, read, and delete data connectors. |
| UseDataConnector | Use data connectors in jobs and data catalogs and see their details. |
| ManageDataCatalog | Create, update, read, and delete data catalogs. |
| UseDataCatalog | Use data catalogs to start jobs and see their details. |
| ManageJobs | Start, stop, update, and delete jobs, and download their assets. |
| StopJobs | Stop a running job, exit the training and generation steps, and delete a job. |
| ViewJobs | View the jobs list and job details, including job progress and QA report, and download their assets. |
| ManageUser | View the user list and user details, view and update the Active Directory connection details, and synchronize Active Directory with MOSTLY AI’s user directory. |
| ManageLicense | View the license and activate it. |
| UseAPI | Use all endpoints of the public API. |
| ManageAPI | Create an API key for the public API. |
| ManageGroupSharing | Change which groups have access to a job, data catalog, or data connector. |
| ManagePublicSharing | Provide view access to a job, data catalog, or data connector to everyone. |
| ManageOwnerSharing | Change the owner of a resource. |
Managing users
Follow the steps below to manually add users. Alternatively, you can integrate Keycloak with your company’s Active Directory by following the steps under Integrating Keycloak with Active Directory below.
-
Sign in to Keycloak’s Administration Console with the Admin credentials, as described at the start of Managing groups above (the URL is MOSTLY AI’s URL with the `/auth` path appended).
-
Once you’re in Keycloak, click `Users` in the left side menu and then the `Add user` button on the Users page.
-
A new page appears where you can fill out the user’s `Email`, `First Name`, and `Last Name`. Click `Save` when done.
-
The user profile page appears. Select the `Credentials` tab to set a password for this user account. Enter the new password in the `Password` and `Password confirmation` fields, leave the `Temporary` switch on so that the user has to choose their own password at first login, then click `Set password` and confirm. Hand the initial password to the user out of band rather than storing it anywhere shared.
-
Switch to the `Groups` tab to assign the user to one or more groups. The user receives the roles mapped to those groups; granting access through groups rather than through direct role mappings on the user keeps access reviewable and revocable per group.
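The two procedures above (groups with their role mappings, then users placed in those groups) can be scripted against the Keycloak Admin REST API, which is what the Administration Console itself calls. The script below is an added example, not MOSTLY AI’s or Keycloak’s own code. It first checks a group layout for least privilege (no underscore-prefixed granular roles, no unknown roles, sensitive roles only in administrator groups) and only then creates the groups, maps the composite roles from the table above, and creates a user with a temporary password. The group names, realm name, Keycloak URL and the sample user are assumptions, and the MOSTLY AI roles are assumed to be realm roles; if they are client roles, the mapping path is `/groups/{id}/role-mappings/clients/{client-uuid}` instead.

```python
"""Groups, role mappings and users for MOSTLY AI via the Keycloak Admin REST API.
Added example, not MOSTLY AI's or Keycloak's own code; the group layout, realm,
URL and sample user are placeholders (assumptions)."""
import json
import os
import urllib.parse
import urllib.request

# The composite roles from the table above; underscore-prefixed granular roles are not assigned directly.
COMPOSITE_ROLES = {
    "ManageDataConnector", "UseDataConnector", "ManageDataCatalog", "UseDataCatalog",
    "ManageJobs", "StopJobs", "ViewJobs", "ManageUser", "ManageLicense", "UseAPI",
    "ManageAPI", "ManageGroupSharing", "ManagePublicSharing", "ManageOwnerSharing",
}
# Roles that change ownership, visibility or user administration; keep them in admin groups.
SENSITIVE_ROLES = {"ManageUser", "ManageLicense", "ManagePublicSharing", "ManageOwnerSharing"}
ADMIN_GROUPS = {"platform-admins"}

# Constructed group layout (assumed, for illustration).
GROUPS = {
    "viewers": ["ViewJobs", "UseDataCatalog"],
    "analysts": ["ViewJobs", "ManageJobs", "UseDataCatalog", "UseDataConnector", "UseAPI", "ManageAPI"],
    "data-owners": ["ManageDataConnector", "ManageDataCatalog", "ManageJobs", "ManageGroupSharing"],
    "platform-admins": sorted(COMPOSITE_ROLES),
}


def check_group_roles(groups, admin_groups=ADMIN_GROUPS):
    """Return (group, role, problem) tuples; an empty list means the layout passes."""
    findings = []
    for group, roles in groups.items():
        for role in roles:
            if role.startswith("_"):
                findings.append((group, role, "granular role; assign the composite role instead"))
            elif role not in COMPOSITE_ROLES:
                findings.append((group, role, "not a documented composite role"))
            elif role in SENSITIVE_ROLES and group not in admin_groups:
                findings.append((group, role, "sensitive role outside an admin group"))
    return findings


def admin_token(base_url, username, password):
    """Password grant on the master realm's admin-cli client, the same thing kcadm.sh does."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def created_id(headers):
    """201 responses carry the new object's id at the end of the Location header."""
    return headers["Location"].rstrip("/").rsplit("/", 1)[-1]


class KeycloakAdmin:
    """Only the group, role-mapping and user endpoints that this page's procedures use."""

    def __init__(self, base_url, realm, token):
        self.api = f"{base_url}/admin/realms/{realm}"
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.api + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.headers, (json.loads(raw) if raw else None)

    def create_group(self, name):
        return created_id(self._call("POST", "/groups", {"name": name})[0])

    def map_realm_roles(self, group_id, role_names):
        # Role mappings take full role representations, so resolve each name to its id first.
        roles = [self._call("GET", f"/roles/{urllib.parse.quote(name)}")[1] for name in role_names]
        self._call("POST", f"/groups/{group_id}/role-mappings/realm", roles)

    def create_user(self, email, first_name, last_name, initial_password, group_ids):
        user = {"username": email, "email": email, "firstName": first_name,
                "lastName": last_name, "enabled": True}
        user_id = created_id(self._call("POST", "/users", user)[0])
        # temporary=True is the Credentials tab's "Temporary" switch: a password change is forced at first login.
        self._call("PUT", f"/users/{user_id}/reset-password",
                   {"type": "password", "value": initial_password, "temporary": True})
        for gid in group_ids:  # group membership, not direct role mappings, carries the roles
            self._call("PUT", f"/users/{user_id}/groups/{gid}")
        return user_id


def apply_groups(admin, groups):
    """Create every group with its role mappings; refuse a layout that fails the check."""
    problems = check_group_roles(groups)
    if problems:
        raise ValueError(f"fix the group layout first: {problems}")
    ids = {}
    for name, roles in groups.items():
        ids[name] = admin.create_group(name)
        admin.map_realm_roles(ids[name], roles)
    return ids


if __name__ == "__main__":
    # Credentials come from the environment, never from a copy of docker-compose.yml.
    url = os.environ.get("KEYCLOAK_URL", "https://mostlyai.mycompany.com/auth")
    admin = KeycloakAdmin(url, os.environ["KEYCLOAK_REALM"],
                          admin_token(url, os.environ["KEYCLOAK_USER"], os.environ["KEYCLOAK_PASSWORD"]))
    ids = apply_groups(admin, GROUPS)
    admin.create_user("jane.doe@mycompany.com", "Jane", "Doe", os.environ["INITIAL_PASSWORD"], [ids["analysts"]])
```

Run it with `KEYCLOAK_REALM`, `KEYCLOAK_USER`, `KEYCLOAK_PASSWORD` and `INITIAL_PASSWORD` set in the environment. The layout check runs before any request is sent, so a mistake such as giving `ManageOwnerSharing` to an analyst group is rejected locally instead of ending up in the realm.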
Integrating Keycloak with Active Directory
Take the following steps to integrate Keycloak with your company’s Active Directory:
-
Sign in to Keycloak’s Administration Console with the Admin credentials, as described at the start of Managing groups above (the URL is MOSTLY AI’s URL with the `/auth` path appended).
-
Once you’re in Keycloak, click `User Federation` in the left side menu and select `ldap` from the `Add provider` drop-down.
-
Next, fill out the fields on the Add user federation page. The fields are described below.

| Field | Description |
| --- | --- |
| Username LDAP attribute | The LDAP attribute that becomes the user’s username in MOSTLY AI. Suitable attributes are `mail`, `sAMAccountName`, or `cn`. |
| RDN LDAP attribute | The LDAP attribute used as the RDN (top attribute) of a typical user DN. Usually it is the same as the Username LDAP attribute. |
| UUID LDAP attribute | The LDAP attribute used as a unique object identifier (UUID) for objects in LDAP. For Active Directory, this is `objectGUID`, which stays the same when a user is renamed or moved to another OU. |
| User Object Classes | The values of the LDAP `objectClass` attribute for users, separated by commas. Example: `person, organizationalPerson, user`. |
| Search Scope | `Subtree` or `One Level`. If the node listed in Users DN contains nested nodes with users, select `Subtree`; otherwise select `One Level`. |
| Connection URL | The LDAP URL of the Active Directory server, including scheme and port, for example `ldaps://ad.mycompany.com:636`. Use `ldaps://` (or `ldap://` together with Enable StartTLS) so that the bind credential and the user attributes do not cross the network in cleartext, and make sure the AD server’s certificate chain is trusted by Keycloak. Use `Test connection` and `Test authentication` before saving. |
| Users DN | The subtree where the users reside, as comma-separated relative distinguished names (RDNs), for example `OU=Users,DC=mycompany,DC=com`. |
| Custom user search filter | An LDAP filter that narrows down which users under the Users DN node are federated. It must be enclosed in parentheses. Restricting federation to one AD group, for example `(memberOf=CN=MostlyAI Users,OU=Groups,DC=mycompany,DC=com)`, keeps accounts that have no business with MOSTLY AI out of its user directory. |
| Bind type | The authentication mechanism for connecting to the Active Directory server: `simple` (Bind DN and password) or `none` (anonymous). Use `simple`; Active Directory does not allow anonymous directory searches by default. |
| Bind DN | The DN of the account that authenticates MOSTLY AI on the Active Directory server. Use a dedicated service account that can only read user attributes under the Users DN. |
| Bind credential | The password for the Bind DN. Rotate it like any other service-account password. |
-
Click `Save` to finish up.
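The same provider can be created through the Admin REST API instead of the form, which is convenient for checking the settings before they are saved. The script below is an added example and not part of the MOSTLY AI documentation: it builds the LDAP provider component that `POST /admin/realms/{realm}/components` accepts, using the field values described above, and runs a pre-flight check that flags a plaintext `ldap://` URL, an anonymous bind, a missing or unparenthesised search filter, a non-`objectGUID` UUID attribute and a writable edit mode. The config key names follow Keycloak’s LDAP provider component representation (compare them with an export of an existing provider on your version); the host names, DNs, service account and group are placeholders.

```python
"""Keycloak LDAP user-federation settings for Active Directory, built as the JSON
component that POST /admin/realms/{realm}/components accepts, with a pre-flight check.
Added example, not part of MOSTLY AI's documentation; hosts, DNs and the service
account are placeholders (assumptions)."""
import json

PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider"
SEARCH_SCOPE = {"One Level": "1", "Subtree": "2"}  # Keycloak's numeric encoding of the Search Scope field
# Standard AD filter: excludes objects whose userAccountControl has the ACCOUNTDISABLE bit (2) set.
DISABLED_ACCOUNT_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"


def ad_federation(name, connection_url, users_dn, bind_dn="", bind_credential="",
                  username_attr="sAMAccountName", search_scope="Subtree",
                  allowed_group_dn=None, exclude_disabled=True, edit_mode="READ_ONLY"):
    """Build the provider representation; each config value is a one-element list, as Keycloak stores them."""
    clauses = [DISABLED_ACCOUNT_FILTER] if exclude_disabled else []
    if allowed_group_dn:  # federate only the members of one AD group
        clauses.append(f"(memberOf={allowed_group_dn})")
    custom_filter = clauses[0] if len(clauses) == 1 else ("(&" + "".join(clauses) + ")" if clauses else "")
    config = {
        "enabled": ["true"],
        "vendor": ["ad"],
        "editMode": [edit_mode],
        "connectionUrl": [connection_url],
        "usersDn": [users_dn],
        "authType": ["simple" if bind_dn else "none"],
        "bindDn": [bind_dn],
        "bindCredential": [bind_credential],
        "usernameLDAPAttribute": [username_attr],
        "rdnLDAPAttribute": [username_attr],  # usually the same as the username attribute
        "uuidLDAPAttribute": ["objectGUID"],  # stable across renames and OU moves in AD
        "userObjectClasses": ["person, organizationalPerson, user"],
        "searchScope": [SEARCH_SCOPE[search_scope]],
        "customUserSearchFilter": [custom_filter],
    }
    return {"name": name, "providerId": "ldap", "providerType": PROVIDER_TYPE, "config": config}


def preflight(component):
    """Return findings for settings that weaken the integration; an empty list passes."""
    cfg = component["config"]
    value = lambda key: cfg.get(key, [""])[0]
    findings = []
    if not value("connectionUrl").lower().startswith("ldaps://"):
        findings.append("connectionUrl is not ldaps://: the bind password and user attributes cross the network in cleartext")
    if value("authType") == "none":
        findings.append("authType none: anonymous bind, which AD refuses for searches by default and which hides who reads the directory")
    elif not value("bindCredential"):
        findings.append("simple bind without a bind credential")
    if value("uuidLDAPAttribute") != "objectGUID":
        findings.append("uuidLDAPAttribute should be objectGUID for AD; otherwise a renamed user becomes a new account")
    flt = value("customUserSearchFilter")
    if not flt:
        findings.append("no custom user search filter: every object under usersDn, disabled accounts included, is imported")
    elif not (flt.startswith("(") and flt.endswith(")")):
        findings.append("customUserSearchFilter must be enclosed in parentheses")
    if value("editMode") == "WRITABLE":
        findings.append("editMode WRITABLE: changes made in Keycloak are written back to AD; READ_ONLY is the safer default")
    return findings


def to_json(component):
    """Request body for POST {keycloak}/admin/realms/{realm}/components (send with an admin bearer token)."""
    return json.dumps(component, indent=2)


# Constructed configurations for comparison: a typical first attempt, then the hardened version.
WEAK = ad_federation("ad-weak", "ldap://ad.mycompany.example:389", "DC=mycompany,DC=example",
                     exclude_disabled=False)
HARDENED = ad_federation("ad", "ldaps://ad.mycompany.example:636", "OU=Users,DC=mycompany,DC=example",
                         bind_dn="CN=svc-keycloak,OU=Service Accounts,DC=mycompany,DC=example",
                         bind_credential="placeholder-read-from-a-secret-store",
                         allowed_group_dn="CN=MostlyAI Users,OU=Groups,DC=mycompany,DC=example")

if __name__ == "__main__":
    for label, comp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, preflight(comp) or "OK")
    print(to_json(HARDENED))
```

The weak configuration is the one that "just works" in a lab: plaintext LDAP, anonymous bind and no filter, so every object in the domain is imported. The hardened one binds over LDAPS with a dedicated read-only service account, federates only members of one AD group and skips disabled accounts, and stays `READ_ONLY` so nothing done in Keycloak is written back to the directory.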