Keycloak is an authentication and authorization server under an open-source license. Thulium enables integration with this solution to control access to the Thulium system.
Scope of integration
- Users can log into the Thulium system using the OpenID Connect mechanism provided by Keycloak,
- The system uses OpenID through a public application registered by Thulium,
- Identification of Users in the Thulium system is based on the "User name" field in Keycloak. This field is the login of a given User, so it cannot be empty. The value of this field must be unique for each User.
Step by step
- Integration configuration
a) Keycloak authentication integration should be enabled in the section Administration → Advanced → Integrations, in the Authentication group:
When clicked, a screen with parameters to be completed will appear:
- Client ID - enter the ID of the Keycloak client from which OpenID Connect login is allowed,
- Client secret - the secret of that client,
- Keycloak version - selection of the Keycloak version you have (important because of the API differences between versions 16 and 17).
In order to obtain the required endpoint parameters such as authorizationEndpoint, tokenEndpoint, userinfoEndpoint, and jwksUri, the System Administrator should either enter them manually or provide the so-called Discovery Endpoint, which contains the configuration of all necessary fields. In the case of the latter, click .
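The following added example (not Thulium's or Keycloak's own code) shows what the Discovery Endpoint lookup does behind the button: it builds the realm's discovery URL and maps the OpenID Connect discovery document onto the four fields named above. The known difference between versions 16 and 17 is that the `/auth` path prefix was dropped in 17; tying that to the version selector is this example's assumption. The discovery document below is a constructed sample, and the host `sso.example.com` and realm `demo` are placeholders. The parser also checks that each endpoint is HTTPS and lives on the issuer's host, a check worth making before saving manually entered values.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Thulium field name -> key in the OpenID Connect discovery document
FIELD_MAP = {
    "authorizationEndpoint": "authorization_endpoint",
    "tokenEndpoint": "token_endpoint",
    "userinfoEndpoint": "userinfo_endpoint",
    "jwksUri": "jwks_uri",
}

# Constructed sample discovery document (placeholder host and realm).
ISSUER = "https://sso.example.com/realms/demo"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
})

# Constructed sample where the JWKS URI points at a foreign host; a configuration
# like this would make the login verify tokens against someone else's keys.
TAMPERED_DISCOVERY = json.dumps({
    **json.loads(SAMPLE_DISCOVERY),
    "jwks_uri": "https://other.example.net/certs",
})


def discovery_url(base_url: str, realm: str, version: int) -> str:
    """Discovery URL for a realm; Keycloak <= 16 served realms under /auth."""
    base = base_url.rstrip("/")
    prefix = "/auth" if version <= 16 else ""
    return f"{base}{prefix}/realms/{realm}/.well-known/openid-configuration"


def fetch_discovery(url: str, timeout: float = 5.0) -> str:
    """Download the discovery document (network access; not used by the test)."""
    if urlparse(url).scheme != "https":
        raise ValueError("discovery URL must use https")
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # nosec: scheme checked above
        return resp.read().decode("utf-8")


def extract_endpoints(discovery_json: str, expected_issuer: str) -> dict:
    """Map the discovery document onto Thulium's four endpoint fields, with sanity checks."""
    doc = json.loads(discovery_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    issuer_host = urlparse(expected_issuer).netloc
    endpoints = {}
    for thulium_name, oidc_name in FIELD_MAP.items():
        url = doc.get(oidc_name)
        if not url:
            raise ValueError(f"discovery document lacks {oidc_name}")
        parsed = urlparse(url)
        # Every endpoint must be HTTPS and on the issuer's host; anything else is
        # either a misconfiguration or a document that should not be trusted.
        if parsed.scheme != "https" or parsed.netloc != issuer_host:
            raise ValueError(f"{oidc_name} is not an https URL on {issuer_host}: {url}")
        endpoints[thulium_name] = url
    return endpoints


if __name__ == "__main__":
    print(discovery_url("https://sso.example.com", "demo", 17))
    for name, url in extract_endpoints(SAMPLE_DISCOVERY, ISSUER).items():
        print(f"{name}: {url}")
```

With a live server, `fetch_discovery(discovery_url(base, realm, version))` replaces the constructed sample; the four returned values are what go into the integration form.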
- Automatic user creation - checking this box will allow the system to automatically create accounts for new Users who have properly authenticated with OpenID Connect, even if their accounts have not yet been created in the system.
It is recommended to enable this feature only after setting the appropriate logins (the email address used in Keycloak) for current Users in Thulium, so that an existing User who logs in under a different login is not created a second time.
If you want to synchronize Users from a particular group, the System Administrator should enter the UUID of the group.
- Group identifier - allows importing Users belonging to a Keycloak group before their first login to the system.
b) After entering and confirming the configuration, a button will appear on the login screen and the integration itself will be marked as enabled:
- User Synchronization
Synchronization allows you to import System Users prior to their first login to the system, provided that you have completed the Group identifier field in the integration configuration.
a) Once the group identifier is set, a button for starting the synchronization appears in the Administration → Users module:
b) When the button is clicked, a full synchronization of Users is carried out: Users who did not previously exist in the system are added to the Thulium system, while the data of Users who already existed is updated. Accounts that are not among the downloaded Users will be deactivated. The summary page will show a report of the import.
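The reconciliation performed by a full synchronization, and the login-mismatch risk noted above under automatic user creation, can be checked before the button is pressed. The example below is added here and is not Thulium's code: it takes a constructed list of Keycloak group members and a constructed list of existing Thulium accounts, and returns the create/update/deactivate plan that a full synchronization implies, plus a warning for every Keycloak user whose email matches an existing Thulium account under a different login (that account would be duplicated and the old one deactivated). The names, emails and the default role are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class KeycloakUser:
    """Member of the synchronized Keycloak group (constructed sample data)."""
    username: str   # Keycloak "User name": the Thulium login, must be unique and non-empty
    email: str
    full_name: str


@dataclass
class ThuliumUser:
    """Existing Thulium account (constructed sample data)."""
    login: str
    email: str
    full_name: str
    role: str
    active: bool = True


def plan_sync(keycloak_users: List[KeycloakUser], thulium_users: List[ThuliumUser]) -> Dict[str, list]:
    """Dry run of a full synchronization: who gets created, updated, deactivated, and which
    creations would duplicate an existing account that merely uses a different login."""
    by_login = {u.login: u for u in thulium_users}
    by_email = {u.email.lower(): u for u in thulium_users if u.email}
    seen = set()
    plan: Dict[str, list] = {"create": [], "update": [], "deactivate": [], "login_mismatch": []}

    for kc in keycloak_users:
        # The page's constraints on the Keycloak "User name" field: non-empty and unique.
        if not kc.username:
            raise ValueError(f"empty user name for {kc.email}")
        if kc.username in seen:
            raise ValueError(f"duplicate user name {kc.username}")
        seen.add(kc.username)

        if kc.username in by_login:
            plan["update"].append(kc.username)
            continue
        plan["create"].append(kc.username)
        match = by_email.get(kc.email.lower())
        if match is not None:
            # Same person, different login: sync would create a second account and
            # deactivate the old one. Fix the login in Thulium first.
            plan["login_mismatch"].append((kc.username, match.login))

    for u in thulium_users:
        if u.active and u.login not in seen:
            plan["deactivate"].append(u.login)
    return plan


def apply_sync(keycloak_users: List[KeycloakUser], thulium_users: List[ThuliumUser],
               default_role: str) -> List[ThuliumUser]:
    """Apply the plan: new accounts get the configured default role, existing ones keep theirs."""
    plan = plan_sync(keycloak_users, thulium_users)
    by_login = {u.login: u for u in thulium_users}
    result: List[ThuliumUser] = []
    for kc in keycloak_users:
        existing: Optional[ThuliumUser] = by_login.get(kc.username)
        if existing is None:
            result.append(ThuliumUser(kc.username, kc.email, kc.full_name, default_role))
        else:
            existing.email, existing.full_name, existing.active = kc.email, kc.full_name, True
            result.append(existing)
    for u in thulium_users:
        if u.login not in {r.login for r in result}:
            u.active = u.active and u.login not in plan["deactivate"]
            result.append(u)
    return result


# Constructed sample input (placeholder names and addresses).
KC_GROUP = [
    KeycloakUser("jkowalski", "jan.kowalski@example.com", "Jan Kowalski"),
    KeycloakUser("anowak", "anna.nowak@example.com", "Anna Nowak"),
    KeycloakUser("pzielinski", "piotr.zielinski@example.com", "Piotr Zielinski"),
]
THULIUM_USERS = [
    ThuliumUser("jkowalski", "jan.kowalski@example.com", "Jan Kowalski", "Agent"),
    ThuliumUser("anna.nowak", "anna.nowak@example.com", "Anna Nowak", "Supervisor"),
    ThuliumUser("local.admin", "admin@example.com", "Local Admin", "Admin"),
    ThuliumUser("former", "", "Former Employee", "Agent", active=False),
]

if __name__ == "__main__":
    for key, items in plan_sync(KC_GROUP, THULIUM_USERS).items():
        print(f"{key}: {items}")
```

In the sample, `anna.nowak` and `anowak` are the same person: the plan reports the pair under `login_mismatch`, and the local `Admin` account, which has no Keycloak counterpart, lands in `deactivate`, which is why the page advises confirming an Admin can still log in before relying on the external source.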
- Additional parameters
a) Disable local login form
Disabling the local login form hides the Login and Password fields on the Thulium login page. This setting is changed in the Administration → System parameters module, under the key Whether to display the login form:
Before disabling the login form, make sure that a User with the Admin role can still log into the system without problems.
b) Setting the default role
This setting causes every User synchronized from an external source to be assigned the chosen Role. It is changed in Administration → System parameters, under the key Role to be assigned to the user after synchronization: