...

  • The JS7 - Identity Services offer integration with the Keycloak® Authentication Server.
  • The Keycloak Identity Service integration is available from JOC Cockpit:
    • This requires Keycloak to be installed and operated. Keycloak is not a built-in Identity Service and does not ship with JS7.
    • JS7 implements a REST client for use with Keycloak® 16.0 and newer.

...

  • If the KEYCLOAK Identity Service Type is used then:
    • user accounts are managed by Keycloak,
    • roles have to be set up in Keycloak with names that exactly match the names of roles in the JOC Cockpit.
      • a user account is assigned the JOC Cockpit roles whose names match its Keycloak role names when it logs in to the JOC Cockpit.
      • it is not required to add specific permissions to roles in Keycloak.
  • If the KEYCLOAK-JOC Identity Service Type is used then:
    • user accounts are managed by Keycloak.
    • user accounts are added to the JOC Cockpit to allow assignment of roles:
      • user accounts in Keycloak and in the JOC Cockpit have to match as otherwise the user account is not assigned a role.
      • passwords are managed by Keycloak exclusively.

...

  • It is not required to use Keycloak to connect to an LDAP Directory Service as there is the built-in JS7 - LDAP Identity Service for this purpose.
  • The authentication method has to be added to Keycloak.
    • Authentication with an LDAP authentication service is possible using the user federation provider LDAP in Keycloak. The path of the Authentication Method has to be added to the Identity Service configuration in Keycloak.
  • The KEYCLOAK Identity Service Type has to be used, meaning that:
    • user accounts are managed with Keycloak.
    • user accounts are added to the JOC Cockpit to allow assignment of roles:
      • user accounts in Keycloak and in JOC Cockpit have to match as otherwise the user account is not assigned a role.
      • passwords are managed by Keycloak exclusively.

...

  • Keycloak access tokens are created with the following restrictions:
    • Time to Live (TTL):
      • The access token will expire after the given period (Session Idle).
      • The Identity Service renews the access token 20s before expiration; this step is repeated until Session Max is reached. This requires that the access token's TTL exceeds 60s and that Keycloak permits renewal of an access token by its owner.
    • Maximum Time to Live:
      • The access token's overall lifetime is limited (Session Max), renewals cannot take place after the specified period.
  • If an access token cannot be renewed by the Identity Service then the user session is terminated and the user is forced to log in again with credentials.
    • This happens in the event that the maximum TTL is exceeded or that the token is revoked.
    • Keycloak administrators should check for reasonable values of the TTL (Session Idle), not less than 300s, and of the maximum TTL (Session Max), at least 15 minutes, as otherwise users will be forced to log in again frequently.
  • The JOC Cockpit handles the idle timeout of user sessions independently from Keycloak, see JS7 - Identity Services.
    • If the idle timeout is exceeded then the user session is terminated.
    • The Identity Service will revoke the access token with the Keycloak Server on termination of the user session.
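The renewal schedule described above (renew 20s before expiry, only if the TTL exceeds 60s, never past Session Max, session ends on revocation) as an added Python model; this is illustrative code, not part of JS7, and the function and field names are assumed:

```python
# Added model of the Keycloak access-token lifecycle described above (not JS7 code).
from dataclasses import dataclass
from typing import List, Optional

RENEW_LEAD_SECONDS = 20   # the Identity Service renews this long before expiry
MIN_RENEWABLE_TTL = 60    # renewal requires the TTL to exceed this value


@dataclass
class SessionPlan:
    renewals: List[int]   # seconds after login at which a renewal happens
    ends_at: int          # seconds after login at which the user must log in again
    reason: str           # "session_max", "ttl_too_short", "renewal_not_permitted", "revoked"


def plan_session(session_idle: int, session_max: int,
                 owner_may_renew: bool = True,
                 revoked_at: Optional[int] = None) -> SessionPlan:
    """Walk the token lifecycle from login at t=0.

    session_idle: TTL of one access token (Session Idle), session_max: overall
    lifetime (Session Max), owner_may_renew: Keycloak permission for renewal by
    the owner, revoked_at: constructed time at which the token is revoked.
    """
    renewals: List[int] = []
    expires_at = min(session_idle, session_max)
    if session_idle <= MIN_RENEWABLE_TTL:
        plan = SessionPlan(renewals, expires_at, "ttl_too_short")
    elif not owner_may_renew:
        plan = SessionPlan(renewals, expires_at, "renewal_not_permitted")
    else:
        # Renew 20s before each expiry until the lifetime reaches Session Max.
        while expires_at < session_max:
            renew_at = expires_at - RENEW_LEAD_SECONDS
            renewals.append(renew_at)
            expires_at = min(renew_at + session_idle, session_max)
        plan = SessionPlan(renewals, session_max, "session_max")
    # A revoked token cannot be renewed: the session ends at the revocation time.
    if revoked_at is not None and revoked_at < plan.ends_at:
        plan = SessionPlan([t for t in plan.renewals if t < revoked_at], revoked_at, "revoked")
    return plan


def check_keycloak_settings(session_idle: int, session_max: int) -> List[str]:
    """Warn about TTL values that force frequent re-logins, per the guidance above."""
    warnings: List[str] = []
    if session_idle <= MIN_RENEWABLE_TTL:
        warnings.append("Session Idle must exceed 60s, otherwise tokens are never renewed")
    elif session_idle < 300:
        warnings.append("Session Idle below 300s: users are forced to log in frequently")
    if session_max < 15 * 60:
        warnings.append("Session Max below 15 minutes: sessions end early regardless of activity")
    return warnings
```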

...