Configuration

• Keycloak Configuration

Administration with PgAdmin

PgAdmin can be accessed through http://<node domain name>/pgadmin with username admin and password admin (by default). To access the test database just create a server with the name MedCo, the address postgresql, username

HTTPS is supported for the profiles test-local-3nodes and test-network.

Certificate

The certificates are held in the configuration profile folder (e.g, ~/medco-deployment/configuration-profiles/test-local-3nodes):

• certificate.key: private key

• certificate.crt: certificate of own node

• srv0-certificate.crt, srv1-certificate.crt, …: certificates of all nodes of the network

Enable HTTPS for the Test Local Deployment

To enable HTTPS for the profile test-local-3nodes, replace the files certificate.key and certificate.crt from the configuration profile folder with your own versions. Such a certificate can be obtained for example through .

Then edit the file .env from the compose profile, replace the http with https, and restart the deployment.

Configure HTTPS for the Test Network Deployment

For this profile, HTTPS is mandatory. The profile generation scripts generates and use default self-signed certificates for each node. Those are perfectly fine to be used, but because they are self-signed, an HTTPS warning will be displayed to users in their browser when accessing Glowing Bear. There are two ways of avoiding this warning:

• Configuring the browsers of your users to trust this certificate. This procedure is specific to the browsers and operating systems used at your site.

• Use a certificate obtained by an authority trusted by the browser you are using: see below.

If you wish to use a certificate from your own making, gather its key and the certificate itself. Note that using your own certificate is only needed on the central node (as it is the one hosting the web application Glowing Bear). In the configuration profile of the central node (~/medco-deployment/configuration-profiles/test-network-<network name>-node<node index>/) copy the certificate and its key in the respective files certificate.crt and certificate.key. Then duplicate the file certificate.crt in srv0-certificate.crt. Restart the deployment and the central node configuration is ready.

Now the other nodes need to get this certificate to trust it. Get and copy the srv0-certificate.crt file into each of the configuration profile directory of the other nodes, and restart all the deployments. The configuration of HTTPS is now ready.

Prerequisites

• A MedCo network is up and running, with one or more functional Keycloak within the network.

• One or several identity provider(s) part of the SwitchAAI federation is/are chosen to be used as user source.

• The institution at which the Keycloak of MedCo is deployed is ready to accept being registered as the home organization.

• You have access to the .

Note that right now the SwitchAAI WAYF (Where Are You From) mechanism is not supported (i.e. the web UI used to select with institution the user wishes to login). This means that you will need to register in Keycloak each identity provider you wish to support.

Note also that the process described in this guide will need to be repeated for each instance of Keycloak deployed, if there are more than one in the MedCo network.

Configure the identity provider(s) in Keycloak

The following instructions are to be executed on the administration UI of Keycloak, e.g. https://medco-demo.epfl.ch/auth/admin.

Configure the first login flow

The behavior of Keycloak during the very login of users through the identity provider is highly customisable. We propose below an example of a working flow but this can be changed to fit your need.

• Navigate to Authentication > Flows, select First Broker Login and make a Copy of it. Name it for example SwitchAAI-Test Demo IdP First Broker Login.

• Change the list of executions to make it look like the following image.

Add the identity provider

• In the Identity Providers menu, choose Add provider... > SAML v2.0

• Specify an Alias. Note this will not be changeable later without redoing the whole process. Example: SwitchAAI-Test.

Add the username mapper

We need to import a unique but intelligible username in Keycloak from the identity provider. For this we use the SwitchAAI mandatory attribute swissEduPersonUniqueID.

• Open the Mappers tab and click Create.

• Fill the field as:

  • Name: SwitchAAI Unique ID.

Setup a certificate

A certificate compliant with the SwitchAAI federation needs to be generated and configured. First to generate a self-signed certificate that meets their requirements. You will need from the Keycloak instance:

• Its FQDN (fully-qualified domain name). Example: medco-demo.epfl.ch.

• Its SAML entityID, that you can find out in the XML descriptor from the Export tab of the previously configured Keycloak identity provider. Example: https://medco-demo.epfl.ch/auth/realms/master.

Once you have generated the certificate, set it up in Keycloak:

• Navigate to the settings page Realm Settings > Keys > Providers and select Add Keystore... > rsa.

• Specify a name in Console Display Name. Example: rsa-switchaaitest.

Register Keycloak instance as a Service Provider in SwitchAAI

The following instructions are to be executed in the . As a result, a Keycloak instance will be registered as a service provider linked to a home organization in the SwitchAAI federation.

Register new resource

Click Add a Resource Description and fill the 7 categories of information according to the following instructions. Note that if some fields are not listed in this documentation, their value are not important for the registration of the Keycloak instance and can be set according to the explanations provided by the resource registry.

1. Basic Resource Information

• Entity ID: the same SAML entityID you used to generate the certificate. Example: https://medco-demo.epfl.ch/auth/realms/master.

• Home Organization: the organization that hosts the Keycloak instance currently being registered. The responsible persons of the organization specified here will need to approve the registration. This will typically be the the institution where the MedCo node is deployed. For the purpose of our test we are using AAI Demo Home Organization (aai-demo-idp.switch.ch, AAI Test).

2. Descriptive Information

3. Contacts

4. Service Locations

• SAML2 HTTP POST binding (x2): the URL at witch the SwitchAAI infrastructure will communicate with the Keycloak instance. You will find it in the configuration page of the configured identity provider in Keycloak under Redirect URI. Example: https://medco-demo.epfl.ch/auth/realms/master/broker/SwitchAAI-Test/endpoint

5. Certificates

Copy/paste in this field the PEM part of the certificate that was previously generated. Note that in the example showed below the certificate has already been validated through a separate channel.

6. Requested Attributes

Put on Required at least the following attributes. Note that the release of attributes needs to have a justification.

• E-mail (email). Example reason: Identify user for being able to assign them specific authorizations.

• Unique ID (swissEduPersonUniqueID). Example reason: Get a unique ID of user.

7. Intended Audience and Interfederation

Get the new resource approved

Once submitted, the responsible persons from the home organization will need to approve the new resource and validate the fingerprint of the certificate submitted. This is a manual process that will most likely be done through email.

Once this is done, the setup should be functional, and the users will be able to select the configured identity provider to login. Don't forget that this covers only users' authentication, their authorization needs to be handled manually through Keycloak after they login at least once.

Here follows some MedCo-specific instructions for the administration of Keycloak. For anything else, please refer to the Keycloak Server Administration Guide.

Accessing the web administration interface

In the case of the development profile dev-local-3nodes (i.e. without reverse proxy), the address is http://localhost:8081/auth/admin. In the other cases (with the reverse proxy), the address is http://<node domain name>/auth/admin. The credentials are :

• User keycloak

• Password keycloak by default, or whatever else was configured at the initial deployment.

Disabling HTTPS requirement for external connections

When deploying the test-local-3nodes profile without HTTPS on a machine other than localhost, the administration interface will refuse to load. To solve this, access pgAdmin (see ) and execute the following SQL on the keycloak database:

You need to restart the Keycloak docker container to enable the changes.

Import MedCo Default Settings

Import the provided realm configuration into Keycloak. This will create the MedCo client with the appropriate roles.

• Go to the Import menu

• Click on Select file and select the file keycloak-medco-realm.json that you will find in ~/medco-deployment/resources/configuration.

Configure the MedCo OpenID Connect client

In the Settings tab, fill Valid Redirect URIs according to the following table:

In the same tab, fill Web Origins with + and save.

User Management

Add a user

• Go to the configuration panel Users, click on Add user.

• Fill the Username field, toggle to ON the Email Verified button and click Save.

Give query permissions to a user

• Go to the configuration panel Users, search for the user you want to give authorization to and click on Edit.

• Go to the Role Mappings tab, and select medco (or another client ID set up for the MedCo OIDC client) in the Client Roles.

• Add the roles you wish to give the user, each of the roles maps to a query type.