Keycloak
Here follows some MedCo-specific instructions for the administration of Keycloak. For anything else, please refer to the Keycloak Server Administration Guide. Those instructions do not necessarily need to be all followed for all deployments, refer to the deployment guide to know which ones are important.
For a production deployment, it is crucial to change the default keys and credentials.
Accessing the web administration interface
You can access the Keycloak administration interface at http(s)://<node domain name>/auth/admin
. For example if MedCo is deployed on your local host, you can access it at http://localhost/auth/admin
. Use the admin default credentials if you had just deployed MedCo.
User Management
Default users
The default configuration shipped with the MedCo deployments come with several users.
Admin user
The default admin credentials has all the admin access to Keycloak, but no access rights to MedCo. Its credentials are :
User
keycloak
Password
keycloak
(unless configured otherwise through the.env
file)
Test users
They all have the password test
and have different authorizations that are obvious from their names.
User
test
: this user has all the authorizations to run all types of MedCo explore queries. it will default to the highest authorization beingpatient_list
.User
test_explore_count_global
User
test_explore_count_global_obfuscated
User
test_explore_count_per_site
User
test_explore_count_per_site_obfuscated
User
test_explore_count_per_site_shuffled
User
test_explore_count_per_site_shuffled_obfuscated
User
test_explore_patient_list
Add a user
Go to the configuration panel Users, click on Add user.
Fill the Username field, toggle to
ON
the Email Verified button and click Save.In the next window, click on Credentials, enter twice the user’s password, toggle to
OFF
the Temporary button if desired and click Reset Password.
Give query permissions to a user
Go to the configuration panel Users, search for the user you want to give authorization to and click on Edit.
Go to the Role Mappings tab, and select medco (or another client ID set up for the MedCo OIDC client) in the Client Roles.
Add the roles you wish to give the user, each of the roles maps to a query type.
MedCo Default Settings
medco OpenID Connect client
The default Keycloak configuration provides an example of a fully working configuration for deployments on your local host. In other cases, you will need to modify this configuration.
Access the configuration panel of the MedCo client by going to the Clients tab, and click on the medco client. Then, in the Settings tab, fill Valid Redirect URIs to reflect the following table (you can delete the existing entries):
Deployment Profile | Valid Redirect URIs |
test-local-3nodes |
|
test-network + prod-network |
|
dev-local-3nodes |
|
In the same tab, fill Web Origins with +
and save.
Securing a production deployment
Changing default passwords
Both keycloak
and test
users comes with default passwords. For a production deployment they need to be changed:
Go to the configuration panel Users, click on View all users.
For each of the users you want to change the password of:
Click on Edit, then go the Credentials tab.
Enter the new password of the user
Optionally toggle to
OFF
the Temporary button; ifON
the user at the next login will need to update his password.Click on Reset Password.
Changing default realm keys
The example configuration comes with default keys. They have to be changed for a network deployment where there are several Keycloak instances.
Go to the configuration panel Realm Settings, then to the Keys tab and Providers subtab.
Click on Add keystore... and add the three following providers:
aes-generated
Console Display Name:
aes-medco
Priority:
100
hmac-generated
Console Display Name:
hmac-medco
Priority:
100
rsa-generated
Console Display Name:
rsa-medco
Priority:
100
Finally, delete all the other key providers listed that you did not just add. They should be named xxx-generated. Note that it is normal if you get logged out during the operation, just log back in and continue the process.
Enabling brute force detection
Go to the configuration panel Realm Settings, then to the Security Defenses tab and Brute Force Detection subtab.
Toggle to
ON
the Enabled button.Fill the following:
Max Login Failures:
3
Wait Increment:
30 Seconds
Save the configuration.
Last updated