Configure to use Keycloak for authentication and authorization

Introduction to Keycloak

Keycloak provides open source authentication and authorization access control management for modern applications and services. It implements OpenID, OAuth2.0, and SAML single sign-on protocols. And also provides LDAP and Active Directory and third-party login adaptation functions such as OpenID Connect, SAML2.0 IdPs, Github, and Google. It can be used out of the box.

Why use Keycloak?

After SupSuperMap iServer, SuperMap iPortal, SuperMap iExpress, and SuperMap iManage are connected to Keycloak respectively, the following capabilities can be achieved:

• Unified account management for SuperMap iServer/iPortal/iEdge using Keycloak, including user management and role management;
• SuperMap iServer/iPortal/iEdge can use Keycloak's unified account to log in and implement single sign-on between them;
• Based on the OAuth2.0 protocol, authorized third-party applications (such as SuperMap iDesktop) can log in to SuperMap iServer/iPortal/iEdge to access resources without providing the account and password of SuperMap iServer/iPortal/iEdge to third-party applications;
• Support direct docking user's existing account system, including: LDAP, Kerberos;
• Support the existing single sign-on system of the user by extending the development of Keycloak.

Configure to use Keycloak

For installation and configuration of Keycloak, see: Keycloak installation and configuration. The following is a detailed description of how to configure in SuperMap iServer/iPortal/iEdge, taking SuperMap iPortal as an example:

Log in to the iPortal as the iPortal administrator, click Management -> Security -> Keycloak Configuration:

• Enable: Check to enable Keycloak.
• Keycloak base uri: Enter the Keycloak address, for example: http://192.168.120.40:8180/auth。
• Keycloak realm: Enter the domain name used in Keycloak. The default domain name is Master. If you add a new domain to Keycloak, fill in the new domain name, for example: ispeco.
• Client ID: Enter the client ID that was added when the client was created in Keycloak, for example: ispeco-oidc.
• Client secret: Enter the client key generated when the client is created in Keycloak, for example: 334322d9-45d2-45e9-8e49-156f188ef0f4.
• Click the "Save" button to complete the above configuration.

Next, you need to perform "Attribute role associated information configuration", that is, the relationship between the role in iPortal and the role in Keycloak. SuperMap iPortal already has some built-in role mappings, you can also add new role mappings by clicking the "Add role mapping" button:

• Attribute: Fill in the name of the role added in Keycloak, plus the prefix name configured. For example, the prefix name configured in Keycloak is: KC_, and the added role name is: PORTAL_USER, then you should fill in : KC_PORTAL_USER.
• Alternative roles: The left area lists all the roles in the current iPortal, you can add the roles in the left area to the right area to associate with the role you typed in "Attribute" blank.
  
• Click the "OK" button to complete the role mapping.

After the above configuration is completed, log out of iPortal. Click the “Login” button on the iPortal home page, it will forward to the Keycloak login page, then you can log in with the Keycloak account.