2.12.1 Procedure for building a system configuration using IDaaS linkage (with Keycloak)
This section describes the procedure for building a system configuration that uses IDaaS linkage, with Keycloak as the identity provider (IdP).
After completing the following Keycloak configuration, change the authentication method so that users are authenticated by the IdP. For details about that procedure, see 2.12.4 Procedure for changing authentication method.
Registering the Root Certificate
You must register the root CA certificate of the Keycloak server in the Java keystore on the computer where JP1/IT Desktop Management 2 - Manager is installed.
To register this root CA certificate in the Java keystore, download the root CA certificate file and run the following command at the command prompt:
JP1/IT Desktop Management 2 - Manager-installation-folder\mgr\uCPSB\jdk\jre\bin\keytool.exe -import -file certificate-file-name -alias alias-name-(any-name-to-identify) -keystore JP1/IT Desktop Management 2 - Manager-installation-folder\mgr\uCPSB\jdk\jre\lib\security\cacerts
When you run the command, you are prompted for the keystore password before the certificate is imported. Type the password. The default password is changeit.
After registering the certificate in the Java keystore, restart the JP1/IT Desktop Management 2 service.
Adding and Configuring Realms
Change the configuration of the Keycloak realm. The setting items and their values are listed in the following table.
| Function | Setting items | | Setting values | Default |
|---|---|---|---|---|
| General | Realm name | -- | Any realm name | None |
| Session | SSO Session Settings | SSO session idle | Continuous time to operate the management screen#1 | 30 minutes |
| | | SSO session maximum | Any#2 | 10 hours |
Legend: --: Not applicable
#1: The session timeout of the operation window is 65 minutes after the last operation. If the time set for SSO session idle elapses after login, the IdP session expires, so if you set a short time you may be asked to re-authenticate with the IdP during seamless login.
#2: Specify a duration longer than the SSO session idle time.
Adding and Configuring Clients
Add a client for JP1/IT Desktop Management 2 to the Keycloak realm. The setting items and their values are listed in the following table.
| Setting items | | | Setting values | Default |
|---|---|---|---|---|
| Setting | General settings | Client Type | OpenID Connect#1 | OpenID Connect |
| | | Client ID | Any ID#2 | None |
| | Access settings#3 | Valid redirect URI#4 | http://host-name-of-management-server:port-number#5/jp1itdm/idaas.jsp | /* |
| | Capability config | Client authentication | ON | OFF |
| | | Authorization | ON | OFF |
| | | Authentication flow | | |
| Credentials | | Client authentication | Client Id and Secret | Client Id and Secret |
| | | Client secret | Automatically generated value#6 | Client secret value |
#1: You can configure this item only when adding the client.
#2: Specify this value as the client ID in param.auth_code.client_id and param.ropc.client_id in the IDaaS linkage configuration file (jdn_idaas_auth.conf).
#3: When adding a client, these settings appear in the Login settings step.
#4: To register multiple URIs for JP1/IT Desktop Management 2 - Manager, add the additional URIs in the client settings.
#5: The default port number is 31080. Use the port number set in Port number for accepting connections from the administrator's computer on the setup screen of JP1/IT Desktop Management 2 - Manager.
#6: Specify this value, in obfuscated form, as the client secret in param.auth_code.client_secret and param.ropc.client_secret in the IDaaS linkage configuration file (jdn_idaas_auth.conf).
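As an added example (not from the manual and not the product's own code), the following Python checker reads a Keycloak realm export and compares the realm and client settings against the two tables above. The export field names are Keycloak's own; the realm name, hostname, client ID and secret in the embedded sample are constructed placeholders, and the check that no wildcard redirect URI remains is an assumption drawn from replacing the default /* with the exact URI.

```python
import json

# Constructed sample (not from the manual): a cut-down Keycloak realm export with placeholder names.
SAMPLE_EXPORT = json.loads("""{
  "realm": "jp1itdm", "ssoSessionIdleTimeout": 1800, "ssoSessionMaxLifespan": 36000,
  "clients": [{"clientId": "jp1itdm-manager", "protocol": "openid-connect",
    "publicClient": false, "authorizationServicesEnabled": true,
    "clientAuthenticatorType": "client-secret", "secret": "PLACEHOLDER-SECRET",
    "redirectUris": ["http://itdm-mgr.example.test:31080/jp1itdm/idaas.jsp", "/*"]}]
}""")
SCREEN_TIMEOUT_SEC = 65 * 60  # operation window timeout stated in note #1

def check_realm(realm):
    """Findings for the realm's SSO session settings (Keycloak stores them in seconds)."""
    findings = []
    idle, maxl = realm.get("ssoSessionIdleTimeout", 0), realm.get("ssoSessionMaxLifespan", 0)
    if maxl <= idle:
        findings.append("SSO session max must exceed SSO session idle (note #2)")
    if idle < SCREEN_TIMEOUT_SEC:
        findings.append("SSO session idle is below the 65-minute window timeout; "
                        "re-authentication with the IdP may occur (note #1)")
    return findings

def check_client(client, manager_host, port=31080):
    """Findings for the JP1/IT Desktop Management 2 client against the client table."""
    findings = []
    if client.get("protocol") != "openid-connect":
        findings.append("client type must be OpenID Connect")
    if client.get("publicClient", True):  # publicClient=false is Client authentication ON
        findings.append("client authentication must be ON")
    if not client.get("authorizationServicesEnabled"):
        findings.append("authorization must be ON")
    if client.get("clientAuthenticatorType") != "client-secret" or not client.get("secret"):
        findings.append("credentials must be Client Id and Secret with a secret set")
    expected = f"http://{manager_host}:{port}/jp1itdm/idaas.jsp"
    uris = client.get("redirectUris", [])
    if expected not in uris:
        findings.append(f"valid redirect URI {expected} is not registered")
    wildcards = [u for u in uris if u.endswith("*")]
    if wildcards:  # the default "/*" matches any path; only the exact URI should remain
        findings.append(f"remove wildcard redirect URIs: {wildcards}")
    return findings

def audit(export, manager_host, client_id):
    """Realm plus client findings; an empty list means the export matches both tables."""
    client = next((c for c in export["clients"] if c["clientId"] == client_id), None)
    if client is None:
        return [f"client {client_id} not found in realm {export.get('realm')}"]
    return check_realm(export) + check_client(client, manager_host)
```

Run audit() against a realm export taken from the Keycloak admin console after applying the tables; the sample deliberately keeps the default /* entry and the 30-minute idle time so both findings show up.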
Notes
Specify the authentication method used at login in the authentication flow. The following table lists the flows that are configured on the client by default.
| Flow | | Default Flow | Remarks |
|---|---|---|---|
| Authentication flow | Browser flow | The "browser" flow in the Built-in | Flow for logging in to the operation window |
| | Direct grant flow | The "direct grant" flow in the Built-in | Flow for Remote Install Manager, Packager, and the Network Access Control commands |
Authentication flows can be customized according to your operation. However, if you use Remote Install Manager, Packager, or the Network Access Control commands, you must use the default direct grant flow without customizing it.