[JAVA] Let's take a look at the functions of Keycloak's management console (administrator edition)
What to do today
Keycloak Advent Calendar Day 9 This time, let's take a look at the Keycloak management console.
Keycloak management console
--Administrator functions --User functions (user account service)
there is.
Today, let's take a look at the former "function for administrators".
Advance preparation
Prepare the following as per Day 2 "Keycloak Setup".
--Keycloak environment --Create Keycloak admin and regular users
Management Console Overview
The management console is a function that manages Keycloak settings and users, groups, etc. Go to http: // localhost: 8080 / auth / admin / and log in as an admin user. If you are logged in as a realm administrator, go to http: // localhost: 8080 / auth / admin / realm name / console /. (If you log in as an administrator of the realm "demo", access http: // localhost: 8080 / auth / admin / demo / console /)
The management console is configured with the menu on the left side of the screen and the settings for the selection menu on the right side.
Place the cursor over the "?" Mark next to the item name to see a description of the item.
If you log in as a server administrator, you can switch the target realm in the realm name part at the top left of the screen.
Now let's look at the settings in the management console.
Management console settings
Realm settings
This screen manages various settings of the realm.
General
This screen is for setting the realm name and display name.
| item name | Description | Default value |
|---|---|---|
| name | Realm name. Used for URLs. | |
| Display name | レルムDisplay name。ブラウザタイトルに使用される。 | |
| HTML display name | The realm display name on HTML. Used for the body of the login screen. | |
| Effectiveness | レルムEffectivenessフラグ。 | on |
| end point | OpenID Connectend pointの設定を表示するリンク。 | OpenID Endpoint Configuration |
Login
This is the login-related setting screen.
| item name | Description | Default value |
|---|---|---|
| user registration | ユーザーによるuser registrationを可能にするかどうか。 | off |
| Edit user name | Whether to make the username field editable. | off |
| Forgot password | Whether to display a link on the login screen that you click if you forget your password. | off |
| Save login status | Whether to display a checkbox to save the login status on the login screen. | off |
| Check your email | Whether to enable user verification by email when logging in for the first time. | off |
| Login with email | Whether to allow login by email. | on |
| SSL request | Whether to require SSL. Specify one of the following. All requests Required. External request Required except for localhost and private IP. None Not required. |
External request |
This is the SMTP server setting screen. Keycloak will send you an email when you confirm your email address, forget your password, or when your administrator needs to be notified about server events.
| item name | Description | Default value |
|---|---|---|
| host | SMTP server. | |
| port | SMTPport。 | |
| From Display Name | Display name of the sender. | |
| From | FromのEメールアドレス。 | |
| Reply To Display Name | Reply-Display name of to. | |
| Reply To | Reply-Email address to. | |
| Envelope From | The email address of the envelope From. | |
| SSL enabled | Whether SSL is required. | off |
| Enable StartTLS | Whether TLS communication is required. | off |
| Authentication enabled | Whether authentication is required. | off |
theme
Keycloak UI theme setting screen.
| item name | Description | Default value |
|---|---|---|
| Login theme | The theme to apply to the login screen. | |
| Account theme | Account management screen theme. | |
| Management console theme | Management console theme. | |
| Email theme | Email theme. | |
| Effectiveness of internationalization | Whether to enable internationalization. | off |
client
This is the screen for managing clients. A client is an application that is subject to SSO. OpenID Connect (OIDC) Relying Party (RP), SAML Service Provider (SP), etc. correspond to clients. You can create / change / delete clients, export settings, etc.
Click the "Create" button at the top right of the screen to display the client registration screen. The client protocol can be "OpenID Connect" or "SAML". Enter the required information and click the "Save" button to move to the details screen.
** When "OpenID Connect" is selected as the client protocol **
** When "SAML" is selected as the client protocol **
Please refer to Keycloak documentation for a description of each item.
: information_source: There is a "role" setting in the client settings, but this role is called a "client role" and is different from the realm role described later. A realm role has a global namespace within the realm, but a client role basically has its own namespace for each client.
roll
This is the screen for managing roles. You can create / change / delete roles for realms and set default roles.
Identity provider
This is the ID provider setting screen. You can enable authentication using an external identity provider or social network.
Details will be written by @ tamura__246 on the 15th day!
User federation
This is the setting screen for user linkage with the external user database. You can authenticate with "LDAP" or "Active Directory", or synchronize IDs.
Details will be written by @yagiaoskywalker on the 14th day!
Authentication
This screen manages settings related to authentication. You can set the authentication flow, password policy, etc.
The authentication flow is the setting of authentication, screen, and action that occurs in various Keycloak processes. For example, "At the time of browser authentication, if there is a valid cookie, authentication is OK. If there is no valid cookie, authentication is performed by ID and password." Or "When resetting the password, first display the user ID input screen. You can define the flow according to the process, such as "Display and send a password reset mail next if the user ID is correct."
Details will be written by @naokiiiii on the 12th day!
group
This is the screen for managing groups. You can create / change / delete groups and set roles for groups.
user
This is the screen for managing users. You can add / change / delete users, map roles, assign / leave to groups, etc.
session
This is the screen for managing sessions. You can see the currently active sessions in the realm.
Event
This is the event management screen. You can set the event to be saved and refer to the saved event.
import
This is the screen to import the realm settings. You can import about clients, groups, and roles. Import the JSON file.
When you select a file, a screen for specifying the import behavior is displayed. You can select the data to import and specify the behavior when the data to be imported already exists.
export
This screen exports the realm settings. Realm settings, clients, groups, roles, etc. are exported. User data is not exported. The JSON file will be output.
Summary
Roughly, I took a look at the "Management Console". I think that it is relatively easy to use because the displayed contents are in Japanese and the help display of items is also substantial.
For more information, please refer to the help display of the items displayed on the screen and the Keycloak documentation.
Reference material
Recommended Posts