Identity and Access Management

Introduction

The Identity Manager (IdM) component is crucial for managing identities during the access control process. It authenticates users, applications, and other entities, ensuring the validity of user credentials and tokens for the identity process. Using the OAuth2 protocol, it offers a federated identification service in which a service requester and a service provider can establish a trusted relation without previously knowing each other. This way a secure identification process is completed without the service provider ever receiving the requester's credentials.

Features

The primary goal of the Identity Manager is to facilitate secure access control by managing authentication and identity verification processes effectively.

Place in architecture

The IdM is connected to the Management Portal for user authentication, and it is also connected with KrakenD to authenticate API accesses.

  • The IdM enabler federates the users/groups/roles from OpenLDAP. Using the OAuth2 protocol, it offers a federated identification service in which a service requester and a service provider can establish a trusted relation without previously knowing each other.

  • When a requester asks for a service, the provider redirects the request to a third-party identity server known by both parties, so the requester can identify itself and obtain a session token. The service provider then asks the identity server to validate the token and to provide data about the requester. This way a secure identification process is completed without the service provider having received the requester's credentials.

  • Identity Manager admin: contains the credential store and data of users and other entities. It offers an OpenID/OAuth2 interface.

  • Identity Manager authentication: offers an OpenID/OAuth2 interface and validates credentials against the local or user database.

  • OpenLDAP: contains the user, group and role store. This information is federated to the IdM (Keycloak).
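The validation step in the flow above (the provider asking the identity server about the token instead of ever seeing the requester's credentials) as an added example; this is not code from the aerOS project. It calls Keycloak's standard OAuth2 token introspection endpoint and then applies the checks a provider such as KrakenD or the Management Portal should make on the reply. The realm, client id/secret, audience and role names are placeholders, and the sample reply is constructed.

```python
"""Provider-side token check against Keycloak's token introspection endpoint."""
import base64
import json
import time
import urllib.parse
import urllib.request


def introspect_url(base_url: str, realm: str) -> str:
    # Path used by current Keycloak releases (older releases prefix it with "/auth").
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token/introspect"


def introspect(base_url, realm, client_id, client_secret, token, timeout=5):
    """Ask the identity server whether `token` is active and return its claims.
    The provider authenticates with its own confidential client credentials
    (HTTP Basic); the requester's password is never sent to the provider."""
    req = urllib.request.Request(
        introspect_url(base_url, realm),
        data=urllib.parse.urlencode({"token": token}).encode(),
        method="POST",
    )
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req.add_header("Authorization", f"Basic {basic}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def authorize(info, expected_issuer, expected_audience, required_role, now=None):
    """Decide from an introspection reply. Returns (allowed, reason_or_username)."""
    now = time.time() if now is None else now
    if not info.get("active"):
        return False, "token inactive"          # revoked, unknown or logged out
    if info.get("iss") != expected_issuer:
        return False, "issuer mismatch"         # token from another realm/server
    aud = info.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_audience not in aud and info.get("azp") != expected_audience:
        return False, "audience mismatch"       # token minted for another client
    if info.get("exp", 0) <= now:
        return False, "token expired"           # belt and braces next to "active"
    roles = info.get("realm_access", {}).get("roles", [])
    if required_role not in roles:
        return False, f"missing role {required_role}"
    return True, info.get("preferred_username") or info.get("username", "")


# Constructed sample shaped like a Keycloak introspection reply (placeholder values).
SAMPLE_REPLY = {
    "active": True, "iss": "https://idm.example.test/realms/aeros",
    "aud": ["management-portal"], "azp": "management-portal",
    "exp": 1_700_000_600, "iat": 1_700_000_300, "preferred_username": "alice",
    "realm_access": {"roles": ["portal-user"]}, "scope": "openid profile",
}
```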

User guide

To verify the deployment, you can attempt to authenticate a user or entity using the Identity Manager. Ensure that the authentication process aligns with the expected access control policies.

  1. Clone the repository containing the Identity Manager’s source code and configuration files.

  2. Navigate to the Docker directory as described in the deployment steps.

  3. Execute the docker-compose up -d command to start the Identity Manager service.

  4. Test the Identity Manager by performing authentication tasks, ensuring it operates as expected.

Prerequisites

The enabler is prepared to run in a K8S environment, and its creation is designed to be autonomous in such an environment.

The service consumer will be required to communicate with the server using the standard OAuth2 interface.

A docker-compose version of the component is also available.

Installation

For Helm version:

helm install openldap aeros-common/openldap-stack-ha --set ltb-passwd.ingress.enabled=false --set phpldapadmin.ingress.enabled=false --set phpldapadmin.service.type=NodePort --set persistence.size=100Mi --set replication.enabled=false --set replicaCount=1 --debug
helm install idm aeros-common/idm --set keycloak.service.ports.keycloak.nodePort=<nodePort> --debug
helm install idm aeros-common/idm --set keycloak.envVars.proxyAddressForwarding=true --set keycloak.ingress.enabled=true --debug

For docker-compose:

  1. Navigate to the Docker Directory:

Open a terminal and change to the directory containing the Identity Manager’s docker-compose file.

cd identity-manager/docker

  2. Start the Identity Manager:

Execute the following command in the terminal, ensuring you are in the directory where docker-compose.yml is located.

docker-compose up -d

Configuration options

The following parameters should be configured in the “values.yaml” file:

service:
  type: NodePort
  ports:
    keycloak:
      nodePort: ""
      port: 8080
      targetPort: 8080
      containerPort: 8080
      protocol: TCP

Developer guide

Authors

This module is developed and maintained as part of the aerOS project, aiming to enhance cybersecurity measures in IoT environments.

License

Keycloak is licensed under Apache License Version 2.0.

Notice (dependencies)