Manual integration with the Identity Service
caution
This is internal documentation. This document can be used only if it was recommended by the Support Team.
Prerequisites
- There is an account in the platform to connect to the Deploy instance (https://demoaccount.staging.digital.ai)
- There is an admin user (role account-admin) in the account that can be used to configure the Deploy client (contact Kraken team)
1. Adding the Deploy client
- Log into the Identity Service account you want to connect to Deploy using an admin user for that account
- Go to Admin > Clients > Add OIDC Client
- Give the client a name (e.g. deploy)
- Scroll down to “Valid Redirect URIs” and add <deploy url>/login/external-login
- Save the client
2. Configuring Deploy
In the CR file, disable Keycloak and update the OIDC properties:
oidc:
  enabled: true
  clientId: "<client_id>"
  clientSecret: "<client secret>"
  external: true
  issuer: "https://identity.staging.digital.ai/auth/realms/demoaccount"
  redirectUri: "<deploy url>/login/external-login"
  postLogoutRedirectUri: "<deploy url>/login/external-login"
  rolesClaimName: "realm_access.roles"
  userNameClaimName: preferred_username
  scopes: ["openid"]
To find the client id and secret, edit the Deploy client created above, scroll down to the Credentials section, and copy the values from there.
The issuer can be found in the Identity Service Client section, in the OIDC config that can be downloaded from there.
To check the rolesClaimName value, decode the ID token. Here you can find how to fetch the token. Use jwt to decode the ID token. Get the roles path from the decoded value; this is the rolesClaimName.
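An added example, not part of the original documentation: decoding the ID token locally and listing the dotted claim paths that contain a role the user is known to hold, which is the value to use for rolesClaimName. The sample token, user name and helper names are constructed for illustration, and the signature is not verified, so this is for inspection only.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def find_role_paths(claims: dict, expected_role: str, prefix: str = "") -> list:
    """List dotted claim paths whose value is a list containing expected_role."""
    paths = []
    for key, value in claims.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            paths.extend(find_role_paths(value, expected_role, path))
        elif isinstance(value, list) and expected_role in value:
            paths.append(path)
    return paths


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token (not a real credential): the claim layout mirrors the
# rolesClaimName and userNameClaimName values in the configuration above.
SAMPLE_CLAIMS = {
    "iss": "https://identity.staging.digital.ai/auth/realms/demoaccount",
    "preferred_username": "demo.admin",
    "realm_access": {"roles": ["account-admin", "offline_access"]},
    "resource_access": {"account": {"roles": ["view-profile"]}},
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"constructed-signature"),
])

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print(find_role_paths(claims, "account-admin"))
```

Replace SAMPLE_TOKEN with the ID token fetched for the admin user and pass the role that user holds in the Identity Service; the path returned is the rolesClaimName value.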
3. Deploy XLD
- Deploy XLD and navigate to the Deploy site in the browser. Log in with the admin user and add the role(s) from the Identity Service user to XLD as a principal. For example, if you are using a user with the account-admin role, this role should be added as a principal.
- Go to Global permissions in XLD and give the needed permissions. For admin it will be the admin and login permissions.
- Log in to XLD with a user from the Identity Service.