First-Time Access
After the IAM application is deployed, a root user is created with the credentials defined in the Replicated panel.
We use this root user to apply the configuration to the application. Although you can log in to the admin console with this user, we strongly recommend creating a dedicated user for your administrative tasks. Problems with this root user might cause irreversible damage to the application.
The username is visible through the option “Show IAM Admin Username”. The password was set during the first installation and can be found in the option “IAM Admin Password”.
If the IAM Admin Password was generated rather than set, you can retrieve it with the following kubectl command:
kubectl get secrets/keycloak-secret -n YOUR_NAMESPACE_NAME --template='{{.data.KEYCLOAK_ADMIN_PASSWORD}}' | base64 --decode
This returns the password, which you can use to log in as the root superuser.
The following sections describe the procedure for creating administrative users.
Exposing the Admin Panel
In the Replicated panel, select the option “Expose IAM Admin Resources”, save the configuration, and deploy the application.
As good practice, unless the IAM Admin Panel is meant to be always enabled in your environment, disable the web interface again after performing your actions.
Accessing the Admin Panel
After the initialization of the new deployment, the admin panel is available through the URL:
https://account.{on-prem-domain}/admin/master/console/
Note: The login page for the admin panel does not offer a registration option, as you need to use the Replicated panel.
Adding the First Admin User
Make sure that you are in the Master realm (top left menu), then go to the Users section and click the Add user button.
Provide the user information and a username of your choice (labforward_admin is just an example in the following screenshot) and then click the Create button. The username can be an email address, for example.
After the user is created, click the Credentials tab at the top, set the password, and confirm it. Make sure the Temporary button is disabled, and make sure that the password is complex enough for the admin user.
Then, in the Role Mapping section at the top, select Assign role to assign the admin roles to the user.
In the dropdown menu, select Filter by clients, and filter with labforward-realm. Assign the following roles:
- manage-realm
- manage-users
- view-clients
- view-events
- view-realm
- view-users
- manage-identity-providers
- view-identity-providers
If the user should be able to use the “impersonate” functionality in Keycloak, the impersonation permission also needs to be added to the list.
Now you can log out and access the admin panel using the username and password of the admin user that you created. From this point, it is better to access the admin panel only with the freshly created admin user.
Change Password
In case an administrative user needs to change their password, there are two ways of performing this action:
1. When logged in with the administrative user, navigate to the Manage Account section, and change your password there. It is necessary to re-authenticate after the action. After clicking on Manage Account, you are redirected to IAM, where you need to navigate to Settings and click the CHANGE button under the Password paragraph.
2. The second option is changing the user's password when logged in with the root user. Even though this is possible, we recommend the first option.
Managing Users
In this section, you can view all users by searching “*” or find users by their email addresses.
An admin can also click on the user's id in the table to edit the existing user information. This section has different tabs to edit different kinds of information related to the user.
Using the Add user button at the top of the table, an admin can create a user in IAM.
For customers using LDAP, the admin should not add a user using this feature because that user won’t be propagated to LDAP. LDAP users will automatically be imported on the first login.
Please do not use the Delete button in this table to delete users. If you want to disable a user, click on its id and switch the User Enabled button to off.
Even though it is possible to create a user from the Admin Panel, this is not recommended, as the product pages usually offer a registration option for users.
To add a new user, fill in the information for the user and click the save button. Please also specify the locale attribute for the newly created user when adding it from the admin panel.
After clicking the save button, more tabs will be visible, and you can specify more information for the user.
Users Menu
Details
In this tab, the admin can specify the main attributes of the users.
Field | Description
User Enabled | Defines whether the user can log in (use this for suspicious users whose account you want to disable rather than delete).
User Temporarily Locked | This field's status will be On when there are wrong login attempts for the user.
Email Verified | Specifies whether the email for the user is verified or not.
Required Actions | Should not be used by the admin.
Attributes
Once you set the locale in the previous tab (Details Tab), all Attributes will be available for the user in this tab. Here are the Attributes that can be set for the users:
Attribute | Description
contact_detail | Contact information for the User
locale | The language that will be used for the user. Accepted values:
phone | The phone number for the User
position | Position of the User within the company
profile_hash | Related to the User photo (should not be edited by the admin)
timezone | See available values in Appendix 1
title | Title for the user. For example: Dr.
Credentials
When adding new users in the admin panel, you can set a password for the user and confirm it in the password confirmation. It is recommended to keep the temporary button ON. In that case, when a user logs in using this temporary password for the first time, they will be prompted to change it. Existing users can always reset or change their password themselves, so do not use this option for existing users.
Role Mapping
This tab should not be used by the admin.
Groups
This tab should not be used by the admin.
Consents
This tab should not be used by the admin.
Sessions
In this tab, the admin can see all the sessions for the user. The admin can click the Logout button in the action column to invalidate that session and log out the user. Admins can also use the Log out all sessions button at the top of the table to log the user out of all sessions.
Identity Provider Links
Should not be used by the admin.
Sessions Menu
Realm Sessions
In this tab, the admin can see all the active and offline sessions for each client. You can also click on each client to see all the available sessions for that client. The “Sign out all active sessions” button at the top right of the page will log out all users and will invalidate all the sessions.
Events Menu
User Events
In this tab, the admin can observe all the login events related to the users in the application.
Using the Search event functionality at the top of the table, the admin can also filter the events by type, client, and date to show specific events.
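One way to triage the login events described above after exporting them as JSON, given here as an added example that is not part of the original guide. It assumes events in the field layout of Keycloak's event representation (time in milliseconds, type, ipAddress, details.username); the sample events, the five-minute window and the threshold of three failures are constructed for illustration.

```python
import json
from collections import defaultdict

WINDOW_MS = 5 * 60 * 1000  # assumed look-back window (5 minutes)
THRESHOLD = 3              # assumed number of failures that counts as a burst

# Constructed sample events; field names follow Keycloak's event representation.
SAMPLE_EVENTS = json.loads("""[
 {"time": 1700000000000, "type": "LOGIN_ERROR", "ipAddress": "203.0.113.7", "details": {"username": "alice"}},
 {"time": 1700000010000, "type": "LOGIN_ERROR", "ipAddress": "198.51.100.4", "details": {"username": "dave"}},
 {"time": 1700000020000, "type": "LOGIN_ERROR", "ipAddress": "203.0.113.7", "details": {"username": "bob"}},
 {"time": 1700000030000, "type": "LOGIN", "ipAddress": "198.51.100.4", "details": {"username": "dave"}},
 {"time": 1700000040000, "type": "LOGIN_ERROR", "ipAddress": "203.0.113.7", "details": {"username": "carol"}},
 {"time": 1700000060000, "type": "LOGIN", "ipAddress": "203.0.113.7", "details": {"username": "carol"}}
]""")


def detect(events, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Return (finding, ip, usernames) tuples for suspicious login patterns."""
    findings = []
    recent = defaultdict(list)  # ip -> [(time, username)] failures inside the window
    alerted = set()             # IPs already reported for a failure burst
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev.get("ipAddress", "unknown")
        user = (ev.get("details") or {}).get("username") or ev.get("userId", "unknown")
        # Drop failures that have aged out of the window.
        fails = [f for f in recent[ip] if ev["time"] - f[0] <= window_ms]
        recent[ip] = fails
        if ev["type"] == "LOGIN_ERROR":
            fails.append((ev["time"], user))
            if len(fails) >= threshold and ip not in alerted:
                alerted.add(ip)
                findings.append(("failure_burst", ip, sorted({u for _, u in fails})))
        elif ev["type"] == "LOGIN" and len(fails) >= threshold:
            # A success right after a burst may mean a guessed password.
            findings.append(("login_after_burst", ip, [user]))
            recent[ip] = []
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

A login_after_burst finding is a reason to review that user's sessions in the Sessions tab and log them out there if the login was not legitimate.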
Admin Events
Should not be used by the admin.
Realm Settings Menu
Tokens
In this tab, admins can update the durations of the tokens. The documentation for the tokens can be found in the tooltips that appear when you hover over the question mark icons.
Identity Providers Menu
In this section, you can configure the identity provider of your choice:
Click on Add Provider and choose the identity provider type you want to add, then you can apply configuration for the selected identity provider. You can follow Keycloak documentation for a detailed description of the configuration.
We have already provided documentation for specific IDPs like Google, Microsoft Azure AD, and Shibboleth. Please refer to those documents for the configuration details.
- Google and Microsoft: Setting up Identity Providers in IAM (OpenID)
- Shibboleth: Shibboleth as IDP (SAML v2.0)
Appendix 1: Available Timezones
Asia/Aden America/Cuiaba Africa/Nairobi America/Marigot Asia/Aqtau Pacific/Kwajalein America/El_Salvador Asia/Pontianak Africa/Cairo Pacific/Pago_Pago Africa/Mbabane Asia/Kuching Pacific/Honolulu Pacific/Rarotonga America/Guatemala Australia/Hobart Europe/London America/Belize America/Panama Asia/Chungking America/Managua America/Indiana/Petersburg Asia/Yerevan Europe/Brussels Europe/Warsaw America/Chicago Asia/Kashgar Chile/Continental Pacific/Yap Europe/Jersey America/Tegucigalpa Europe/Istanbul America/Eirunepe America/Miquelon Europe/Luxembourg America/Argentina/Catamarca Europe/Zaporozhye Canada/Yukon Canada/Atlantic Atlantic/St_Helena Australia/Tasmania Europe/Guernsey America/Grand_Turk US/Pacific-New Asia/Samarkand America/Argentina/Cordoba Asia/Phnom_Penh Africa/Kigali Asia/Almaty US/Alaska Asia/Dubai Europe/Isle_of_Man America/Araguaina Asia/Novosibirsk America/Argentina/Salta Africa/Tunis Pacific/Fakaofo Africa/Tripoli Africa/Banjul Indian/Comoro Pacific/Port_Moresby US/Arizona Antarctica/Syowa Indian/Reunion Pacific/Palau Europe/Kaliningrad America/Montevideo Africa/Windhoek Asia/Karachi Africa/Mogadishu Australia/Perth Brazil/East Asia/Chita Pacific/Easter Antarctica/Davis Antarctica/McMurdo Asia/Macao America/Manaus Africa/Freetown Europe/Bucharest Asia/Tomsk America/Argentina/Mendoza Asia/Macau Europe/Malta Mexico/BajaSur Pacific/Tahiti Africa/Asmera Europe/Busingen America/Argentina/Rio_Gallegos Africa/Malabo Europe/Skopje America/Catamarca America/Godthab Europe/Sarajevo Australia/ACT Africa/Lagos America/Cordoba Europe/Rome Asia/Dacca Indian/Mauritius Pacific/Samoa America/Regina America/Fort_Wayne America/Dawson_Creek Africa/Algiers Europe/Mariehamn America/St_Johns America/St_Thomas Europe/Zurich America/Anguilla Asia/Dili America/Denver Africa/Bamako Europe/Saratov Mexico/General Pacific/Wallis Europe/Gibraltar Africa/Conakry Africa/Lubumbashi Asia/Istanbul America/Havana Asia/Choibalsan America/Porto_Acre Asia/Omsk Europe/Vaduz US/Michigan 
Asia/Dhaka America/Barbados Europe/Tiraspol Atlantic/Cape_Verde Asia/Yekaterinburg America/Louisville Pacific/Johnston Pacific/Chatham Europe/Ljubljana America/Sao_Paulo Asia/Jayapura America/Curacao Asia/Dushanbe America/Guyana America/Guayaquil America/Martinique Europe/Berlin Europe/Moscow Europe/Chisinau America/Puerto_Rico America/Rankin_Inlet Pacific/Ponape Europe/Stockholm Europe/Budapest America/Argentina/Jujuy Australia/Eucla Asia/Shanghai Europe/Zagreb America/Port_of_Spain Europe/Helsinki Asia/Beirut Asia/Tel_Aviv Pacific/Bougainville US/Central Africa/Sao_Tome Indian/Chagos America/Cayenne Asia/Yakutsk Pacific/Galapagos Australia/North Europe/Paris Africa/Ndjamena Pacific/Fiji America/Rainy_River Indian/Maldives Australia/Yancowinna | Asia/Oral America/Yellowknife Pacific/Enderbury America/Juneau Australia/Victoria America/Indiana/Vevay Asia/Tashkent Asia/Jakarta Africa/Ceuta Asia/Barnaul America/Recife America/Buenos_Aires America/Noronha America/Swift_Current Australia/Adelaide America/Metlakatla Africa/Djibouti America/Paramaribo Europe/Simferopol Europe/Sofia Africa/Nouakchott Europe/Prague America/Indiana/Vincennes Antarctica/Mawson America/Kralendijk Antarctica/Troll Europe/Samara Indian/Christmas America/Antigua Pacific/Gambier America/Indianapolis America/Inuvik America/Iqaluit Pacific/Funafuti Antarctica/Macquarie Canada/Pacific America/Moncton Africa/Gaborone Pacific/Chuuk Asia/Pyongyang America/St_Vincent Asia/Gaza Atlantic/Faeroe Asia/Qyzylorda Canada/Newfoundland America/Kentucky/Louisville America/Yakutat Asia/Ho_Chi_Minh Antarctica/Casey Europe/Copenhagen Africa/Asmara Atlantic/Azores Europe/Vienna Pacific/Pitcairn America/Mazatlan Australia/Queensland Pacific/Nauru Europe/Tirane Asia/Kolkata Australia/Canberra Australia/Broken_Hill Europe/Riga America/Dominica Africa/Abidjan America/Mendoza America/Santarem America/Asuncion Asia/Ulan_Bator America/Boise Australia/Currie Pacific/Guam Pacific/Wake Atlantic/Bermuda America/Costa_Rica 
America/Dawson Asia/Chongqing Europe/Amsterdam America/Indiana/Knox America/North_Dakota/Beulah Africa/Accra Atlantic/Faroe Mexico/BajaNorte America/Maceio Pacific/Apia America/Atka Pacific/Niue Australia/Lord_Howe Europe/Dublin Pacific/Truk America/Monterrey America/Nassau America/Jamaica Asia/Bishkek America/Atikokan Atlantic/Stanley Australia/NSW US/Hawaii Indian/Mahe Asia/Aqtobe America/Sitka Asia/Vladivostok Africa/Libreville Africa/Maputo America/Kentucky/Monticello Africa/El_Aaiun Africa/Ouagadougou America/Coral_Harbour Pacific/Marquesas Brazil/West America/Aruba America/North_Dakota/Center America/Cayman Asia/Ulaanbaatar Asia/Baghdad Europe/San_Marino America/Indiana/Tell_City America/Tijuana Pacific/Saipan Africa/Douala America/Chihuahua America/Ojinaga Asia/Hovd America/Anchorage Chile/EasterIsland America/Halifax Antarctica/Rothera America/Indiana/Indianapolis US/Mountain Asia/Damascus America/Argentina/San_Luis America/Santiago Asia/Baku America/Argentina/Ushuaia Atlantic/Reykjavik Africa/Brazzaville Africa/Porto-Novo America/La_Paz Antarctica/DumontDUrville Asia/Taipei Antarctica/South_Pole Asia/Manila Asia/Bangkok Africa/Dar_es_Salaam Atlantic/Madeira Antarctica/Palmer America/Thunder_Bay Africa/Addis_Ababa Asia/Yangon Europe/Uzhgorod Brazil/DeNoronha Asia/Ashkhabad America/Indiana/Marengo America/Creston America/Punta_Arenas America/Mexico_City Antarctica/Vostok Asia/Jerusalem Europe/Andorra US/Samoa Asia/Vientiane Pacific/Kiritimati America/Matamoros America/Blanc-Sablon Asia/Riyadh Pacific/Pohnpei Asia/Ujung_Pandang Atlantic/South_Georgia Europe/Lisbon Asia/Harbin Europe/Oslo Asia/Novokuznetsk Atlantic/Canary | America/Knox_IN Asia/Kuwait Pacific/Efate Africa/Lome America/Bogota America/Menominee America/Adak Pacific/Norfolk Europe/Kirov America/Resolute Pacific/Tarawa Africa/Kampala Asia/Krasnoyarsk America/Edmonton Europe/Podgorica Australia/South Canada/Central Africa/Bujumbura America/Santo_Domingo US/Eastern Europe/Minsk Pacific/Auckland 
Africa/Casablanca America/Glace_Bay Canada/Eastern Asia/Qatar Europe/Kiev Asia/Magadan America/Port-au-Prince Europe/Belfast America/St_Barthelemy Asia/Ashgabat Africa/Luanda America/Nipigon Atlantic/Jan_Mayen Brazil/Acre Asia/Muscat Asia/Bahrain Europe/Vilnius America/Fortaleza US/East-Indiana America/Hermosillo America/Cancun Africa/Maseru Pacific/Kosrae Africa/Kinshasa Asia/Kathmandu Asia/Seoul Australia/Sydney America/Lima Australia/LHI America/St_Lucia Europe/Madrid America/Bahia_Banderas America/Montserrat Asia/Brunei America/Santa_Isabel Canada/Mountain America/Cambridge_Bay Asia/Colombo Australia/West Indian/Antananarivo Australia/Brisbane Indian/Mayotte US/Indiana-Starke Asia/Urumqi US/Aleutian Europe/Volgograd America/Lower_Princes America/Vancouver Africa/Blantyre America/Rio_Branco America/Danmarkshavn America/Detroit America/Thule Africa/Lusaka Asia/Hong_Kong America/Argentina/La_Rioja Africa/Dakar America/Tortola America/Porto_Velho Asia/Sakhalin America/Scoresbysund Asia/Kamchatka Asia/Thimbu Africa/Harare America/Nome Europe/Tallinn Africa/Khartoum Africa/Johannesburg Africa/Bangui Europe/Belgrade Africa/Bissau Asia/Tehran Europe/Astrakhan Africa/Juba America/Campo_Grande America/Belem Asia/Saigon America/Ensenada Pacific/Midway America/Jujuy Africa/Timbuktu America/Bahia America/Goose_Bay America/Virgin America/Pangnirtung Asia/Katmandu America/Phoenix Africa/Niamey America/Whitehorse Pacific/Noumea Asia/Tbilisi America/Montreal Asia/Makassar America/Argentina/San_Juan Asia/Nicosia America/Indiana/Winamac America/Argentina/ComodRivadavia America/Boa_Vista America/Grenada Asia/Atyrau Australia/Darwin Asia/Khandyga Asia/Kuala_Lumpur Asia/Famagusta Asia/Thimphu Asia/Rangoon Europe/Bratislava Asia/Calcutta America/Argentina/Tucuman Asia/Kabul Indian/Cocos Pacific/Tongatapu America/New_York Europe/Ulyanovsk America/Merida America/Rosario Canada/Saskatchewan America/St_Kitts Arctic/Longyearbyen America/Fort_Nelson America/Caracas America/Guadeloupe 
Asia/Hebron Indian/Kerguelen Africa/Monrovia Asia/Ust-Nera Asia/Srednekolymsk America/North_Dakota/New_Salem Asia/Anadyr Australia/Melbourne Asia/Irkutsk America/Shiprock America/Winnipeg Europe/Vatican Asia/Amman Asia/Tokyo America/Toronto Asia/Singapore Australia/Lindeman America/Los_Angeles Pacific/Majuro America/Argentina/Buenos_Aires Europe/Nicosia Pacific/Guadalcanal Europe/Athens US/Pacific Europe/Monaco |