Keycloak
Using the con terra Technologies Identity Service, map.apps can delegate the authentication of users to Keycloak. This means that a user can log in to map.apps with an account managed by Keycloak.
Using Keycloak creates the following possibilities:
- Assignment of roles for the use of map.apps Manager
- Protection of apps
- Protection of tools
Using Keycloak has the following limitations:
- Apps exported with the app export for native apps do not support authentication. Apps with anonymous access are still supported.
Create connection between map.apps and Keycloak
Connecting map.apps with Keycloak is done in several steps.
Step 1: Install and configure the Identity Service
In this step you will install and configure the Identity Service as a separate web application. Follow these steps of the Identity Service documentation:
- Install the Identity Service.
- Connect the Identity Service to Keycloak.
- If map.apps and Identity Service are not made available via the same hostname, adapt the configuration according to the documentation for operating different hostnames under one domain.
- Configure services that require access tokens as trusted services at the Identity Service.
Step 2: Configure map.apps
To enable authentication delegation, add or replace the following parameters in the global configuration:
security.mode=IDENTITY
security.login.base=https://identityservice.example.com/identity
- security.mode: The IDENTITY value specifies that authentication should be delegated via the Identity Service.
- security.login.base: Base URL of the Identity Service.
Allow App Overview only for logged-in users
To allow only people with a valid login to access the map.apps app overview, set the following configuration:
# this is used to specify the protected resource paths (which require authentication before use)
# add '/,/*.html' to protect the index.html
security.application.protectedResources=/,/*.html
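The following check is an added example, not part of the map.apps or Identity Service documentation: it audits a configuration text for the three parameters from this step. It assumes the global configuration is available as plain key=value lines as shown above; the function names, the sample inputs, and the requirement that security.login.base uses https are assumptions of this example.

```python
from urllib.parse import urlsplit

def parse_properties(text):
    """Parse simple key=value lines; lines starting with '#' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(text, protect_overview=True):
    """Return a list of findings; an empty list means all checks passed."""
    props = parse_properties(text)
    findings = []
    if props.get("security.mode") != "IDENTITY":
        findings.append("security.mode is not IDENTITY: no delegation via the Identity Service")
    # Assumption of this example: the login base must be an absolute https URL.
    base = urlsplit(props.get("security.login.base", ""))
    if not base.netloc:
        findings.append("security.login.base is missing or not an absolute URL")
    elif base.scheme != "https":
        findings.append("security.login.base does not use https")
    if protect_overview:
        paths = {p.strip() for p in
                 props.get("security.application.protectedResources", "").split(",")}
        missing = {"/", "/*.html"} - paths
        if missing:
            findings.append("app overview not protected, missing: " + ", ".join(sorted(missing)))
    return findings

# Constructed sample inputs (not taken from a real installation).
GOOD = """\
security.mode=IDENTITY
security.login.base=https://identityservice.example.com/identity
# add '/,/*.html' to protect the index.html
security.application.protectedResources=/,/*.html
"""
WEAK = """\
security.mode=IDENTITY
security.login.base=http://identityservice.example.com/identity
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit(cfg) or "ok")
```

Pass protect_overview=False when the app overview is intentionally left open to anonymous users.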
Step 3: Customize role assignment
map.apps grants access to protected resources depending on roles to which a user is assigned. For example, only users assigned to the maAdmin role can access the map.apps Manager. Additionally, you can make the visibility of apps or tools dependent on specific roles.
The assignment of roles to users is performed by the Identity Service based on role assignments in Keycloak. In the documentation on role assignment in the Identity Service, you can find more information about how the Identity Service translates roles from Keycloak into roles for map.apps.
Verify the role assignment in the Identity Service or Keycloak and adjust it if necessary so that at least one user has the maAdmin role. This ensures that you can log in to the map.apps Manager with this user.
Configure your apps
To control access to an app, select the authorized roles in the settings in map.apps Manager.
If you want to display user profile information in an app, add the authentication bundle to that app.
This will also provide an option to log out.