
Configuring Other Identity Providers


SEAL Systems products use Keycloak as their standard identity provider. Keycloak contains the client configurations for PLOSSYS 5 and SEAL Operator/SEAL Print Client.

If you prefer to use a different identity provider, you have to configure your identity provider for working with SEAL Systems products.


Configuring Your Identity Provider

  1. Add the following client configurations to your identity provider:

    1. easyPRIMA

      An easyPRIMA client entry to support OAuth 2.0 Authorization Password Grant in handling the authentication of users

      Default client ID: seal-easyprima

    2. PLOSSYS Administrator

      A PLOSSYS Administrator client entry to support OAuth 2.0 Authorization Code Grant in handling the authentication of users

      Default client ID: seal-plossysadmin

    3. PLOSSYS CLI

      A PLOSSYS CLI entry to support OAuth 2.0 Authorization Password Grant in handling the authentication of users

      Default client ID: seal-plossyscli

    4. PLOSSYS DocPrint

      A PLOSSYS DocPrint client entry to support OAuth 2.0 Authorization Password Grant in handling the authentication of users

      Default client ID: seal-mobile-print

    5. PLOSSYS Infoclient

      A PLOSSYS Infoclient client entry to support OAuth 2.0 Client Credentials Grant in handling the service-to-service authentication between PLOSSYS Infoclient and the PLOSSYS 5 notification service on the server side

      Default client ID: seal-infoclient

    6. SEAL OP-CLI

      A SEAL OP-CLI client entry to support OAuth 2.0 Authorization Password Grant and Authorization Code Grant in handling the authentication of users

      Default client ID: seal-opcli

    7. SEAL Operator

      A SEAL Operator client entry to support OAuth 2.0 Client Credentials Grant in handling the service-to-service authentication between the SEAL Operator/SEAL Print Client services on the server side

      Default client ID: operator

    8. SEAL Operator/SEAL Print Client

      A SEAL Operator/SEAL Print Client entry to support OAuth 2.0 Authorization Code Grant in handling the authentication of users

      Default client ID: seal-print-client

  2. Download the signing certificate from the identity provider and save it as a file.

    Caution - different certificate

    This certificate usually differs from the certificate used for secure TLS connections. Therefore, save it under a different file name.

  3. Provide the following data to set up SEAL Operator/SEAL Print Client and PLOSSYS 5 clients:

    • signing certificate
    • issuer name
    • all client IDs
    • all client secrets

    Usually this part of the configuration is done in the form of environment variables on the client side. For details on this, see the appropriate client documentation.


Example Configuration of an IDP

Example - Configuring an IDP using the Example of SEAL Operator/SEAL Print Client

  1. Export the SEAL Operator/SEAL Print Client configuration into a file.

  2. Find the section associated with all SEAL Operator/SEAL Print Client services and configure the following keys for the certificate and the Client Credentials grant:

    env:
      service:
        any:
          tag:
            any:
              ...
              ID_PROVIDER_NAME: <iss property in idp>
              ID_PROVIDER_CERT: <path_and_filename of idp signing certificate>
              AUTH_CLIENT_ID: <Operator client_id_used in idp>
              AUTH_CLIENT_SECRET: <Operator client_secret generated by idp>
              AUTH_TOKEN_ENDPOINT: <token_endpoint_url of idp>
              ...
    

    For further information about the ID_PROVIDER_NAME entry, see Background Knowledge below.

  3. In the section for the operator-ui service, configure the following keys for the Authorization Code grant:

    env:
      service:
        ...
        operator-ui:
          tag:
            any:
              ...
              AUTH_ISSUER_URL: <idp url>
              AUTH_CLIENT_ID: <SEAL Operator/SEAL Print Client client_id used in idp>
              ...

    Literature - keys

    For further information about the keys, refer to the appropriate product documentation.


Background Knowledge

JSON Web Token

The clients receive the user's identity encoded in a signed JSON Web Token (JWT), called the ID token. The ID token is issued by the identity server, e.g. Keycloak, and obtained via the standard OAuth 2.0 Authorization Code Flow, which supports web applications.

For example, a JWT contains:

{
  "name": "hugo",
  "preferred_username": "Hugo",
  "given_name": "Hugo",
  "family_name": "",
  "email": "hugo@sealsystems.de",
  "iat": 1546860576,
  "exp": 1572780576,
  "iss": "https://<server_name>:32769/realms/seal-operator",
  "sub": "hugos-id"
}

Relationship Between the Settings

The issuer property (iss) in the ID token is a unique name created by the identity provider. Its value is an arbitrary string, which differs for each identity provider and has to be determined individually.

If you use Keycloak as identity provider, the value contains the URL by which the service can be accessed over the network. Therefore, the value in the example above changes if the service is accessed under a host name other than localhost.

Caution - identical configurations

For security reasons, the ID_PROVIDER_NAME setting in the above example must be identical to the iss entry in the ID token and has to be configured accordingly.

The AUTH_ISSUER_URL contains a URL pointing to the address by which the identity server can be accessed over the network.

If you use Keycloak as identity provider, the value in AUTH_ISSUER_URL is identical to the one in ID_PROVIDER_NAME.

