User Administration on SSL Keycloak (since FUT-I 2023.5)

SSL Keycloak is an identity provider for SSL users in the eHealth infrastructure.

Each SSL Organization in the eHealth infrastructure will have a realm in SSL Keycloak. Administrators can manage users on these realms.

Managing Users

This section is a guide for administrators. In this guide we will use Trifork as an example SSL Organization.

Prerequisites:

  • a realm on SSL Keycloak called trifork

  • an admin user on the trifork-realm: trifork_admin

To log in to the administration console go to ssl-login.<base-url>/auth/admin/trifork/console. Note that the name of the realm is part of the URL. Enter the credentials and click Log in.

On the Users page, administrators are able to view, search for, add, edit, and delete users.

To add a new user, click on Add user.

Fill out the Add user form with Username, Email, First Name, and Last Name. Click Create.

The user has been created. Now we need to set up the user's credentials. Click on the Credentials tab.

There are two options for configuring credentials: either create a temporary password, or let SSL Keycloak take care of it by sending an email to the newly created user. We recommend the latter option. Click on Credential Reset.

In the Credential Reset dialog, select Verify Email and Update Password in the Reset Actions input field. Set the expiry to the desired amount. Click on Send email.

A pop-up confirms that the email was sent.

Now we need to configure the privileges of the user. Click on the Attributes tab.

Click on Add an attribute. In the form, enter dk:gov:saml:attribute:Privileges_intermediate in the key field, and a Base64-encoded OIO Basic Privilege Profile XML document in the value field. Click Save.

A pop-up confirms that the user has been saved.
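
The value for the dk:gov:saml:attribute:Privileges_intermediate attribute can be prepared and checked before it is pasted into the form. The following Python sketch is an added example, not part of the original guide or of SSL Keycloak. It assumes the OIO Basic Privilege Profile layout of PrivilegeList / PrivilegeGroup / Privilege, and the namespace, scope and privilege URN in the sample are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: namespace, scope and privilege URN are assumed placeholders.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:00000000">
    <Privilege>urn:dk:example:privilege:placeholder</Privilege>
  </PrivilegeGroup>
</bpp:PrivilegeList>"""


def _local(tag: str) -> str:
    """Strip an XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def encode_profile(xml_text: str) -> str:
    """Return the single-line Base64 string for the attribute's value field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def review_profile(value: str) -> dict:
    """Decode an attribute value and return {scope: [privileges]} for review."""
    try:
        raw = base64.b64decode(value, validate=True)  # rejects wrapped or raw XML input
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("value is not clean single-line Base64") from exc
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD or entity declarations are not expected in a profile")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError("decoded value is not well-formed XML") from exc
    if _local(root.tag) != "PrivilegeList":
        raise ValueError("root element is not PrivilegeList")
    grants = {}
    for group in root:
        if _local(group.tag) != "PrivilegeGroup":
            continue
        privs = [p.text.strip() for p in group
                 if _local(p.tag) == "Privilege" and p.text and p.text.strip()]
        if not group.get("Scope") or not privs:
            raise ValueError("PrivilegeGroup needs a Scope and at least one Privilege")
        grants.setdefault(group.get("Scope"), []).extend(privs)
    if not grants:
        raise ValueError("profile grants no privileges")
    return grants
```

Running review_profile on the string about to be saved shows exactly which privileges the user will receive for each scope, and fails early on un-encoded XML or line-wrapped Base64.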

That’s it. The user is now fully configured, and can be found on the Users page.

The user has a “not verified” icon next to the email until the user has verified their email and set a password.

Update Password

When the administrator has added a user, and performed the credential reset step, the user receives an email. The user must then follow the link before it expires.

Click on the 'Click here to proceed' link.

Enter and confirm a new password and click Submit.

The user has now reset their password and is able to log in.

User login

To log in as an SSL user in the eHealth infrastructure, one must use the ssl-realm on FUT Keycloak. There will be an option for each SSL Organization in the eHealth infrastructure. Click on the desired SSL Organization.

FUT Keycloak redirects to SSL Keycloak, where the user can enter their credentials to log in.