Keycloak Administrator guide
Access to Keycloak administration console
To access the administration console you need to go to base_url/auth and select "Administration console". It will ask you to enter the credentials of a Keycloak administrator account. If no administrator account exists, you will see a form where you will be able to create it.
Users
Create a new account
Since Gazelle User Management step 2, it's no longer possible to create a new account from Gazelle Test Management.
You need to go to the admin console interface of Keycloak to perform this action.
Go to the admin console in the user management section
Click on Add user button and fill the form
Submit the form.
The user will receive an email to set their password. The new user is enabled by default.
The new user must accept the terms of use before being able to log in.
If you want to switch the organization of the user, you can do it from the admin console by editing the user. It can be done from Gazelle TM too.
If you want to add roles to the user, you can do it from the admin console by editing the user. It can be done from Gazelle TM too.
Search a user
You can search users by their username or email. If you want to see all users, search for "*". Click on the user username to see more details.
Update password of a user
If you want to update the password of a user, go to the "Credentials" tab and click on "Set password".
Gazelle groups
A Gazelle user can have different groups.
Some of these groups are static; we call them roles:
role:gazelle_admin - Gazelle administrator with all permissions.
role:project_admin - Gazelle administrator at project level
role:monitor - Gazelle monitor that can be assigned to a testing session as a monitor in TM.
role:testing_session_manager - Manage a testing session.
role:late_registration - Authorized to register some systems after the limit date.
role:test_designer - Test designer
role:sut_operator - Test participant (default role)
Other groups are dynamic, such as organization membership:
org:KEREVAL - Member of the organization KEREVAL
org-adm:KEREVAL - Administrator of the organization KEREVAL
The groups are associated with Keycloak realm roles. They are created, if they don't exist, when users are retrieved.
When using the CAS authentication protocol, the roles are defined in Keycloak user attributes so that they can be given the correct format in the token.
Give access to admin console to a Gazelle User
It's possible to give the permissions to access the admin console to a Gazelle User.
To do this, you need to be able to manage users in the admin console.
Go to the admin console in the user management section
Select the user you want to give access to the admin console, then open the "Role mapping" tab.
Click on Assign role and select "Filter by clients".
Select the following roles and assign them to the user:
[realm-management] query-realms
[realm-management] query-users
[realm-management] query-groups
[realm-management] manage-users
[realm-management] view-events
Click on Add selected roles
The user can now access the admin console by browsing the following URL: https://${FQDN}/auth/admin/gazelle/console
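The five realm-management roles above are a deliberately narrow set, so it is worth checking that an admin-console user has exactly those and nothing broader. The following is an added example, not part of the original guide: it audits a user's client role mapping in the shape returned by the Keycloak admin REST API (assumed here and constructed inline, not fetched) and reports missing roles and any extra realm-management roles such as the much wider realm-admin composite.

```python
# Roles the guide assigns for admin-console access, all on the
# "realm-management" client.
REQUIRED_REALM_MANAGEMENT_ROLES = {
    "query-realms", "query-users", "query-groups", "manage-users", "view-events",
}


def audit_admin_console_roles(role_mappings):
    """Compare a user's client role mapping with the list above.

    `role_mappings` follows the shape of the admin REST API's
    GET /admin/realms/{realm}/users/{id}/role-mappings response, as assumed
    for this example: clientMappings -> <client id> -> mappings[] -> name.
    Returns (missing, extra): required realm-management roles the user lacks,
    and realm-management roles beyond the five, which deserve a second look.
    """
    client_mappings = role_mappings.get("clientMappings", {})
    realm_management = client_mappings.get("realm-management", {})
    assigned = {role["name"] for role in realm_management.get("mappings", [])}
    missing = sorted(REQUIRED_REALM_MANAGEMENT_ROLES - assigned)
    extra = sorted(assigned - REQUIRED_REALM_MANAGEMENT_ROLES)
    return missing, extra


# Constructed sample: a user who was given four of the five roles plus
# realm-admin, which grants far more than the guide intends.
SAMPLE_MAPPINGS = {
    "clientMappings": {
        "realm-management": {
            "client": "realm-management",
            "mappings": [
                {"name": "query-users"},
                {"name": "query-groups"},
                {"name": "manage-users"},
                {"name": "view-events"},
                {"name": "realm-admin"},
            ],
        }
    },
}

if __name__ == "__main__":
    missing, extra = audit_admin_console_roles(SAMPLE_MAPPINGS)
    print("missing:", missing)   # ['query-realms']
    print("extra:", extra)       # ['realm-admin']
```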
Status of Gazelle accounts
A Gazelle account can be in different states.
Inactive
The default status after an account creation. The user can't log in.
There are 2 possibilities:
The new user created their own organization. They will receive an email with a link to activate their account.
The new user asked to join an organization. They will receive an email saying that they must wait until their account is activated by an admin.
Temporarily locked
If a user account is temporarily blocked due to too many failed login attempts, you can unblock it by going to the "Details" tab and turning off the "Temporarily locked" option.
This is Keycloak's built-in brute force protection.
See the Brute force Detection section for more information about the configuration of this protection.
The validation of the email for each user is currently not supported by GUM.
Groups
In this section you will be able to search groups.
Each organization is a group in Gazelle User Management :
The name of the group is the keyword of the organization
The id of the group is the hash of the keyword of the organization prefixed by "org:"
Events
In this section you will be able to see all the user events logged by Keycloak, such as a login, a login error or a logout.
In the "Event listeners" tab, you can configure which event listeners you want to use, if there is any. If you want to add a new event listener see here.
In the "User/Admin events settings", you can configure the management of the different events.
Sessions
It is possible to see all active sessions of users logged in to registered clients in the "Sessions" tab.
Session expiration
There is a custom Gazelle implementation regarding session expiration. The default Keycloak implementation doesn't manage the expiration of sessions on both the server and the client side.
The CAS server provides expiration information in the ticket delivered to the client. The authentication_timestamp and ticket_session_max_duration_seconds data give the client the possibility to check whether the session is still valid. In case of expiration, the client invalidates its own session in order to force a renewal of the ticket.
When the maximum duration of a session is reached (a few hours), the client will not be able to renew its ticket and will be redirected to the CAS login page.
To limit the possibility of de-synchronization between the session of the CAS server and that of the client, the ClientSessionIdleTimeout configuration of Keycloak must be lower than the SSOSessionIdleTimeout.
Here you can find the default configuration of the session timeouts (extract from the realm settings):
ssoSessionIdleTimeout: 40 minutes
ssoSessionMaxLifespan: 12 hours
clientSessionIdleTimeout: 20 minutes
clientSessionMaxLifespan: 12 hours
This configuration can be changed in the realm settings.
WARNING: It is not possible to set a specific timeout for a specific identity provider. If an identity provider is set up on a platform and it has a lower session timeout (let's say 5 minutes), the most restrictive configuration must be used as the global realm setting. So the clientSessionIdleTimeout shall be set to 5 minutes in the previous example.
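The client-side ticket check and the timeout rules of this section (ClientSessionIdleTimeout below SSOSessionIdleTimeout, and the most restrictive identity provider timeout bounding it) can be expressed as a small check, shown here as an added example that is not Gazelle's or Keycloak's own code. It assumes authentication_timestamp and ticket_session_max_duration_seconds are plain Unix-epoch seconds and uses the realm export representation of the timeouts (seconds) with the defaults listed above.

```python
# Realm timeouts in seconds, as a realm export represents them.
# Values are the gazelle defaults listed above (40 min, 12 h, 20 min, 12 h).
GAZELLE_REALM_TIMEOUTS = {
    "ssoSessionIdleTimeout": 40 * 60,
    "ssoSessionMaxLifespan": 12 * 3600,
    "clientSessionIdleTimeout": 20 * 60,
    "clientSessionMaxLifespan": 12 * 3600,
}


def ticket_session_valid(ticket, now):
    """Client-side check described above: the session is still valid while
    now is before authentication_timestamp + ticket_session_max_duration_seconds.
    Both attributes are assumed to be Unix-epoch seconds for this example."""
    started = int(ticket["authentication_timestamp"])
    max_age = int(ticket["ticket_session_max_duration_seconds"])
    return now < started + max_age


def check_realm_timeouts(timeouts, idp_idle_timeouts=()):
    """Findings for a realm timeout configuration: clientSessionIdleTimeout
    must stay below ssoSessionIdleTimeout and must not exceed the idle
    timeout of any brokered identity provider (the warning above)."""
    findings = []
    client_idle = timeouts["clientSessionIdleTimeout"]
    if client_idle >= timeouts["ssoSessionIdleTimeout"]:
        findings.append("clientSessionIdleTimeout is not lower than ssoSessionIdleTimeout")
    for idle in idp_idle_timeouts:
        if client_idle > idle:
            findings.append(f"clientSessionIdleTimeout ({client_idle}s) exceeds an "
                            f"identity provider idle timeout ({idle}s)")
    return findings


def apply_most_restrictive(timeouts, idp_idle_timeouts):
    """Return a copy where clientSessionIdleTimeout is lowered to the most
    restrictive identity provider timeout (5 min in the warning's example)."""
    fixed = dict(timeouts)
    fixed["clientSessionIdleTimeout"] = min([fixed["clientSessionIdleTimeout"], *idp_idle_timeouts])
    return fixed


# Constructed sample ticket: issued at t=1_700_000_000 for a 40 min session.
SAMPLE_TICKET = {"authentication_timestamp": 1_700_000_000,
                 "ticket_session_max_duration_seconds": 40 * 60}

if __name__ == "__main__":
    print(ticket_session_valid(SAMPLE_TICKET, 1_700_000_000 + 2400))  # False
    print(check_realm_timeouts(GAZELLE_REALM_TIMEOUTS, idp_idle_timeouts=[300]))
    print(apply_most_restrictive(GAZELLE_REALM_TIMEOUTS, [300])["clientSessionIdleTimeout"])  # 300
```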
Realm settings
Email
In this tab, you will be able to configure the email template (sender, sender display name, reply to, ...).
You can also edit the smtp configuration to make Keycloak use your smtp server.
Themes
In this tab, you will be able to choose which theme you want to use for the login page, the account console, the admin UI and for emails. As of today, only the login page and the emails have custom Gazelle themes, and they are configured to use them by default.
For more info on how to create and use your own custom theme, see here.
Security defenses
Brute force Detection
The brute force detection in the gazelle realm has the following settings:
Permanent Lockout: false
Max Login Failures: 5
Wait increment: 1 minute
Quick login check: 1 second
Minimum quick login wait: 1 minute
Failure Reset Time: 12 hours
The way this works is that if there are Max Login Failures during a period of Failure Reset Time, the account is temporarily disabled for the Wait Increment multiplied by the number of failures over the max. After Failure Reset Time is reached, all failures are wiped clean. The Max Wait is the maximum amount of time an account can be disabled. Another preventive measure is that if there are subsequent login failures for one account that are too quick for a human to initiate, the account will be disabled. This is controlled by the Quick Login Check value. So, if there are two login failures for the same account within that value, the account will be disabled for Minimum Quick Login Wait.
This configuration is accessible in Realm Settings -> Security Defenses -> Brute Force Detection.
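To see how the settings above combine, the following added example (not Keycloak's code) replays a sequence of failed-login timestamps for one account under the gazelle realm values and returns the temporary lockout applied after each failure. It assumes the "number of failures over the max" multiplier is the integer number of times Max Login Failures has been reached, and uses a placeholder of 15 minutes for Max Wait, whose value the guide does not list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BruteForcePolicy:
    """Brute force detection settings of the gazelle realm, in seconds
    (Quick login check in milliseconds, as the admin console shows it)."""
    max_login_failures: int = 5
    wait_increment: int = 60
    quick_login_check_ms: int = 1000
    minimum_quick_login_wait: int = 60
    failure_reset_time: int = 12 * 3600
    # Max Wait is mentioned above but its value is not listed: 900 s is an
    # ASSUMED placeholder, replace it with the realm's actual value.
    max_wait: int = 900


def lockout_seconds(policy, num_failures, ms_since_previous_failure):
    """Temporary lockout applied after the num_failures-th failure in the
    current window. The multiplier is taken (assumption) as the integer
    number of times Max Login Failures has been reached."""
    wait = policy.wait_increment * (num_failures // policy.max_login_failures)
    if (wait == 0 and ms_since_previous_failure is not None
            and ms_since_previous_failure < policy.quick_login_check_ms):
        # Two failures too quick for a human: Quick Login Check fires.
        wait = policy.minimum_quick_login_wait
    return min(wait, policy.max_wait)


def replay_failures(policy, failure_times_ms):
    """Replay failed-login timestamps (ms) for one account and return the
    lockout (seconds) applied after each. A gap longer than Failure Reset
    Time since the previous failure wipes the counter clean."""
    lockouts, count, previous = [], 0, None
    for t in failure_times_ms:
        if previous is not None and t - previous > policy.failure_reset_time * 1000:
            count = 0
        count += 1
        delta = None if previous is None else t - previous
        lockouts.append(lockout_seconds(policy, count, delta))
        previous = t
    return lockouts


if __name__ == "__main__":
    policy = BruteForcePolicy()
    # Constructed sample: five failures 10 s apart, then one more 0.5 s later.
    print(replay_failures(policy, [0, 10_000, 20_000, 30_000, 40_000, 40_500]))
    # [0, 0, 0, 0, 60, 60]
```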