Using federated accounts

You can link the UDiTH Portal account management to an external authentication provider, e.g. ADFS, using one of the authentication protocols supported by Keycloak. Authentication is then delegated to the referenced identity provider.

This document shows the configuration process based on the example of Microsoft Azure (Azure AD / Entra ID).

Basic configuration

1) Create a new Identity provider entry in the Keycloak administration UI

  • Select the application realm (default: uws)
  • Go to Configure/Identity providers
  • Add new User-defined provider: OpenID Connect v1.0

Fields to fill in:

  • Alias: Identifies the provider and can be set freely. It becomes part of the Redirect URI (/realms/<realm>/broker/<alias>/endpoint), so choose it before registering the app in Azure.
  • Discovery endpoint: Path to the .well-known/openid-configuration, e.g. for Azure AD: https://login.microsoftonline.com/<tenant id>/v2.0/.well-known/openid-configuration
  • Client ID: Obtained from the Azure app registration
  • Client Secret: Generated in the Azure app registration under Manage/Certificates & secrets. Treat it like a password and note its expiry date; federated logins fail once the secret has expired.
  • Advanced/Backchannel logout (optional): Recommended to be set to true. This ensures that logging out of UWS does not also log the user out of the identity provider.

2) Set up a new App registration in Microsoft Azure. Redirect URI: copy it from the read-only Redirect URI field at the top of the Keycloak identity provider form, for example http://localhost:8080/realms/uws/broker/oidc/endpoint. Azure only redirects to URIs registered exactly as entered; for a real deployment register the https URL of the UWS instance, the localhost value is only for a local test setup.

3) Configure API permissions. Under API permissions add the Microsoft Graph delegated permissions email, openid, profile and User.Read.

4) Try logging in to the UWS. There should now be an additional login option in the Keycloak login form.
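The same four steps, scripted against the Keycloak Admin REST API instead of the admin UI, as an added example (this is not code from the UDiTH Portal / UWS project). It derives the Redirect URI that step 2 needs from the realm and alias, checks that the URI is acceptable outside a local test, and translates a discovery document into the identity provider representation that Keycloak expects. The discovery document below is a constructed excerpt with a placeholder tenant id; the Keycloak base URL, realm, alias, client credentials and admin token are placeholders read from the environment.

```python
"""Create the Keycloak OpenID Connect identity provider for an Azure AD
(Entra ID) tenant via the Admin REST API. Added example; not part of the
UDiTH Portal / UWS project. URL, realm, alias and credentials are placeholders."""
import json
import os
import urllib.request
from urllib.parse import urlparse

# Constructed excerpt of what
# https://login.microsoftonline.com/<tenant id>/v2.0/.well-known/openid-configuration
# returns; only the fields Keycloak needs are listed. The tenant id is a placeholder.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "end_session_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/logout",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
}


def broker_redirect_uri(keycloak_base, realm, alias):
    """The Redirect URI Keycloak shows in the provider form; it must be
    registered verbatim in the Azure app registration (step 2)."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def redirect_uri_is_production_safe(uri):
    """Plain http is only acceptable for a local development instance: the
    authorization code is delivered to this URI."""
    u = urlparse(uri)
    return u.scheme == "https" or u.hostname in ("localhost", "127.0.0.1")


def build_identity_provider(alias, discovery, client_id, client_secret, backchannel_logout=True):
    """Translate the discovery document into the IdentityProviderRepresentation
    Keycloak expects. All config values are strings in Keycloak's model."""
    missing = [k for k in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
               if k not in discovery]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    config = {
        "issuer": discovery["issuer"],
        "authorizationUrl": discovery["authorization_endpoint"],
        "tokenUrl": discovery["token_endpoint"],
        "jwksUrl": discovery["jwks_uri"],
        "useJwksUrl": "true",          # fetch signing keys from the tenant's JWKS
        "validateSignature": "true",   # never accept unchecked ID tokens
        "clientId": client_id,
        "clientSecret": client_secret,
        "clientAuthMethod": "client_secret_post",
        "defaultScope": "openid profile email",
        "backchannelSupported": "true" if backchannel_logout else "false",
        "syncMode": "FORCE",
    }
    if "end_session_endpoint" in discovery:
        config["logoutUrl"] = discovery["end_session_endpoint"]
    if "userinfo_endpoint" in discovery:
        config["userInfoUrl"] = discovery["userinfo_endpoint"]
    return {
        "alias": alias,
        "displayName": "Microsoft Azure",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,  # keep Keycloak's own email verification in force
        "config": config,
    }


def create_identity_provider(keycloak_base, realm, admin_token, representation):
    """POST the representation; Keycloak answers 201 with a Location header."""
    req = urllib.request.Request(
        f"{keycloak_base.rstrip('/')}/admin/realms/{realm}/identity-provider/instances",
        data=json.dumps(representation).encode(),
        headers={"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    base, realm, alias = "http://localhost:8080", "uws", "oidc"  # placeholders
    uri = broker_redirect_uri(base, realm, alias)
    print("register in Azure:", uri, "" if redirect_uri_is_production_safe(uri) else "(dev only!)")
    rep = build_identity_provider(alias, SAMPLE_DISCOVERY,
                                  os.environ.get("AZURE_CLIENT_ID", "<client id>"),
                                  os.environ.get("AZURE_CLIENT_SECRET", "<client secret>"))
    print(json.dumps(rep, indent=2))
    token = os.environ.get("KEYCLOAK_ADMIN_TOKEN")  # only contacts Keycloak when a token is given
    if token:
        print("created, HTTP status", create_identity_provider(base, realm, token, rep))
```

In a real run, replace SAMPLE_DISCOVERY with the JSON fetched from the tenant's discovery endpoint; the admin token is one obtained from the master realm with the admin-cli client. Keeping validateSignature and useJwksUrl on is what makes Keycloak reject ID tokens not signed by the tenant's published keys.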

Additional configuration options

Use group synchronization

This allows UDiTH Portal to extract user groups from the external provider. The user groups are synchronized when the UWS restarts or when ForceRefresh is called in the Admin UI.

Create the groups to be synchronized in UDiTH Portal at ../administration/groups and assign each one the group's Object ID (a GUID) as shown in the Azure Portal. The group connection is established by matching this GUID against the values of the groups claim.

Allow requesting the groups claim in the Azure portal:

  • On the app registration's Token configuration page, add an additional groups claim and select the group types to include. The claim then carries the groups' object IDs, which is what the GUIDs entered above are matched against.

Relevant for Keycloak 24 and later, where the declarative user profile is always enabled and unmanaged attributes are rejected by default:

Create the "groups" attribute, because unmanaged attributes are no longer allowed by default. Go to Realm Settings / User profile and create an attribute called groups. (Enabling Unmanaged Attributes under Realm Settings / General also works, but allows every attribute rather than just this one.)

In the Keycloak identity provider settings, add a new entry under Mappers of type Attribute Importer. It copies the groups claim into the user's attribute. The UWS expects the User Attribute Name to be groups. If your identity provider's group claim is named differently, enter that name in the mapper's Claim field. Please note that the claim name is case-sensitive: a mapper configured for "groups" silently matches nothing if the token carries "Groups".

Sync mode: Defines when the mapper is executed

Options:

  • Force: Updates on every login (recommended, so that group changes in Azure take effect at the user's next login)
  • Import: Updates only when the user is initially created in Keycloak; later group changes are not picked up
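The group synchronization path above, checked end to end as an added example (not code from the UDiTH Portal / UWS project): the Attribute Importer mapper definition as Keycloak stores it, a decoder for the ID token payload so the groups claim can be inspected, a diagnosis of the three reasons the mapper would find no groups (claim missing, claim name with different case, Azure's overage substitution when a user is in more than 200 groups), and the GUID match against portal groups. The token, claims and portal group table are constructed samples, and the token is deliberately unsigned: Keycloak validates the real token's signature before any mapper runs, so no verification is attempted here.

```python
"""Check that the groups claim Azure AD (Entra ID) puts into the ID token
reaches the Keycloak 'groups' user attribute and resolves to UDiTH Portal groups.
Added example; not part of the UDiTH Portal / UWS project. The token is a
constructed, unsigned sample used only for reading claims."""
import base64
import json

# Constructed sample: two group object IDs (GUIDs) as the Azure Portal shows them.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "preferred_username": "alice@example.com",
    "groups": [
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
    ],
}

# Constructed mapping as entered under ../administration/groups: portal group -> Azure group GUID.
PORTAL_GROUPS = {
    "portal-admins": "11111111-1111-1111-1111-111111111111",
    "portal-users": "33333333-3333-3333-3333-333333333333",
}


def keycloak_groups_mapper(idp_alias, claim_name="groups"):
    """Identity-provider mapper as created under Mappers: an Attribute Importer
    that copies the claim into the 'groups' user attribute on every login."""
    return {
        "name": "groups",
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": "oidc-user-attribute-idp-mapper",
        "config": {"claim": claim_name, "user.attribute": "groups", "syncMode": "FORCE"},
    }


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Build an alg=none sample token for inspection only (never accept such tokens)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_payload(token):
    """Decode the payload segment without verification, as when reading the
    user_profile_dump log output."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def diagnose_groups_claim(claims, claim_name="groups"):
    """Explain why the mapper would find no groups: 'ok', 'missing',
    'case-mismatch:<name>' (claim names are case-sensitive) or 'overage'
    (Azure replaces the claim by _claim_names/_claim_sources when a user is
    in more than 200 groups; the groups then have to be read via Graph)."""
    if claim_name in claims:
        return "ok"
    if claim_name in (claims.get("_claim_names") or {}):
        return "overage"
    for name in claims:
        if name.lower() == claim_name.lower():
            return f"case-mismatch:{name}"
    return "missing"


def match_portal_groups(user_group_ids, portal_groups):
    """Resolve the GUIDs in the user's groups attribute to portal group names.
    GUIDs are compared case-insensitively since hex GUIDs get copied in either case."""
    by_guid = {guid.lower(): name for name, guid in portal_groups.items()}
    return sorted({by_guid[g.lower()] for g in user_group_ids if g.lower() in by_guid})


if __name__ == "__main__":
    claims = jwt_payload(make_unsigned_token(SAMPLE_CLAIMS))
    print(json.dumps(keycloak_groups_mapper("oidc"), indent=2))
    print(diagnose_groups_claim(claims))
    print(match_portal_groups(claims.get("groups", []), PORTAL_GROUPS))
```

When a user in many groups gets no groups at all after login, run diagnose_groups_claim on the payload from the user_profile_dump log: the overage result means the groups claim itself was never sent, which no mapper setting can fix.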

Import roles

You can add a further Mappers entry for this as well.

This is done using the Claim to Role mapper: it grants the selected Keycloak realm or client role when the named claim is present with the configured value.

Metadata customization

You can add further Mappers entries for this as well.

This is done by providing the desired user attributes. The relevant predefined mappers for this use case are Attribute Importer (copies a claim into a user attribute) and Hardcoded Attribute (sets a fixed value for every brokered user). For example, providing a user attribute named email fills the user's email entry.

Keycloak user attributes that map to the built-in profile fields:

  • username
  • firstName
  • lastName
  • email
  • emailVerified (does not seem to work at the moment)

Troubleshooting

You can use the following Keycloak start command (kc.sh on Linux) to log the claims received for a user on login:

kc.bat start --log-level="INFO,org.keycloak.social.user_profile_dump:debug"

This writes the complete profile returned by the identity provider, including email and group claims, to the log. Enable it only while debugging and remove it again afterwards.