Integrating an Identity Provider

yuuvis® RAD 10.x

For authentication purposes, identity providers like Keycloak and Azure AD/Entra ID can be connected to yuuvis® RAD gateway using OpenID Connect/OAuth2.

When yuuvis® RAD service-manager is installed, the profile files gateway-azure.yml and gateway-keycloak.yml are installed in the \config directory.

Configure the profile for the identity provider you use and then activate it for the gateway service via the servicewatcher-sw.yml file.

You need to restart yuuvis® RAD gateway after configuring and integrating the profiles.

When an identity provider is integrated, the Change password function is not available in yuuvis® RAD client.

Profile Files

To configure a profile, you need the connection data of the identity provider: the issuer URI of the tenant or realm, and the client ID and client secret of the client that is registered there for yuuvis® RAD gateway. The client secret is stored in clear text in the profile file, so restrict read access to the \config directory to the account that runs the services. The issuer-uri is also the address from which the gateway fetches the provider's discovery document and token signing keys, so use an https URL for it outside of local test setups (the Keycloak example below uses a plain http placeholder).

OAuth2 authentication is activated in the profile files via the authentication.filter.oauth2 parameter.

Azure AD/Entra ID

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          user-name-attribute: name
          issuer-uri: https://login.microsoftonline.com/<tenant-ID>/v2.0
      client:
        registration:
          azure:
            provider: azure
            client-id: <client-ID>
            client-secret: <client-secret>
            scope:
              - openid
              - email
        provider:
          azure:
            issuer-uri: ${spring.security.oauth2.resourceserver.jwt.issuer-uri}
            user-name-attribute: ${spring.security.oauth2.resourceserver.jwt.user-name-attribute}

See the developer documentation for information on configuring Azure AD/Entra ID.

Keycloak

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          user-name-attribute: name
          issuer-uri: http://<host>:<port>/realms/<realm>
      client:
        registration:
          keycloak:
            provider: keycloak
            client-id: <client-ID>
            client-secret: <client-secret>
            scope:
              - openid
              - email
        provider:
          keycloak:
            issuer-uri: ${spring.security.oauth2.resourceserver.jwt.issuer-uri}
            user-name-attribute: ${spring.security.oauth2.resourceserver.jwt.user-name-attribute}

Integration of the Profiles

Profiles are assigned to the 'gateway' service via the profiles parameter in the servicewatcher-sw.yml file.

Append the configured profile (azure or keycloak) at the end of the list of assigned profiles. The position matters: Spring Boot applies profile-specific properties in the order in which the profiles are listed, with later profiles overriding earlier ones, so the identity provider profile must come last for its settings to take effect.

Example:

- name: gateway
  type: microservice
  profiles: prod,cloud,red,azure
  instances: 1
  memory: 256M
  port: 80
  path: ${appBase}/gateway/gateway-app.jar
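As an added pre-flight check (example code written for this page, not part of yuuvis® RAD), the following script parses a profile file of the form shown above together with the gateway entry of servicewatcher-sw.yml and reports the configuration mistakes worth catching before the restart: template values such as <client-ID> that were never replaced, an issuer-uri that is not https, a provider issuer that differs from the one used for token validation, a missing openid scope, and an identity provider profile that is not the last entry of the gateway's profiles. The sample profile and servicewatcher entry embedded in it are constructed copies of the examples above with fictitious values (sso.example.com, yuuvis-gateway, not-a-real-secret); the parser handles only the YAML subset those files use and resolves ${...} references the way Spring does.

```python
"""Pre-flight checks for a gateway identity-provider profile (added example, not yuuvis RAD code)."""
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")  # Spring ${a.b.c} property reference
UNFILLED = re.compile(r"<[^>]*>")            # template value such as <client-ID>

def parse_yaml_subset(text):
    """Parse the 2-space-indented maps, scalars and '- item' lists the profiles use."""
    root = {}
    stack = [(-1, root, None, None)]         # (indent, container, parent, key)
    for raw in filter(str.strip, text.splitlines()):
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        while stack[-1][0] >= indent:        # leave blocks that are deeper or siblings
            stack.pop()
        depth, container, parent, key = stack[-1]
        if line.startswith("- "):            # first item turns the empty map into a list
            if isinstance(container, dict):
                container = parent[key] = []
                stack[-1] = (depth, container, parent, key)
            container.append(line[2:].strip())
            continue
        k, _, v = line.partition(":")
        if v.strip():
            container[k.strip()] = v.strip()
        else:                                # a nested block follows
            container[k.strip()] = child = {}
            stack.append((indent, child, container, k.strip()))
    return root

def get(cfg, dotted):
    """Look up a dotted key and expand ${a.b.c} references, as Spring does at startup."""
    node = cfg
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    if isinstance(node, str):                # unknown references are left as they are
        node = PLACEHOLDER.sub(lambda m: str(get(cfg, m.group(1)) or m.group(0)), node)
    return node

def check_profile(cfg, registration):
    """Findings for one registration ('keycloak' or 'azure'); an empty list means OK."""
    findings, base = [], "spring.security.oauth2"
    issuers = {k: get(cfg, f"{base}.{k}") for k in
               ("resourceserver.jwt.issuer-uri", f"client.provider.{registration}.issuer-uri")}
    for where, uri in issuers.items():
        if not uri or UNFILLED.search(uri):
            findings.append(f"{where} is missing or still a template value: {uri}")
        elif not uri.startswith("https://"):
            # discovery document and signing keys (JWKS) come from this URL; over plaintext an on-path attacker can supply its own keys
            findings.append(f"{where} is not https: {uri}")
    if len(set(issuers.values())) > 1:
        findings.append("login provider and token validation point at different issuers")
    reg = get(cfg, f"{base}.client.registration.{registration}") or {}
    for field in ("client-id", "client-secret"):
        if not reg.get(field) or UNFILLED.fullmatch(reg[field]):
            findings.append(f"client.registration.{registration}.{field} is still a template value")
    if "openid" not in (reg.get("scope") or []):
        findings.append("scope must contain openid, otherwise no ID token is requested")
    return findings

def check_servicewatcher(text, profile):
    """The identity-provider profile must be the last profile of the gateway service."""
    service = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("- name:"):
            service = line.split(":", 1)[1].strip()
        elif service == "gateway" and line.startswith("profiles:"):
            profiles = [p.strip() for p in line.split(":", 1)[1].split(",") if p.strip()]
            if profile not in profiles:
                return [f"gateway profiles {profiles} do not include {profile}"]
            return [] if profiles[-1] == profile else [f"{profile} must be last in {profiles}"]
    return ["no profiles line for the gateway service found"]
# Constructed sample: gateway-keycloak.yml as shipped, before any editing.
SHIPPED_KEYCLOAK = """\
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          user-name-attribute: name
          issuer-uri: http://<host>:<port>/realms/<realm>
      client:
        registration:
          keycloak:
            provider: keycloak
            client-id: <client-ID>
            client-secret: <client-secret>
            scope:
              - openid
              - email
        provider:
          keycloak:
            issuer-uri: ${spring.security.oauth2.resourceserver.jwt.issuer-uri}
            user-name-attribute: ${spring.security.oauth2.resourceserver.jwt.user-name-attribute}
"""
# Constructed sample: the same file after filling in a fictitious realm, client and secret.
EDITED_KEYCLOAK = (SHIPPED_KEYCLOAK.replace("http://<host>:<port>/realms/<realm>", "https://sso.example.com/realms/yuuvis")
                   .replace("<client-ID>", "yuuvis-gateway").replace("<client-secret>", "not-a-real-secret"))
# Constructed sample: gateway entry of servicewatcher-sw.yml with the profile appended last.
SERVICEWATCHER = "- name: gateway\n  type: microservice\n  profiles: prod,cloud,red,keycloak\n"
```

To run it against the real files, read them with open(...).read() in place of the embedded samples and call check_profile(parse_yaml_subset(profile_text), "keycloak") or "azure", and check_servicewatcher(servicewatcher_text, profile); a non-empty list of findings means the profile should not be activated yet.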

Configuration for yuuvis® RAD agent

If yuuvis® RAD agent is used in an environment with an identity provider and OpenID Connect/OAuth2, its installation requires a corresponding entry in the connections.json configuration file and an additional configuration file that provides the connection data for the identity provider.