Keycloak supports all the MFA and SSO standards. Users can choose (or be forced to use) an authenticator app, a hardware token, an e-mail code, etc.
Important: Old download plans and uploaded software without an owner will be deleted. The affected records were created by older versions of PDM.control, up to the end of 2020. Please note that the login names of migrated users may be changed if they contain characters that are invalid for Keycloak. Such characters are, for example:
Keycloak setup
Install and configure a Keycloak server, then set the properties of your PDM.control instance as shown in the example below.
pcon:
  keycloak:
    url: https://auth.pdm-dev.de
    realm: pdm-dev
    client-main-id: pdm-control
    client-private-id: pdm-control-private
    client-private-secret: "the_secret"
Inactive users
It is recommended to delete inactive users. This reduces the number of migrated users and therefore the number of dead objects in the database. Before deleting users, please check that they do not possess any important objects such as download plans, software descriptions, etc. Those objects will be deleted together with their owner.
It is required that there are no users with a Keycloak ID equal to null in the database before starting PDM.control v26.
If you want to delete users whose Keycloak ID is null, you first have to cascade-delete all objects owned by those users and then delete the users. Please note that the following objects will be deleted as well, including the related software descriptions and download plans:
- bonus_disposable
- download_plan - planned PDM updates may be aborted, history made by that user will be lost
- forwarding_rule - some message forwarding may be removed
- remote_action - planned remote actions may be aborted, history made by that user will be lost
- software_description - software uploaded by that user will become inaccessible
-- Replace the user foreign keys with cascading versions (drop, then re-add with ON DELETE CASCADE)
ALTER TABLE IF EXISTS control.bonus_disposable DROP CONSTRAINT IF EXISTS fk_bonus_disposable__user;
ALTER TABLE IF EXISTS control.bonus_disposable
    ADD CONSTRAINT fk_bonus_disposable__user FOREIGN KEY (creator_id)
    REFERENCES control.user_authentication (usa_id) MATCH SIMPLE
    ON UPDATE CASCADE
    ON DELETE CASCADE;

ALTER TABLE IF EXISTS control.software_description DROP CONSTRAINT IF EXISTS fk_sw_description__user;
ALTER TABLE IF EXISTS control.software_description
    ADD CONSTRAINT fk_sw_description__user FOREIGN KEY (swd_author_id)
    REFERENCES control.user_authentication (usa_id) MATCH SIMPLE
    ON UPDATE CASCADE
    ON DELETE CASCADE;

ALTER TABLE IF EXISTS control.download_plan DROP CONSTRAINT IF EXISTS fk_download_plan__user;
ALTER TABLE IF EXISTS control.download_plan
    ADD CONSTRAINT fk_download_plan__user FOREIGN KEY (dwp_modified_by)
    REFERENCES control.user_authentication (usa_id) MATCH SIMPLE
    ON UPDATE CASCADE
    ON DELETE CASCADE;

-- Delete users without a Keycloak ID; the cascades remove their dependent objects
DELETE FROM control.user_authentication WHERE usa_kc_id IS NULL;
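As an added example (not part of the original notes or of PDM.control), the pre-deletion check recommended above written as a per-user impact report, followed by a guarded variant of the DELETE that skips users who still own software descriptions or download plans. It uses only the column names that appear in the migration statements and assumes PostgreSQL, as the statements on this page do.

```sql
-- Impact report: what each user without a Keycloak ID currently owns.
-- Review this output before running any cascading DELETE.
SELECT
    u.usa_id,
    (SELECT count(*) FROM control.bonus_disposable b
      WHERE b.creator_id = u.usa_id)        AS bonus_disposables,
    (SELECT count(*) FROM control.software_description s
      WHERE s.swd_author_id = u.usa_id)     AS software_descriptions,
    (SELECT count(*) FROM control.download_plan d
      WHERE d.dwp_modified_by = u.usa_id)   AS download_plans
FROM control.user_authentication u
WHERE u.usa_kc_id IS NULL
ORDER BY u.usa_id;

-- Guarded deletion inside a transaction: only users that own no software
-- description and no download plan are removed. Users that still own such
-- objects are kept so they can be re-assigned or given a UUID instead.
BEGIN;

DELETE FROM control.user_authentication u
WHERE u.usa_kc_id IS NULL
  AND NOT EXISTS (SELECT 1 FROM control.software_description s
                   WHERE s.swd_author_id = u.usa_id)
  AND NOT EXISTS (SELECT 1 FROM control.download_plan d
                   WHERE d.dwp_modified_by = u.usa_id)
RETURNING u.usa_id;

-- Whatever is left with a NULL Keycloak ID still owns important objects.
-- PDM.control v26 will not start until this count is zero.
SELECT count(*) AS users_still_without_keycloak_id
FROM control.user_authentication
WHERE usa_kc_id IS NULL;

-- COMMIT;   -- when the RETURNING list and the remaining count look right
-- ROLLBACK; -- otherwise, nothing has been deleted
```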
Alternatively, a random UUID can be generated for users with a null Keycloak ID. They will appear as deleted in PDM.control, but their related objects will stay persisted.
UPDATE control.user_authentication SET usa_kc_id = gen_random_uuid() WHERE usa_kc_id IS NULL;
Alternatively, a contiguous sequence of UUIDs can be used.
WITH numbered_rows AS (
    SELECT
        ctid,
        ROW_NUMBER() OVER (ORDER BY usa_id ASC) AS row_num
    FROM control.user_authentication
    WHERE usa_kc_id IS NULL
    ORDER BY usa_id
)
UPDATE control.user_authentication
SET usa_kc_id = ('00000000-0000-0000-0000-' || LPAD(numbered_rows.row_num::text, 12, '0'))::uuid
FROM numbered_rows
WHERE control.user_authentication.ctid = numbered_rows.ctid;
APIs for external systems
The APIs for external systems historically used Basic Authentication with user credentials. They are now protected by Keycloak and require an access token for authentication. During the transition period both authentication methods are supported. Users are encouraged to switch to OAuth2 authentication; Basic Authentication will be removed in a future version of PDM.control.
User migration
Before deploying PDM.control v26, all users must be migrated to Keycloak. Please use the tool provided by RTB to migrate users. After that, PDM.control can be started with Keycloak authentication.
Payzee integration
Payzee integration is supported. To configure it, create an OAuth2 client configuration like this:
spring:
  security:
    oauth2:
      client:
        registration:
          payzee-client:
            provider: payzee-provider                                  # (1)
            client-id: "<client-id>"
            client-secret: "<client-secret>"
            authorization-grant-type: client_credentials               # (2)
            client-authentication-method: client_secret_basic          # (3)
            scope:
              - openid
        provider:
          payzee-provider:
            token-uri: "https://sta.auth.payzee.ch/realms/Payzee/protocol/openid-connect/token"  # (4)
(1) Keep this provider name; it is referenced from the source code. The remaining parameters should be provided by Payzee.
(2) Verify with Payzee.
(3) Verify with Payzee.
(4) This may be a test system. Ask Payzee for the correct URI.
Then enable the feature in the Area and configure PDM.