Description
RayFlow 8.0 can utilise KeyCloak either as its default Identity and Access Management (IAM) interface or as a middleman for another IAM product.
KeyCloak
The following KeyCloak client configuration is the minimum required for KeyCloak 26.0.7 to function with RayFlow:
Settings tab
General Settings
- Client ID = RayFlow (can be called something else)
- Name = RayFlow (can be called something else)
Access settings
- Valid redirect URIs = http(s)://<FQDN, hostname or IP Address>/RayFlow/Account/LoginKeyCloak
Capability config
- Client authentication = disabled (only needs to be enabled to generate the secret)
- Authentication flow
  - Standard flow = enabled
  - Direct access grants = enabled
Logout settings
- Front channel logout = enabled
- Backchannel logout session required = enabled
Credentials tab
- Client Authenticator = Client Id and Secret
- Client secret = regenerate, save, copy, paste into Web.config file
Advanced tab
Open ID Connect Compatibility Modes
- Exclude Session State From Authentication Response = enabled
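An added example, not RayFlow's or KeyCloak's own tooling: a Python check that compares a client exported from the KeyCloak admin console against the settings listed above. The JSON field and attribute names are those of KeyCloak's client representation; the sample export, the placeholder host name and the extra findings for wildcard or plain-HTTP redirect URIs are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/RayFlow/Account/LoginKeyCloak"
# Console setting from the list above -> (field in the exported JSON, expected value)
EXPECTED_FIELDS = {
    "Client authentication = disabled": ("publicClient", True),
    "Standard flow = enabled": ("standardFlowEnabled", True),
    "Direct access grants = enabled": ("directAccessGrantsEnabled", True),
    "Front channel logout = enabled": ("frontchannelLogout", True),
}
# Settings stored as string attributes ("true"/"false") in the export
EXPECTED_ATTRS = {
    "Backchannel logout session required": "backchannel.logout.session.required",
    "Exclude Session State From Authentication Response":
        "exclude.session.state.from.auth.response",
}

def audit_client(export_json):
    """Return a list of deviations from the settings listed above."""
    client = json.loads(export_json)
    findings = []
    for label, (field, want) in EXPECTED_FIELDS.items():
        if client.get(field) is not want:
            findings.append(f"{label}: export has {field}={client.get(field)!r}")
    attrs = client.get("attributes") or {}
    for label, key in EXPECTED_ATTRS.items():
        if str(attrs.get(key, "")).lower() != "true":
            findings.append(f"{label}: attribute {key} is not 'true'")
    for uri in client.get("redirectUris") or []:
        parts = urlsplit(uri)
        if "*" in uri:
            findings.append(f"{uri}: wildcard instead of the exact callback URI")
        elif parts.path != CALLBACK_PATH:
            findings.append(f"{uri}: path is not {CALLBACK_PATH}")
        if parts.scheme != "https":  # extra check, not a RayFlow requirement
            findings.append(f"{uri}: authorization code returned over plain HTTP")
    return findings

# Constructed sample export; rayflow.example.test is a placeholder host.
SAMPLE_EXPORT = json.dumps({
    "clientId": "RayFlow", "publicClient": True, "standardFlowEnabled": True,
    "directAccessGrantsEnabled": False, "frontchannelLogout": True,
    "attributes": {"backchannel.logout.session.required": "true"},
    "redirectUris": ["http://rayflow.example.test/RayFlow/Account/LoginKeyCloak",
                     "https://rayflow.example.test/*"],
})

if __name__ == "__main__":
    print("\n".join(audit_client(SAMPLE_EXPORT)))
```
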
Web.config
Stop RayFlow's IIS application pool and then configure its Web.config file similar to the below example before starting it again:
The DefaultProjectId key is only required if you would like KeyCloak to create new users in RayFlow. RayFlow users are global entities within a RayFlow instance, so for instances that have multiple projects you may wish to create an empty project just for new user creation. A RayFlow administrator can then assign the new users to the relevant project(s) and to the users' required group(s).
Known Issues
When KeyCloak is being used, neither the RayFlow PowerShell Module, the RayFlow Client, nor the RayPack Studio products can log into RayFlow anymore. This is probably also the case for RayFlow connectors and some of its plugins.