Introduction
The Labforward platform comes with a centralized Identity & Access Management (IAM) system powered by Keycloak.
This article explains how to access the User Administration portal.
First-Time Access
After the IAM application is deployed, a root user is created with the credentials defined in the Replicated Panel.
We use this root user to apply the configuration to the application. Although you can log in to the admin console with this user, we strongly recommend creating a specific user for your administrative tasks. Problems with this root user might cause irreversible damage to the application.
The username of the root account is visible through the option “Show IAM Admin Username”. The password was set during the first installation and can be found in the option “IAM Admin Password”. Changing the “IAM Admin Password” without proper care could cause irreversible issues with the application.
After installation, you can retrieve the IAM Admin Password with the following kubectl command:
kubectl get secrets/keycloak-secret -n YOUR_NAMESPACE_NAME --template='{{.data.KEYCLOAK_ADMIN_PASSWORD}}' | base64 --decode
You can use both of these pieces of information to log in as the root superuser.
Exposing the Admin Panel
In the Replicated Panel, select the option “Expose IAM Admin Resources”, save the configuration, and deploy the application.
As good practice, always disable the Admin Interface after performing your actions.
Accessing the Admin Panel
After the initialization of the new deployment, the admin panel is available through the URL:
https://account.{on-prem-domain}/admin/master/console/
Note: The login page for the admin panel does not offer options for registration.
Adding the First Admin User
Make sure that you are in the Master realm (top left menu), then go to the Users section and click the Add user button.
Provide the user information and a username of your choice (labforward_admin is just an example in the following screenshot), then click the Create button. The username can be an email address, for example.
After the user is created, click the Credentials tab at the top, set the password, and confirm it. Make sure the Temporary switch is off, and make sure that the password is complex enough for an admin user.
Then, in the Role Mapping section at the top, select Assign role to assign the admin roles to the user.
In the dropdown menu, select Filter by clients, and filter with labforward-realm. Assign the following roles:
manage-realm
manage-users
view-clients
view-events
view-realm
view-users
manage-identity-providers
view-identity-providers
If the user needs to use the “impersonate” functionality in Keycloak, the impersonation permission must also be added to the list.
Now you can log out and access the admin panel using the username and password of the admin user that you created. From this point, it is better to access the admin panel only with the freshly created admin user.
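An added example, not part of the original article or Labforward's tooling: a Python check that compares a user's client role mappings against the role list above and reports missing roles, extra roles, and any impersonation grant. It assumes the mappings were exported as a JSON array of objects that each carry a name field; the function name and the sample data are constructed for illustration.

```python
import json

# Client roles the article assigns from the labforward-realm client.
BASELINE = frozenset({
    "manage-realm", "manage-users", "view-clients", "view-events",
    "view-realm", "view-users", "manage-identity-providers",
    "view-identity-providers",
})
# Optional per the article; lets the holder act as other users, so it is tracked separately.
OPTIONAL_SENSITIVE = frozenset({"impersonation"})


def audit_client_roles(role_mappings_json, allow_impersonation=False):
    """Compare a user's client role mappings with the article's list.

    role_mappings_json: JSON array of role objects with a "name" field
    (assumed export format, see SAMPLE below).
    Returns a dict of sorted lists: missing, unexpected, sensitive.
    """
    roles = json.loads(role_mappings_json)
    if not isinstance(roles, list):
        raise ValueError("expected a JSON array of role objects")
    assigned = set()
    for role in roles:
        if not isinstance(role, dict) or not isinstance(role.get("name"), str):
            raise ValueError(f"role entry without a name: {role!r}")
        assigned.add(role["name"])
    allowed = BASELINE | (OPTIONAL_SENSITIVE if allow_impersonation else frozenset())
    return {
        "missing": sorted(BASELINE - assigned),
        "unexpected": sorted(assigned - allowed),
        "sensitive": sorted(assigned & OPTIONAL_SENSITIVE),
    }


# Constructed sample: one baseline role missing, impersonation and one extra role present.
SAMPLE = json.dumps(
    [{"name": n, "clientRole": True} for n in sorted(BASELINE - {"view-events"})]
    + [{"name": "impersonation", "clientRole": True},
       {"name": "create-client", "clientRole": True}]
)

if __name__ == "__main__":
    for key, names in audit_client_roles(SAMPLE).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Pass allow_impersonation=True for accounts that are meant to hold the impersonation permission; it is then still listed under sensitive but no longer under unexpected.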
Change Password
In case an administrative user needs to change their password, there are two ways of performing this action:
1. When logged in with the administrative user, navigate to the Manage Account section, and change your password there. It is necessary to re-authenticate after the action.
After clicking on Manage Account, you are redirected to IAM, where you need to navigate to Settings and click on the button CHANGE next to the Password field.
2. The second option is changing the user's password when logged in with the root user. Even though this is possible, we recommend the first option.