Create, configure and use an identity provider

The BPC requires the connection of an external identity provider (IdP). The BPC offers the corresponding settings for configuring the external IdP in the administration area. To do this, an identity provider is created in the BPC under Backend Connections and is then defined as the identity provider to be used in the Core Services settings.

When the BPC is started, an identity provider Backend Connection is created for the local Karaf with the ID idp_karaf and the name Karaf (default). This is also used immediately as the active identity provider.

Keycloak[1] is recommended as the identity provider. Keycloak is open source and implements standards such as OpenID Connect and SAML. It can also be used to map very complex scenarios.

Creating and configuring identity providers

Identity providers are generally created via Backend Connections.

General identity provider configuration

The following configuration parameters can be found on Backend Connections of type identity_provider.

Settings for the AdditionalInfo group are described at Add additional organizations/roles/rights and other data to the user session.

Setting (Key) | Group | Type | Description
--- | --- | --- | ---
IdentityProvider (identityProvider) | Config | text/combobox | Identity provider service. Values: Datenbank (JDBC), Karaf, Keycloak, OpenID Connect (OIDC). Default: Karaf
IdentityProvider_URL (identityProvider.url), only BPC version < 4.2.13 | Config | text | The URL at which the identity provider can be reached.
IdentityProvider_Configuration (identityProvider_configuration), only BPC version < 4.2.13 | Config | json | Configuration object for the identity provider. Relevant for Keycloak and OIDC.
IdentityProvider_Mappings (identityProvider_mappings) | Config | json | Mapping of roles between the BPC and the identity provider. See Mapping of organizations, roles and rights.
IdentityProvider_HealthEndpoint (identityProvider_healthEndpoint) | Config | text | Health endpoint of the identity provider. If set, the status of the identity provider can be queried via the Status API.
IdentityProvider_PasswordValidationRegExp (identityProvider_pwdValidationRegExp) | Config | text | Regular expression (see the Java documentation) for validating passwords. For example, with .{8,} the password must be at least 8 characters long. A more complex example is broken down below this table.
IdentityProvider_ChangeOrganizationEnabled (identityProvider_ussChangeOrganisationEnabled) | Frontend | bool | Enables (true) or disables (false) changing the organization in the interface. Default: false
IdentityProvider_ChangePasswordEnabled (identityProvider_ussChangePasswordEnabled) | Frontend | bool | Enables (true) or disables (false) changing the password in the interface. Default: false

Complex example for IdentityProvider_PasswordValidationRegExp, consisting of several parts: (?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])(?=\S+$).{8,}

  • (?=.*[0-9]) - At least one digit

  • (?=.*[a-z]) - At least one lowercase letter

  • (?=.*[A-Z]) - At least one uppercase letter

  • (?=.*[@#$%^&+=]) - At least one special character from the set @#$%^&+=

  • (?=\S+$) - No spaces (whitespace)

  • .{8,} - At least 8 characters in total
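As an added illustration that is not part of the BPC documentation, the following Python script applies the complex password expression from IdentityProvider_PasswordValidationRegExp and reports which part a rejected password violates. It assumes the BPC matches the expression against the whole password, as Java's String.matches() does; the sample passwords are constructed.

```python
import re

# The policy from the documentation's complex example, as it would be entered
# in IdentityProvider_PasswordValidationRegExp.
PASSWORD_POLICY = r"(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])(?=\S+$).{8,}"

# The individual parts of the policy with the requirement each one enforces.
POLICY_PARTS = [
    (r"(?=.*[0-9])", "at least one digit"),
    (r"(?=.*[a-z])", "at least one lowercase letter"),
    (r"(?=.*[A-Z])", "at least one uppercase letter"),
    (r"(?=.*[@#$%^&+=])", "at least one special character"),
    (r"(?=\S+$)", "no whitespace"),
    (r".{8,}", "at least 8 characters"),
]


def password_is_valid(password: str, pattern: str = PASSWORD_POLICY) -> bool:
    """True if the whole password satisfies the policy pattern.

    Assumption: the BPC behaves like Java's String.matches(), which only
    succeeds when the entire input matches. re.fullmatch() is the Python
    equivalent. re.search() would wrongly accept "bad Passw0rd@" (it finds
    a valid tail) and re.match() would accept "Passw0rd@\n" (the trailing
    newline is left unconsumed), so neither is a faithful check.
    """
    return re.fullmatch(pattern, password) is not None


def failed_requirements(password: str) -> list[str]:
    """Names of the policy parts the password does not satisfy.

    Each part is tested on its own, followed by .* so that fullmatch can
    consume the rest of the string. This lets a validator tell the user which
    rule was broken instead of only reporting "does not match".
    """
    return [
        requirement
        for part, requirement in POLICY_PARTS
        if re.fullmatch(part + ".*", password) is None
    ]


if __name__ == "__main__":
    # Constructed sample passwords; note that "!" is not in the special set.
    for candidate in ["Passw0rd@", "Passw0rd!", "Pass w0rd@", "password"]:
        print(repr(candidate), password_is_valid(candidate), failed_requirements(candidate))
```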

Specific identity provider configuration

Specific information on how to configure the supported identity providers:

In addition to the specific configurations, there are also some that can be configured or used for each identity provider:

Use identity provider

One of the identity providers created above can now be defined in Core Services → Settings as the (active) IdP to be used. If it is no longer possible to log in with this IdP afterwards, you will find a solution under Forcing the local IdP as a fallback.

Setting (Key) | Group | Type | Description
--- | --- | --- | ---
IdentityProvider_BackendConnection (identityProviderBackendConnection) | identityProvider | text/combobox | Selection of the Identity Provider Backend Connection to be used.

[Screenshot: selecting the active identity provider]

Click on "Save". You will then be logged out and must log in again; the new identity provider is used from that point on.


1. Keycloak is a trademark of The Linux Foundation
