Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

In production environments it is recommendet to connect Smartfacts directly to your OIDC provider. In this case no Keycloak and no CAMP component is deployed. There will be no pre-provisioning of users. As soon as a user logs in into Smartfacts, he will be provisioned on the fly.

Configuration of the OIDC client or application in your OIDC provider

Add valid Redirect URIs

In the client of you OIDC provider, add the following URLs to the list of valid redirect URLs.

  • https://smartfacts.<domain>

  • https://smartfacts.<domain>/login

  • https://genoslc.<domain>/login/oauth2/code/custom

  • https://genoslc-jama.<domain>/login/oauth2/code/custom
    (if you use OIDC to Jama Connect)

  • https://genoslc-codebeamer.<domain>/login/oauth2/code/custom
    (if you use OIDC to Codebeamer)

This list uses the default sub domains of Smartfacts. If you changed sub domains in your deployment, please adopt the values accordingly.

Set Grant Type

Set the grant type to authorization_code

Configure the deployment

Disable deployment of CAMP and Keycloak components

To disable the deployment of the CAMP and the Keycloak, add the following two lines in the values file:

camp:
  enabled: false
keycloak:
  enabled: false

Make sure, that you do not already have section for camp and Keykloak in your values file. If so, replace them.

Configure the connection to the OIDC provider

In the “global” section of your values file add the information of you OIDC provider:

  secrets:
    oauth2:
      wellknown: "https://<OIDC provider>/auth/realms/<REALM>/.well-known/openid-configuration"
    smartfacts:
      clientId: "<OIDC client>"
      clientSecret: "<OIDC client secret>"
  identity:
    OIDC_ISSUER: "https://<OIDC provider>/auth/realms/<REALM>"
  url:
    spa:
      scopes: "sf:bpm" # state the scopes here in a space separated list
      nonce: "false"
      state: "false" # if true, Smartfacts generates a state parameter while getting the token from the OIDC provider.

In lines 3 and 8 replace the placeholder <OIDC provider> with the adress of you OIDC provider and the placeholder <REALM> with the name of the realm in your OIDC provider

In line 5 replace the placeholder <OIDC client> with the name of the client in your OIDC provider.

In line 6 replace the placeholder <OIDC client secret> with the client secret of the client.

Configure access rules

In a second step access rules and optional groups must be configured. To do so create a new text file “group-rules.yaml” and paste the following text into it:

global:
  lcam:
    rules:
      - claim: "email"
        value:
          - "@"
        groupName: Smartfacts Users
        groupLicence:
          - LIC_SMARTFACTS_USER
        accountName: Smartfacts Account
      - claim: "email"
        value:
          - accound.administrator@your.domain
        groupName: Account Administrators
        groupLicence:
          - LIC_SMARTFACTS_USER
        accountName: Smartfacts Account

To adopt the rules to your environment, configure the necessary information in the file.

Configure Allowed email adresses

Line 8 is a pattern for all valid email-Adresses of the users. So the value “@” allows all users known by your OIDC provider to login into Smartfacts.

Configure Account administrators

Please replace line 13 with the email adress of the person who will be account addministrator. By inserting more lines (all starting with “-”) you can add additional account administrators.

Redeploy Smartfacts

For the deployment, additionally state the file “group-rules.yaml“ in the upgrade command.

sudo helm upgrade --install --timeout 20m0s smartfacts mid-smartfacts/smartfacts -f values.yaml -f group-rules.yaml --version 4.6.0-genoslcv2 -n smartfacts --create-namespace

  • No labels