Configure OpenID Connect

---

SEAL Print Client authenticates users only via the OAuth2.0 and OpenID Connect protocol. For this, an identity server is required. SEAL Systems provides a Keycloak Identity Server with the default installation. Other identity servers can be used.

Clients receive the user's identity encoded in a secure JSON Web Token (JWT), called an ID token. It is issued by an identity server like Keycloak and obtained via the standard OAuth 2.0 code flow supporting web applications.

For example a JWT contains:

{
  "name": "hugo",
  "preferred_username": "Hugo",
  "given_name": "Hugo",
  "family_name": "",
  "email": "hugo@sealsystems.de",
  "iat": 1546860576,
  "exp": 1572780576,
  "iss": "http://<server_name>:32768/auth/realms/seal-operator",
  "sub": "hugos-id"
}

---

Configure the SEAL Print Client

The issuer property (iss) in the ID token is a unique name created by the identity provider. It's value is an arbitrary string which differs for each identity provider and has to be determined individually.

In the special case of keycloak as identity provider the value contains the URL with which the service is accessed over the network. Therefore the value shown in the example above will change if the service is accessed from an other machine as localhost.

This is important to know because for security reasons the ID_PROVIDER_NAME entry in the SEAL Print Client configuration has to be identical with the iss entry in the ID token and needs to be configured.

Whereas the AUTH_ISSUER_URL contains a URL pointing to the address the identity server is accessible over the network. In the special case of keycloak as identity provider the value of this this entry is identical with the ID_PROVIDER_NAME entry.

---

Change the settings in the configuration

1. To change the settings open the configuration file:

   • C:\ProgramData\SEAL Systems\operator\config\operator.yml.

   Literature - configuration file

   For further information, refer to SEAL Print Client Operator Server Configuration File.

---

Change Localhost to Servername

1. Change localhost in ID_PROVIDER_NAME and AUTH_ISSUER_URL to the hostname. Use the FQDN of the server.

The configuration file contains some global properties...

Struktur beschreiben.

env:
  service:
    any:
      tag:
        any:
          ID_PROVIDER_NAME: https://<server_name>:32769/auth/realms/SEAL

...and some service properties, e.g. for operator-ui

    operator-ui:
      tag:
        any:
          AUTH_ISSUER_URL: https://<server_name>:32769/auth/realms/SEAL

---

Change the Redirect URI on Open ID Service

Die Redirect URL muss geändert werden in OpenID Service. Bei Keycloak geht das so.

Achtung: Server Name ist case sensitive! Hostname in klein schreiben!

1. Open the Keycloak administrator user interface.

2. Log on with admin, SealAdmin1.

3. In Clients, select seal-print-client in column Client ID.

4. Select seal-print-client.

5. In Valid Redirect URIs, enter a URI with the same hostname as used for ID_PROVIDER_NAME respectively AUTH_ISSUER_URL.

6. In Web Origins, enter a URI with the same hostname as used for ID_PROVIDER_NAME respectively AUTH_ISSUER_URL.

7. Save the settings.

---

Next Step

Continue with:

• Connect the Backend Systems in the SEAL Operator Server

---