# AppDat Keycloak User Guide

The AppDat Auth Service is built on Keycloak, an open-source identity and access management service. AppDat Keycloak integrates directly with NASA Launchpad via SAML and with AppDat managed applications, providing a uniform Single Sign On (SSO) experience for all AppDat hosted applications.
## Concepts

AppDat Keycloak provides centralized user management for AppDat customer organizations and exposes a modern OpenID Connect 2.0 interface for AppDat applications to use, while preserving PIV-based end user login to maintain NASA compliance.
## Usage

There are two different methods of using the AppDat Keycloak service:
### AppDat Gatekeeper Access Proxy

AppDat Gatekeeper provides a configuration-based access proxy service available to all AppDat hosted applications. It can be configured to protect all application endpoints or just a subset. The configuration lives in the end application's source code repository and is applied via the AppDat CI/CD Auto DevOps (ADO) pipelines.
#### Gatekeeper Configuration

To configure AppDat Gatekeeper, add the following two configuration files to the desired project's repository:

`.gitlab/auto-deploy-values.yaml`

```yaml
appdat:
  auth:
    gatekeeper:
      enabled: true # enables the AppDat Gatekeeper proxy
```

`.gitlab/gatekeeper-config.yaml`

```yaml
enable-default-deny: false # true blocks all requests; false protects only the resources listed below
resources: # endpoints to be protected
  - uri: /SubmitHas.cfm # use "- uri: /*" to protect all routes
  - uri: /Admin/*
add-claims: # user identity properties to be included with the JWT
  - auid
```
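To see what the two settings above actually decide for a given request, here is an added simulation of the protection rules (example code written for this guide, not part of AppDat or the Gatekeeper project). It assumes the glob semantics described in the comments (`*` matches any run of characters, `/*` covers every route) and uses a constructed dict standing in for the parsed `gatekeeper-config.yaml`:

```python
import fnmatch

# Constructed: the guide's gatekeeper-config.yaml as a Python dict,
# so the example runs without a YAML library.
GATEKEEPER_CONFIG = {
    "enable-default-deny": False,
    "resources": [{"uri": "/SubmitHas.cfm"}, {"uri": "/Admin/*"}],
    "add-claims": ["auid"],
}


def uri_matches(pattern, path):
    """Glob match assumed for resource URIs: '*' spans any characters,
    so '/Admin/*' covers '/Admin/users/1' and '/*' covers every route.
    Matching is literal and case-sensitive in this simulation."""
    return fnmatch.fnmatchcase(path, pattern)


def requires_login(config, path):
    """True if the proxy would demand an authenticated session for `path`."""
    if config.get("enable-default-deny", False):
        return True  # default deny: every request is protected
    return any(uri_matches(r["uri"], path) for r in config.get("resources", []))


def forwarded_claims(config, token_claims):
    """Select only the identity claims listed under add-claims from the
    decoded token; claims the token lacks are simply skipped."""
    wanted = config.get("add-claims", [])
    return {c: token_claims[c] for c in wanted if c in token_claims}


def decide(config, path, token_claims=None):
    """Simulate one request. Returns ('allow' | 'deny', claims passed on).
    token_claims=None models a request with no authenticated session."""
    if not requires_login(config, path):
        return "allow", {}  # unprotected route: passed through untouched
    if token_claims is None:
        return "deny", {}  # protected route, no session: login required
    return "allow", forwarded_claims(config, token_claims)
```

Note that with `enable-default-deny: false` a path that differs only in case from a listed pattern (for example `/admin/users`) is not matched by this simulation, which is why protecting the whole application with `/*` or default deny is the safer starting point when in doubt.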
### OIDC

AppDat applications (or any NASA application) can integrate directly with Keycloak via OIDC. There are many open-source libraries and a robust set of Keycloak documentation for securing applications, found here.
### Customer Realms

Keycloak also provides general user, role, and group management functions that AppDat customer organizations can use for one or many applications. AppDat Keycloak can therefore give an organization centralized user management for all of its AppDat hosted systems. Each AppDat customer is provisioned a Keycloak "realm" for their organization. The realm is managed directly through an administrative web UI, where customers define users, user roles, and user groups for their applications. AppDat has set up Keycloak with a "core realm" that manages the NASA SAML integration for all AppDat customers; AppDat organization realms then integrate with the core realm via OIDC.
## Getting Started

When onboarding the first application for a new AppDat customer, an AppDat SRE will help establish the customer's Keycloak realm, provision the Keycloak client, and set up the AppDat Gatekeeper services as needed.

For information on using external identity providers and user management, see our "User Management" guide here.
## Keycloak Documentation

For documentation on using the Keycloak admin console, see the following: