Keycloak URL

The default Keycloak management URL is: https:///keycloak

Realms

Both realms in Keycloak can be configured with an LDAP:

  • Master to authenticate as administrator on Keycloak itself
  • Hexagon-HPA to authenticate users on HPA portal and Webview

The LDAP used by the two realms can be the same server or a different one.

FAQ: Logout from Webview leads to an exception

When logging out from Webview, if an exception is displayed on the screen, check the following parameter:

Hpa Realm > Clients > com.ca.apm.webview.serviceprovider > Logout settings

Set Front channel logout to “Off”

Configure Front channel logout

Add LDAP to a Realm

For LDAP authentication:

  1. open the Hexagon-HPA realm
  2. open User federation in the left menu
  3. click on Add Ldap providers

keycloak_ldap

  4. Enter the LDAP information

keycloak_federation

LDAP settings

Usually the information needed for Active Directory is:

  • Connection URL: ldaps://server:port
  • Bind user DN
  • Bind user password
  • User DN: the base DN under which users are searched
  • Disable import users
  • Activate read only

Other options may be needed depending on your LDAP configuration.

LDAP configuration screenshots

LDAP connection

LDAP search

LDAP cache

LDAP role mapping

LDAP roles mapping

To restrict access to HPA to specific groups, the filter in User federation > User LDAP filter must contain the names of the groups allowed to access HPA. Each memberOf value must be the full DN of the group (starting with CN=):

  • eg: (&(objectCategory=Person)(|(memberOf=CN=xxxx,OU=TRANSVERSAL,OU=Applications,OU=Groups,DC=emea,DC=cib)(memberOf=CN=yyyy,OU=TRANSVERSAL,OU=Applications,OU=Groups,DC=emea,DC=cib)(memberOf=CN=zzzz,OU=TRANSVERSAL,OU=Applications,OU=Groups,DC=emea,DC=cib)))
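The following Python script is an added example, not part of this page or of Keycloak itself. It builds the group-restricted User LDAP filter described above from a list of group CNs (with RFC 4515 escaping of the values), checks a filter for the two mistakes that are easy to make by hand (unbalanced parentheses and a memberOf value that is not a full DN), and dry-runs the filter against a few constructed directory entries to show who would be allowed in before the filter is pasted into the console. The group names, entry attributes and the Keycloak component key names used in ldap_provider_config are assumptions; compare the keys with an export of your own realm.

```python
"""Build, check and dry-run the Keycloak 'User LDAP filter' that limits HPA access
to members of specific Active Directory groups (added example, constructed data)."""
import re

# Assumed group container; the page only shows it as part of the example filter.
GROUP_BASE = "OU=TRANSVERSAL,OU=Applications,OU=Groups,DC=emea,DC=cib"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def group_dn(cn: str, base: str = GROUP_BASE) -> str:
    """Full DN of a group from its CN: memberOf values must be DNs, not bare names."""
    return f"CN={cn},{base}"


def build_user_filter(group_cns, base: str = GROUP_BASE) -> str:
    """Person objects that are a member of at least one of the listed groups."""
    if not group_cns:
        raise ValueError("at least one group is required, otherwise nobody can log in")
    clauses = "".join(f"(memberOf={ldap_escape(group_dn(cn, base))})" for cn in group_cns)
    return f"(&(objectCategory=Person)(|{clauses}))"


MEMBER_OF = re.compile(r"\(memberOf=([^()]*)\)")
DN_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")  # a DN starts with 'type='


def check_filter(flt: str) -> list:
    """Return a list of problems; an empty list means the filter looks sane."""
    problems, depth = [], 0
    for ch in flt:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            problems.append("unbalanced ')'")
            break
    if depth > 0:
        problems.append("unbalanced parentheses")
    for val in MEMBER_OF.findall(flt):
        if not DN_START.match(val):
            problems.append(f"memberOf value is not a DN: {val!r}")
    return problems


def _parse(flt: str, i: int = 0):
    """Tiny parser for the subset used here: (&...), (|...) and (attr=value)."""
    assert flt[i] == "(", "filter must start with '('"
    i += 1
    if flt[i] in "&|":
        op, kids, i = flt[i], [], i + 1
        while flt[i] == "(":
            node, i = _parse(flt, i)
            kids.append(node)
        assert flt[i] == ")"
        return (op, kids), i + 1
    end = flt.index(")", i)
    attr, _, value = flt[i:end].partition("=")
    return ("=", attr, value), end + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _eval(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    # DN and AD category comparisons are case-insensitive (simplified matching rule).
    return any(v.lower() == _unescape(value).lower() for v in values)


def matches(flt: str, entry: dict) -> bool:
    """Does this directory entry pass the filter? (case-insensitive equality only)"""
    node, end = _parse(flt)
    if end != len(flt):
        raise ValueError("trailing characters after filter")
    return _eval(node, entry)


def who_has_access(flt: str, entries: dict) -> list:
    return sorted(name for name, entry in entries.items() if matches(flt, entry))


# Constructed sample entries; objectCategory is simplified to its short name.
SAMPLE_ENTRIES = {
    "alice": {"objectCategory": "Person", "memberOf": [group_dn("HPA-Users")]},
    "bob":   {"objectCategory": "Person", "memberOf": ["CN=Other,OU=Groups,DC=emea,DC=cib"]},
    "svc":   {"objectCategory": "Computer", "memberOf": [group_dn("HPA-Users")]},
}


def ldap_provider_config(connection_url, bind_dn, bind_password, users_dn, user_filter):
    """Keycloak admin REST component body mirroring the checklist above
    (ldaps URL, bind DN/password, user DN, import off, read-only).
    Assumption: key names as in Keycloak's LDAP provider; verify against your realm."""
    return {
        "name": "hpa-ldap", "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {"vendor": ["ad"], "connectionUrl": [connection_url],
                   "bindDn": [bind_dn], "bindCredential": [bind_password],
                   "usersDn": [users_dn], "customUserSearchFilter": [user_filter],
                   "importEnabled": ["false"], "editMode": ["READ_ONLY"]},
    }


if __name__ == "__main__":
    flt = build_user_filter(["HPA-Users", "HPA-Admins"])
    print(flt, check_filter(flt), who_has_access(flt, SAMPLE_ENTRIES))
```

Run check_filter on the exact string you intend to paste into the console; a memberOf clause written as memberOf=yyyy,OU=... (bare group name without CN=) is reported, as is a missing closing parenthesis, both of which otherwise surface only as "no users found" after the provider is saved.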

The admin role is assigned to a single role only, the one defined in security.config.