User Authentication and Authorization

The platform can be configured to run with or without users. Without users, all included data is accessible to anyone who can reach the IP address and port the platform is listening on. This mode should only be used in sandbox mode.

In non-sandbox mode, the platform supports authentication using OpenID Connect, for example with Keycloak for user management. Keycloak is an open source identity and access management solution that can be configured to work with authentication protocols such as LDAP, Kerberos, OAuth2 and SAML.

User login is handled by Keycloak, and the Keycloak instance can be managed by the customer's IT department without access by Convier. If a user is not logged in, the user is redirected to the Keycloak login page. After successful login, the user is redirected back to the Convier Data Platform with an authorisation code, which, together with the Convier client credentials, is used to obtain an authorisation token that identifies the user within the platform. At no point are user credentials provided or sent to the Convier Data Platform. Convier will however support configuration, and can manage the Keycloak instance on behalf of the customer.

To restrict access to the platform, add the following to the platform properties file:

CONVIER_USER_GROUP=<User group>

Then add the relevant users to that group. Note that the group name is case sensitive.

Setting up Convier Data Platform with Keycloak

  1. Assume the Convier Data Platform will be deployed at a URL (e.g. https://convier.customer.internal).
  2. Deploy a Keycloak service, version >= 14.0.0, at a URL (e.g. https://keycloak.customer.internal).
  3. Create the realm convier.
  4. Within the realm, create the client convier:
    1. Under “Access Type”, select confidential.
    2. Under “Valid Redirection URIs”, add https://convier.customer.internal.
    3. Save.
    4. Under the new “Credentials” tab, click “regenerate credentials” and copy the secret.
  5. In the Convier properties file, add:
    1. KEYCLOAK_SERVER_URL=https://keycloak.customer.internal/auth
    2. KEYCLOAK_REALM=convier
    3. KEYCLOAK_CLIENT_ID=convier
    4. KEYCLOAK_CLIENT_SECRET=<copied secret>
  6. Start the Convier Data Platform.
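The authorisation-code exchange described above and the case-sensitive group check, as an added example using the property values from the steps; this is not Convier's or Keycloak's own code. The endpoint path assumes Keycloak's OpenID Connect layout under the /auth prefix given in KEYCLOAK_SERVER_URL, and the "groups" claim, the group name and the secret are constructed assumptions.

```python
import json
import urllib.parse
import urllib.request

# Values from the example properties file; secret and group are constructed placeholders.
KEYCLOAK_SERVER_URL = "https://keycloak.customer.internal/auth"
KEYCLOAK_REALM = "convier"
KEYCLOAK_CLIENT_ID = "convier"
KEYCLOAK_CLIENT_SECRET = "<copied secret>"
CONVIER_USER_GROUP = "ConvierUsers"            # constructed; compared case-sensitively
REDIRECT_URI = "https://convier.customer.internal"  # must be a Valid Redirection URI


def token_endpoint(server_url: str, realm: str) -> str:
    """Keycloak's OpenID Connect token endpoint for a realm (assumed layout)."""
    return f"{server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_code_exchange(code: str) -> tuple:
    """Endpoint and form body for exchanging the authorisation code Keycloak
    returned on the redirect. Only the one-time code and the platform's own
    client credentials are sent; the user's password is never seen here."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": KEYCLOAK_CLIENT_ID,
        "client_secret": KEYCLOAK_CLIENT_SECRET,
    }
    url = token_endpoint(KEYCLOAK_SERVER_URL, KEYCLOAK_REALM)
    return url, urllib.parse.urlencode(form).encode()


def exchange_code(code: str) -> dict:
    """Perform the exchange over the network (not exercised offline).
    The returned id_token's signature must still be verified against the
    realm's published keys before any of its claims are trusted."""
    url, body = build_code_exchange(code)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def user_allowed(token_claims: dict, required_group: str) -> bool:
    """Access check mirroring CONVIER_USER_GROUP: an exact, case-sensitive
    match is required, so 'convierusers' does not satisfy 'ConvierUsers'.
    Assumes a 'groups' claim has been mapped into the token in Keycloak."""
    return required_group in token_claims.get("groups", [])
```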

Integrating Active Directory, enabling single sign-on, etc.:

Please refer to the Keycloak documentation for further configuration, such as setting up regular synchronisation with Active Directory.