Set up the identity subsystem
Set up the identity subsystem, based on Keycloak
Unity Virtual Private Cloud includes an identity provider and broker component based on Keycloak. Keycloak includes these major capabilities:
- Authentication and authorization
- Storage of the information about entities that access control requires, for example users, service accounts, the organization, and projects
1. Access Keycloak
You must first initialize the AKS cluster credentials on the administrator's machine. These credentials are required later. Read more about connecting to a cluster in the Azure documentation.

To access the Keycloak admin console from a browser, enter a URL in this format:

https://<domain_name>/admin/master/console/

The initial administrator username is admin. The initial password is stored in the key vault as the kc-admin-password secret. To retrieve it and secure the account, the administrator must:

- Grant the Key Vault Administrator role to themselves, because the Owner role doesn't provide access to the Key Vault data plane.
- Temporarily allow access to the key vault over the internet. By default, public access for this key vault is made unavailable. The recommended practice is to restrict this access to the IPs of specific administrators, in the key vault firewall settings, and, if possible, permanently.
- Change the password for the admin user. The recommended practice is to keep the password up-to-date in the key vault.
- Add administrative users.

All Keycloak settings and objects that are related to Unity Virtual Private Cloud are stored in the predefined unity realm. After you have opened the admin console, first go to this realm.
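The key vault steps above as an Azure CLI script, added here as an example; it is not the product's own tooling. It grants the signed-in user Key Vault Administrator on this one vault only, opens the vault firewall to a single administrator IP rather than to the internet, reads the kc-admin-password secret, and writes a freshly generated password back as a new secret version. The resource group, cluster name, vault name and administrator IP are assumptions, not values from this page.

```shell
#!/usr/bin/env bash
# Added example: bootstrap access to the Keycloak admin password in Key Vault
# and rotate the stored value. Not the product's own tooling. Resource names
# and the admin IP below are assumptions, not values from the docs.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-unity-rg}"    # assumed
AKS_NAME="${AKS_NAME:-unity-aks}"               # assumed
VAULT_NAME="${VAULT_NAME:-unity-kv}"            # assumed
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"            # assumed admin egress IP (TEST-NET-3)
KC_SECRET="kc-admin-password"                   # secret name from the docs

# Cluster credentials for the kubectl steps later in the procedure.
aks_credentials() {
  az aks get-credentials --resource-group "$RESOURCE_GROUP" --name "$AKS_NAME" --overwrite-existing
}

# Owner covers only the control plane. Scope Key Vault Administrator to this
# one vault, not to the resource group or the subscription.
grant_self_kv_admin() {
  me=$(az ad signed-in-user show --query id -o tsv)
  vault_id=$(az keyvault show --name "$VAULT_NAME" --query id -o tsv)
  az role assignment create --role "Key Vault Administrator" \
    --assignee-object-id "$me" --assignee-principal-type User --scope "$vault_id"
}

# Open the firewall to one admin IP with the default action left at Deny,
# instead of enabling unrestricted public access.
open_vault_to_admin_ip() {
  az keyvault update --name "$VAULT_NAME" --public-network-access Enabled --default-action Deny
  az keyvault network-rule add --name "$VAULT_NAME" --ip-address "$ADMIN_IP"
}

# Undo the temporary opening once the session is over.
close_vault() {
  az keyvault network-rule remove --name "$VAULT_NAME" --ip-address "$ADMIN_IP"
  az keyvault update --name "$VAULT_NAME" --public-network-access Disabled
}

# Current value of the admin password secret (use it for the first sign-in).
read_admin_password() {
  az keyvault secret show --vault-name "$VAULT_NAME" --name "$KC_SECRET" --query value -o tsv
}

# Random alphanumeric password of N characters (default 32). Reads a fixed
# 1 KiB of urandom so that no stage of the pipe closes early.
new_password() {
  head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"${1:-32}"
}

# Write the new value as a new secret version; the previous version stays
# readable in the vault until it is purged, so nothing is lost mid-rotation.
store_admin_password() {
  az keyvault secret set --vault-name "$VAULT_NAME" --name "$KC_SECRET" --value "$1" --output none
}

# Orchestration: the vault gets the new version before the password is changed
# in the Keycloak console, so the current credential is always in the vault.
rotate_admin_password() {
  aks_credentials
  grant_self_kv_admin
  open_vault_to_admin_ip
  trap close_vault EXIT
  store_admin_password "$(new_password 32)"
  echo "New version of $KC_SECRET written; read it with read_admin_password and set it on the admin user in the console."
}

if [ "${1:-}" = "rotate" ]; then rotate_admin_password; fi
```

Run it as ./kv-bootstrap.sh rotate; the trap closes the vault again when the script exits, whether or not a step failed. Setting the new password on the admin user in the Keycloak console remains a manual step, as the page describes.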
2. Complete the setup of the identity subsystem
To complete the setup of the identity subsystem, ensure that you are signed in to Keycloak, and then go to the unity realm.

2.1 Regenerate the secret for the mini-usf client

To regenerate the secret, complete these steps. The old secret stops working as soon as it is regenerated, so complete the remaining steps promptly.

- Go to Manage > Clients, and then select the mini-usf client.
- On the Credentials tab, select Regenerate next to the client secret.
- Copy the secret to the clipboard.
- Save the secret as a new secret version to the mu-miniusf-keycloak-clientsecret secret in the key vault.
- To restart the mini-usf pods so that they pick up the new secret, run this command:

kubectl rollout restart deployment/mini-usf -n mini-usf
2.2 Set up the URI properties for the dashboard client
To redirect the browser back to the frontend after a successful sign-in, add a valid redirect URI. Keep the wildcard under the solution's own host: a Valid redirect URI of just * would let any site receive the authorization code.

- Go to Manage > Clients, and then select the dashboard client.
- On the Settings tab, modify these values:
  - Set Root URL to https://<solution-domain-name>
  - Set Valid redirect URIs to https://<solution-domain-name>/*
- Select Save.
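Sections 2.1 and 2.2 as one script against the Keycloak Admin REST API instead of the console, added here as an example; it is not part of the product or of this page. It obtains an admin token with the vault-stored admin password, regenerates the mini-usf client secret, stores it as a new version of mu-miniusf-keycloak-clientsecret, restarts the pods, and sets the dashboard client's root URL and redirect URIs. The base URL, the vault name, and the assumption that the mini-usf pods load the secret from the vault on start-up are mine; json_field is a minimal extractor that stands in for jq, and it replaces the clipboard step by passing the secret straight through.

```shell
#!/usr/bin/env bash
# Added example: sections 2.1 and 2.2 through the Keycloak Admin REST API rather
# than the console. Not the product's own tooling. The base URL, vault name and
# the assumption that mini-usf reads its secret from the vault at start-up are mine.
set -eu

KC_BASE="${KC_BASE:-https://unity.example.com}"   # assumed <solution-domain-name>
REALM="unity"                                     # realm from the docs
VAULT_NAME="${VAULT_NAME:-unity-kv}"              # assumed key vault name
TOKEN=""                                          # filled by kc_token

# First string value of KEY in a JSON document, or exit status 1 if absent.
# Enough for the flat responses used here; prefer jq where it is installed.
json_field() {  # json_field KEY JSON
  v=$(printf '%s' "$2" | grep -o "\"$1\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4)
  [ -n "$v" ] || { echo "json_field: no \"$1\" in response" >&2; return 1; }
  printf '%s' "$v"
}

# Admin token from the master realm, using the password stored in the vault
# as kc-admin-password. The admin-cli client ships with Keycloak.
kc_token() {
  pw=$(az keyvault secret show --vault-name "$VAULT_NAME" --name kc-admin-password --query value -o tsv)
  json_field access_token "$(curl -fsS "$KC_BASE/realms/master/protocol/openid-connect/token" \
    -d grant_type=password -d client_id=admin-cli -d username=admin \
    --data-urlencode "password=$pw")"
}

# Call the admin API inside the unity realm: kc_api METHOD PATH [JSON_BODY]
kc_api() {
  if [ $# -ge 3 ]; then
    curl -fsS -X "$1" "$KC_BASE/admin/realms/$REALM/$2" \
      -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d "$3"
  else
    curl -fsS -X "$1" "$KC_BASE/admin/realms/$REALM/$2" -H "Authorization: Bearer $TOKEN"
  fi
}

# Internal UUID of a client from its clientId. The lookup returns a one-element
# array whose first "id" field is the client's own.
client_uuid() {
  json_field id "$(kc_api GET "clients?clientId=$1")"
}

# 2.1: regenerate, store as a new vault version, then restart the pods.
# The old secret is dead the moment the POST returns, so keep the steps together.
rotate_mini_usf_secret() {
  cid=$(client_uuid mini-usf)
  secret=$(json_field value "$(kc_api POST "clients/$cid/client-secret")")
  az keyvault secret set --vault-name "$VAULT_NAME" --name mu-miniusf-keycloak-clientsecret \
    --value "$secret" --output none
  kubectl rollout restart deployment/mini-usf -n mini-usf
  kubectl rollout status deployment/mini-usf -n mini-usf --timeout=120s
}

# 2.2: root URL and redirect URIs for the dashboard client. Keycloak leaves
# fields that are absent from the PUT body unchanged. The wildcard stays under
# the solution's own host; a bare "*" would hand the authorization code to any site.
set_dashboard_urls() {
  cid=$(client_uuid dashboard)
  body=$(printf '{"rootUrl":"%s","redirectUris":["%s/*"]}' "$KC_BASE" "$KC_BASE")
  kc_api PUT "clients/$cid" "$body"
}

case "${1:-}" in
  rotate-secret)  TOKEN=$(kc_token); rotate_mini_usf_secret ;;
  dashboard-urls) TOKEN=$(kc_token); set_dashboard_urls ;;
esac
```

Run ./kc-setup.sh rotate-secret and ./kc-setup.sh dashboard-urls from a machine that already holds the AKS credentials and has the key vault firewall opened to it, as described in section 1. The rollout status call makes the script fail visibly if the restarted pods never become ready, which is the first symptom of a secret that was regenerated but not stored.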
3. Perform administration tasks
- Create an organization in Keycloak.
- If required, set up single sign-on (SSO) for the identity subsystem.
- If you don't use SSO, then create users in Keycloak.
- Grant user access to the organization. Assign the Owner user type in the organization to at least one user, whether they created their account locally or through SSO, so that this user can sign in to Asset Manager and create a project. After you have completed these steps, users can access the application.
- Optionally, set up monitoring integration, either in parallel or later.