...

  • Must be running a version of OpenELIS-Global > 3.0

  • Must have a username and password set up through Keycloak by an administrator

...

3. Using the Feature

3.1 Step-by-Step Instructions

3.1.1 Task 1: Navigate to the OpenELIS-Global login page and use Single Sign On

...

The login page will be at https://<server address>/login

...

Identify the Single Sign On Button and click it

...

Fill in your username and password and any other information you are prompted for, such as:

  1. First Name

  2. Last Name

  3. Email

  4. New Password (if the administrator set you up with a temporary password)

...

How to add a single sign-on provider

The Keycloak image is added to the Docker Compose file build.docker-compose.yml. In the illustration below, the quay.io image is used on port 8089 in a development environment, so http is used on the local host. The docker compose up command is used to start up the container.

...

Keycloak image

The environment variables are set as follows:

...

Environment variables

Once the single sign-on provider has been set up successfully, a login page is displayed. After logging in with the credentials from the environment variables, the session page is displayed by default.

...

Session page

How to set up a realm role for an individual user.

  1. Click on the drop-down menu then click on the Create Realm button

...

  1. Add a realm name and toggle the button on to enable the realm. In this illustration, an OpenELIS realm is created and enabled.

...

Realm name and enabling the realm

  1. Once the realm is created, select the realm and click on Realm roles. The illustration below displays the different roles that we have created for OpenELIS.

...

Realm roles

Note: The following endpoint is used for the different OpenELIS roles; it maps roles to role combinations. Below is an example of a role that is associated with a test function.

...

Role mapping endpoint

This endpoint is responsible for mapping the roles that can then be created under Realm roles.

...

Realm roles

  1. Once the realm role is created, click on Clients.

...

Create a client

Note: Below is an illustration of a created client under the Settings tab. The details include:

  1. Client ID

  2. Name

  3. Root URL

  4. Home URL

...

Client details

The client signature setting under Keys is set to off.

...

Client Signature

  1. Click on the Save button after filling in the Settings tab.

...

Save settings

Note: At this juncture, OpenELIS Global can theoretically communicate with Keycloak. In reality, OpenELIS does not know where to reach Keycloak until this is set up. The total system configuration file is where Keycloak is set up for OpenELIS.

...

Total system configurations

SAML authentication is also set to true.

...

SAML set to true

The metadata location is specified. This enables OpenELIS to pull its information about the SAML exchange from Keycloak, as opposed to setting up all the individual properties. At this juncture, the OpenELIS Global image should be restarted.

Note: In the production environment, http will be replaced with https for security, and keycloak will be replaced with the front-end name of the Keycloak service, using an official certificate.

...

Metadata locator
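Because OpenELIS trusts whatever the metadata location returns, it is worth checking that document before switching from the development setup to production. The following is an added example, not part of the OpenELIS or Keycloak code: it audits a SAML IdP metadata document for non-https endpoints, a missing signing certificate, a missing logout endpoint and unsigned-request acceptance. The sample metadata, the host name `keycloak` and the realm name `OpenELIS` in it are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of IdP metadata for a development setup (not real output);
# host "keycloak", port 8089 and realm "OpenELIS" are assumptions.
DEV_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://keycloak:8089/realms/OpenELIS">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://keycloak:8089/realms/OpenELIS/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def audit_idp_metadata(xml_text, production=True):
    """Return a list of findings for one SAML IdP metadata document."""
    root = ET.fromstring(xml_text)  # local, trusted text; use defusedxml for fetched XML
    findings = []
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: not IdP metadata"]
    if production and not root.get("entityID", "").startswith("https://"):
        findings.append("entityID is not https")
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        endpoints = idp.findall(f"md:{tag}", NS)
        if not endpoints:
            findings.append(f"no {tag} endpoint published")
        for ep in endpoints:
            if production and not ep.get("Location", "").startswith("https://"):
                findings.append(f"{tag} uses a non-https Location")
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")
               and k.find(".//ds:X509Certificate", NS) is not None]
    if not signing:
        findings.append("no signing certificate: assertions cannot be verified")
    if idp.get("WantAuthnRequestsSigned", "false").lower() != "true":
        findings.append("IdP does not require signed AuthnRequests")
    return findings
```

Run it with `production=False` against a development instance to skip the https checks, and with the default against the metadata served by the production front end.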

  1. Upon restart of the OpenELIS Docker container, the login page will display the Single Sign On button. To sign on, click on the Single Sign On button.

...

Click on SSO button

  1. In this illustration, the sign on is done using an admin user.

...

Admin Sign on

  1. Close the SSO true page upon sign on.

...

Close sign on confirmation page

  1. Click on the admin module upon sign on. The admin sections will be displayed.

...

Click admin

...

Admin sections

  1. Click on a test section. Access will be denied, since the single sign-on was not configured to allow an admin user access to test functionalities.

...

Add order

...

Access denied

  1. Log out from OpenELIS. This will only end the OpenELIS session. You will also need to either log out of Keycloak or wait for its session to time out. Ideally, the user would also be prompted to sign out of Keycloak when they click on logout in OpenELIS.

...

End session

  1. Sign out of Keycloak under Sessions to end the admin session.

...

Sign out a session

  1. Log in using a user with test functionality roles.

...

User sign on

Note: Keycloak configuration allows a user to change their password.

  1. Click on a test functionality under the menu items upon successful login. In this illustration, Order is clicked.

...

Click on tests functionality

Note: Tests for samples are related to the roles assigned under Keycloak.

...

Role assignment

...

Realm role assigned to test user

...

Serology and biochemistry tests

How to set up a realm role via group

The illustration below shows the addition of Realm roles via groups. The administrator only has the default role that was created when creating the OpenELIS Realm.

...

Default admin role

...

4. Troubleshooting

4.1 Common Issues

...