...
Must be running a version of OpenELIS-Global > 3.0
Must have a username and password set up through Keycloak by an administrator
...
3. Using the Feature
3.1 Step-by-Step Instructions
3.1.1 Task 1: Navigate to the OpenELIS-Global login page and use Single Sign On
...
Login page will be https://<server address>/login
...
Identify the Single Sign On Button and click it
...
Fill out your username and password and any other information you are prompted for, such as:
First Name
Last Name
Email
New Password (if an administrator set you up with a temporary password)
...
How to add a single sign-on provider
The Keycloak image is added to the Docker Compose file build.docker-compose.yml. In the illustration below, the quay image is used on port 8089 in a development environment, so http is used on localhost. The docker compose up command is used to start the container.
...
Keycloak image
The environment variables are set as follows:
...
Environment variables
Once the single sign-on provider has been set up successfully, a login page is displayed. After logging in with the credentials from the environment variables, the session page is displayed by default.
...
Session page
How to set up a realm role for an individual user.
Click on the drop-down menu then click on the Create Realm button
...
Add a realm name and toggle on the button to enable the Realm. In this illustration an OpenELIS Realm is created and enabled.
...
Realm name and enabling the realm
Once the realm is created, select the realm and click on Realm roles. The illustration below displays the different roles that we have created for OpenELIS.
...
Realm roles
Note: The following endpoint is used for the different OpenELIS roles and maps roles to role combinations. Below is an example of a role that is associated with a test function.
...
Role mapping endpoint
This endpoint is responsible for mapping roles, which can then be created under Realm roles.
...
Realm roles
Once the realm role is created, click on Clients.
...
Create a client
Note: below is an illustration of a created client under the Settings tab. These details include:
Client ID
Name
Root URL
Home URL
...
Client details
The client signature under Keys is set to off.
...
Client Signature
Click on the Save button after filling in the Settings tab.
...
Save settings
Note: At this point, OpenELIS Global can theoretically communicate with Keycloak. In practice, OpenELIS does not know where to reach Keycloak until this is set up. The Keycloak integration for OpenELIS is set up in the total system configuration file.
...
Total system configurations
SAML authentication is also set to true.
...
SAML set to true
The metadata location is specified. This enables OpenELIS to pull its information about the SAML exchange from Keycloak, as opposed to setting up all the individual properties. At this point, the OpenELIS Global image should be restarted.
Note: in the production environment, http will be replaced with https for security, and keycloak will be replaced with the front-end name of the Keycloak service, using an official certificate.
...
Metadata locator
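The note above about moving from http to https can be checked against the metadata document itself before go-live. The following is an added example, not code from OpenELIS or Keycloak: it audits SAML IdP metadata for non-https endpoints, a missing single-logout endpoint and a missing signing certificate. The sample metadata, the sso.example.org host and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
DEV_BASE = "http://localhost:8089/realms/OpenELIS"  # constructed development value

# Constructed sample IdP metadata (not captured from a real server).
DEV_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{DEV_BASE}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}" Location="{DEV_BASE}/protocol/saml"/>
    <md:SingleSignOnService Binding="{POST}" Location="{DEV_BASE}/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def audit_idp_metadata(metadata_location, xml_text):
    """Return findings to clear before production; an empty list means none."""
    findings = []
    if urlparse(metadata_location).scheme != "https":
        findings.append("metadata location is not https")
    # Only parse metadata from an IdP you operate; stdlib XML parsing is not
    # hardened against hostile documents.
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return findings + ["no IDPSSODescriptor element"]
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        endpoints = idp.findall(f"md:{tag}", NS)
        if not endpoints:
            findings.append(f"no {tag} endpoint advertised")
        for ep in endpoints:
            if urlparse(ep.get("Location", "")).scheme != "https":
                findings.append(f"{tag} is not https: {ep.get('Location')}")
    # Without a signing certificate the service provider cannot verify assertions.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")
               and (k.findtext(".//ds:X509Certificate", "", NS) or "").strip()]
    if not signing:
        findings.append("no signing certificate published")
    return findings


if __name__ == "__main__":
    for finding in audit_idp_metadata(DEV_BASE + "/protocol/saml/descriptor", DEV_METADATA):
        print("FINDING:", finding)
```

Run against the development values, it reports the metadata location and both endpoints as plain http; the same document served under an https front-end name returns no findings.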
After the OpenELIS Docker container restarts, the login page will display the Single Sign On button. To sign on, click on the Single Sign On button.
...
Click on SSO button
In this illustration, the sign on is done using an admin user.
...
Admin Sign on
Close the SSO true page upon sign on.
...
Close sign on confirmation page
Click on the admin module upon sign on. The admin sections will be displayed.
...
Click admin
...
Admin sections
Click on a test section. Access will be denied, since the single sign-on was not configured to allow an admin user access to test functionalities.
...
Add order
...
Access denied
Log out of OpenELIS. This will only end the OpenELIS session. You will also need to either log out of Keycloak or wait for its session to time out. Ideally, the user would also be prompted to sign out of Keycloak when they click on logout under OpenELIS.
...
End session
Sign out of Keycloak under Sessions to end the admin session.
...
Sign out a session
Log in using a user with test functionality roles.
...
User sign on
Note: Keycloak configuration allows a user to change their password.
Click on a test functionality under the menu items after a successful login. In this illustration, Order is clicked.
...
Click on tests functionality
Note: tests for samples are related to the roles assigned under Keycloak.
...
Role assignment
...
Realm role assigned to test user
...
Serology and biochemistry tests
How to set up a realm role via group
The illustration below shows the addition of Realm roles via groups. The administrator only has the default role that was created when creating the OpenELIS Realm.
...
Default admin role
...
4. Troubleshooting
4.1 Common Issues
...