Users
To interact with MTG-CLM UI, you must first log in as a user. This page describes user creation and the various authentication methods in detail.
User Creation
To create a user you must fill out the following fields.
- First Name (mandatory): The user’s first name. This field may contain up to 31 characters.
- Last Name (mandatory): The user’s last name. This field may contain up to 31 characters.
- E-Mail (mandatory): The email address of the user. This must be unique across all registered users.
You can also create CLM users by importing them from Active Directory. Keycloak offers a powerful and flexible mechanism for synchronising users from Active Directory, allowing you to manage CLM users in a single place. For more information refer to the dedicated instructions page.
User Authentication
Users can log into MTG-CLM UI in one of two ways: with a username and password, or with TLS client authentication using X.509 certificates. You choose the method during user creation.
When you choose the username/password authentication method, the user's password is set in Keycloak. For more options for managing users and their credentials, see the Keycloak documentation.
With the certificate-based authentication method, a certificate is requested for the user during creation. The certificate is issued using the user certificate policy, which is configured in the system settings in the configuration section.
The certificate authority issuing the user certificate must be trusted by Keycloak.
Multi-Factor Authentication
Multi-Factor authentication (MFA) serves as a fundamental security measure designed to fortify account protection. By integrating an additional layer of authentication, MFA requires verification of both primary and secondary factors to grant access to an account.
The following mini-tutorial provides instructions on configuring Multi-Factor Authentication with Google Authenticator within Keycloak.
1. Keycloak console - Realm setting
- From your Keycloak console, select your realm from the dropdown list.
- Click Authentication
- Click Required actions
- Make sure Configure OTP is required and Set as default action
2. Keycloak console - Require first time OTP configuration for existing user
- Click Users
- Choose an existing user.
- In Required actions list select Configure OTP.
- Click Save
3. MTG-CLM UI - Initial MFA authentication & subsequent setup
During the user’s first login a setup page will be shown, prompting the user to set up their 2FA preferences.
You must include the Conditional OTP Flow step in the Keycloak Authentication Flow section for the user to be prompted to enter a one-time password during subsequent logins.
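To confirm that the three steps above took effect, you can audit a realm export for them. The following is an added example, not part of MTG-CLM or Keycloak. The field names and identifiers it reads (`requiredActions`, `authenticationFlows`, `authenticationExecutions`, `credentials`, `CONFIGURE_TOTP`, `auth-otp-form`) are assumed from Keycloak's realm export JSON and should be checked against your Keycloak version; the sample data is constructed.

```python
import json

# Constructed sample in the assumed shape of a Keycloak realm export.
SAMPLE_EXPORT = json.loads("""
{
  "requiredActions": [
    {"alias": "CONFIGURE_TOTP", "enabled": true, "defaultAction": false}
  ],
  "authenticationFlows": [
    {"alias": "Browser - Conditional OTP", "authenticationExecutions": [
      {"authenticator": "conditional-user-configured", "requirement": "REQUIRED"},
      {"authenticator": "auth-otp-form", "requirement": "DISABLED"}
    ]}
  ],
  "users": [
    {"username": "alice", "credentials": [{"type": "password"}, {"type": "otp"}]},
    {"username": "bob", "credentials": [{"type": "password"}],
     "requiredActions": ["CONFIGURE_TOTP"]},
    {"username": "carol", "credentials": [{"type": "password"}]}
  ]
}
""")


def audit_mfa(export):
    """Return a list of findings; an empty list means all three steps check out."""
    findings = []
    # Step 1: Configure OTP must be enabled and set as default action.
    otp = next((a for a in export.get("requiredActions", [])
                if a.get("alias") == "CONFIGURE_TOTP"), None)
    if otp is None or not otp.get("enabled"):
        findings.append("required action CONFIGURE_TOTP is not enabled")
    elif not otp.get("defaultAction"):
        findings.append("CONFIGURE_TOTP is not set as default action")
    # Step 3 note: some flow must contain an OTP form execution that is not disabled.
    active = any(e.get("authenticator") == "auth-otp-form"
                 and e.get("requirement") != "DISABLED"
                 for f in export.get("authenticationFlows", [])
                 for e in f.get("authenticationExecutions", []))
    if not active:
        findings.append("no active auth-otp-form execution in any flow")
    # Step 2: existing users need an OTP credential or a pending Configure OTP action.
    for u in export.get("users", []):
        has_otp = any(c.get("type") == "otp" for c in u.get("credentials", []))
        pending = "CONFIGURE_TOTP" in u.get("requiredActions", [])
        if not has_otp and not pending:
            findings.append(f"user {u.get('username')} has no OTP and no pending setup")
    return findings
```

Call `audit_mfa` on the parsed JSON of your own realm export; users appear in it only if the export included them. The check does not confirm that the flow containing the OTP form is the one bound as the realm's browser flow.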