For the latest version, please use Certificate Lifecycle Manager 6.0.0!

Keycloak

Keycloak serves as the identity and access management solution for MTG CLM, providing secure authentication, user management, and role-based access control. Proper configuration ensures users can access appropriate CLM features based on their roles and permissions. This establishes a secure foundation for your MTG CLM deployment, with appropriate access controls and integration with your existing identity infrastructure.

Understanding Keycloak’s Role

Keycloak manages authentication and authorization through:

  • User identity verification with multiple authentication methods

  • Role-based access control for CLM features

  • Integration with enterprise directory services

  • Centralized user management

Keycloak Client Configuration

The MTG CLM server connects to Keycloak using a dedicated client configuration:

  • Client credentials are configured with properties mtg.clm.client.basic.client-id and mtg.clm.client.basic.client-secret.

  • Client roles in Keycloak store the permissions used by MTG CLM.

Changing Keycloak Client

When changing the Keycloak client:

  1. Create a new client in Keycloak.

  2. Configure the new credentials as properties.

  3. Create all necessary roles from the previous client.

  4. Restart the MTG CLM server to apply changes.

Make sure that all previous client roles are recreated to maintain business-critical authorizations.
The scheduled permission cleanup task is skipped if the 'ADMIN' role is missing.
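
A pre-restart check for the client change described above, as an added example that is not part of the MTG CLM product or its documentation. It assumes the properties are stored as key=value lines and that the role lists were exported from Keycloak's Admin REST API (GET /admin/realms/{realm}/clients/{client-uuid}/roles); the client ID, the role names other than ADMIN and all sample data are constructed.

```python
import json

# Constructed sample data (not from a real deployment). The role lists have the
# shape of the Admin REST API response for a client's roles.
OLD_ROLES_JSON = '[{"name": "ADMIN"}, {"name": "RA_OPERATOR"}, {"name": "AUDITOR"}]'
NEW_ROLES_JSON = '[{"name": "RA_OPERATOR"}, {"name": "auditor"}]'
PROPERTIES = """\
# constructed properties file; key=value format is an assumption
mtg.clm.client.basic.client-id=clm-server-new
mtg.clm.client.basic.client-secret=
"""
REQUIRED_PROPS = ("mtg.clm.client.basic.client-id",
                  "mtg.clm.client.basic.client-secret")

def parse_properties(text):
    """Return key/value pairs, ignoring blank lines and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def role_names(roles_json):
    return {role["name"] for role in json.loads(roles_json)}

def check_client_change(old_roles_json, new_roles_json, properties_text, new_client_id):
    """List every problem that should block the MTG CLM server restart."""
    findings = []
    props = parse_properties(properties_text)
    for key in REQUIRED_PROPS:
        if not props.get(key):
            findings.append(f"property {key} is missing or empty")
    if props.get(REQUIRED_PROPS[0]) not in (None, "", new_client_id):
        findings.append("client-id property does not point at the new client")
    new = role_names(new_roles_json)
    # Names are compared exactly as spelled, so "auditor" does not replace "AUDITOR".
    for name in sorted(role_names(old_roles_json) - new):
        findings.append(f"role {name} not recreated on new client")
    if "ADMIN" not in new:
        findings.append("ADMIN role missing: scheduled permission cleanup will be skipped")
    return findings

if __name__ == "__main__":
    for finding in check_client_change(OLD_ROLES_JSON, NEW_ROLES_JSON,
                                       PROPERTIES, "clm-server-new"):
        print("FAIL:", finding)
```

An empty result means the new client carries every role of the old one, including ADMIN, and both credential properties are set.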
