For the latest version, please use Certificate Lifecycle Manager 6.5.1!

Keycloak

Keycloak is the identity and access management solution for MTG CLM. It provides authentication, user management and role-based access control. Proper configuration ensures that users and service accounts receive the correct permissions for CLM features, while integrating with your existing identity infrastructure.

Understanding Keycloak’s Role

Keycloak is responsible for:

  • Verifying user and service account identities with supported authentication methods.

  • Enforcing role-based access control for CLM features.

  • Integrating with enterprise directory services.

  • Centralizing user and credential management.

In MTG CLM, authorization decisions are based on Keycloak roles that are evaluated for users and groups.

Keycloak Client Configuration

The MTG CLM server connects to Keycloak by using a dedicated client.

  • Client credentials are configured with the properties mtg.clm.client.basic.client-id and mtg.clm.client.basic.client-secret.

  • Client roles in Keycloak store the permissions used by MTG CLM.

  • CLM relies on these client roles to grant access to administrative and operational features.

The client configuration must be kept consistent across environments so that role mappings remain predictable and auditable.

Changing the Keycloak Client

When you change the Keycloak client used by MTG CLM:

  1. Create a new client in Keycloak.

  2. Configure the new client credentials in CLM by updating the relevant properties.

  3. Recreate all required client roles from the previous client.

  4. Restart the MTG CLM server so the new configuration is applied.

Make sure that all previous client roles are recreated to maintain business-critical authorizations. If the ADMIN role is missing, the scheduled permission cleanup task is skipped. This can lead to stale or inconsistent permissions in the system.
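As an added example (not part of the MTG CLM documentation or product), the following Python script supports step 3 of the procedure above: it compares the client roles of the previous and the new Keycloak client and flags anything missing, treating ADMIN as critical because its absence disables the permission cleanup task. The `fetch_client_roles` helper uses Keycloak's admin REST endpoints for clients and client roles and needs an admin bearer token; the sample responses and the role names other than ADMIN are constructed.

```python
"""Compare the client roles of an old and a new Keycloak client for MTG CLM.

Role lists have the shape returned by Keycloak's admin REST endpoint
GET /admin/realms/{realm}/clients/{id}/roles: a list of role representations
with at least a "name" field.
"""
import json
import urllib.parse
import urllib.request

# Roles whose absence breaks CLM housekeeping: without ADMIN the scheduled
# permission cleanup task is skipped (as described on this page).
CRITICAL_ROLES = frozenset({"ADMIN"})

def fetch_client_roles(base_url, realm, client_id, token):
    """Fetch the client roles of the client with the given clientId via the
    admin API. Needs an admin bearer token; not called by the offline demo."""
    def get(path):
        req = urllib.request.Request(f"{base_url}/admin/realms/{realm}{path}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    clients = get(f"/clients?clientId={urllib.parse.quote(client_id)}")
    if not clients:
        raise LookupError(f"client {client_id!r} not found in realm {realm!r}")
    return get(f"/clients/{clients[0]['id']}/roles")

def compare_client_roles(old_roles, new_roles):
    """Return (missing, critical_missing): names present on the old client but
    absent on the new one, and the subset of those listed in CRITICAL_ROLES."""
    old_names = {r["name"] for r in old_roles}
    new_names = {r["name"] for r in new_roles}
    missing = sorted(old_names - new_names)
    return missing, sorted(set(missing) & CRITICAL_ROLES)

# Constructed sample responses standing in for the two admin-API calls; the
# role names other than ADMIN are made up for this example.
OLD_CLIENT_ROLES = [{"name": n, "clientRole": True}
                    for n in ("ADMIN", "CERT_REQUESTER", "AUDITOR")]
NEW_CLIENT_ROLES = [{"name": "CERT_REQUESTER", "clientRole": True}]

def migration_report(old_roles=OLD_CLIENT_ROLES, new_roles=NEW_CLIENT_ROLES):
    """Summarise the comparison; a missing critical role should block the restart."""
    missing, critical = compare_client_roles(old_roles, new_roles)
    status = "BLOCK" if critical else ("WARN" if missing else "OK")
    return {"status": status, "missing": missing, "critical_missing": critical}

if __name__ == "__main__":
    print(json.dumps(migration_report(), indent=2))
```

Run the comparison before step 4 (the restart) and do not proceed while the report status is BLOCK.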

Keycloak Groups

Keycloak groups are collections of users and service accounts that share common attributes or permissions. Groups simplify bulk administration in environments where many users or technical accounts require similar CLM access.

For MTG CLM, working with groups involves:

  • Creating and updating groups that represent teams, departments or functional roles.

  • Adding users to groups so they inherit the group’s CLM permissions.

  • Assigning roles to groups instead of managing roles per user or per client.

When a role is assigned to a Keycloak group, all members of that group inherit the role. This allows CLM administrators to:

  • Onboard new users by adding them to the correct groups.

  • Adjust access centrally by updating group role mappings.

  • Keep authorization models consistent across users that perform similar tasks.

Groups do not replace per-user or per-client role assignments but provide an additional, scalable way to manage CLM permissions.

Further Reading