Home
Administration
Here you will find the tasks that are required for administration of your HCL Link product.
Keycloak
This documentation describes about the Keycloak functionality.
User Administration
After you install Keycloak, you must consider how the software manages users and authentication.
LDAP User Authentication
You are using a Lightweight Directory Access Protocol and Active Directory HTTP server to manage users and authentication. You want to know the best practices to use that LDAP/AD server to manage user access to Link.

Administration
Here you will find the tasks that are required for administration of your HCL Link product.
- User Management
  HCL Link provides inbuilt support for managing users who may create, deploy and run integrations.
- Keycloak
  This documentation describes about the Keycloak functionality.
  - Introduction
    Keycloak is an open-source identity and Access Management solution. It is a single sign-on security application for web applications and RESTful web services. Link and Runtime REST API supports Keycloak solution of user administration and authorization.
  - Installation
    To install Keycloak refer to the latest “Getting Started” documentation available on the Keycloak product website.
  - User Administration
    After you install Keycloak, you must consider how the software manages users and authentication.
    - Default User Administration
      Keycloak uses the concept of a realm to manage and authenticate users. When you install the Keycloak server, a realm called testserver is created for you in Keycloak. All server users belong to this realm and when they log in to the server, they log into that realm.
    - LDAP User Authentication
      You are using a Lightweight Directory Access Protocol and Active Directory HTTP server to manage users and authentication. You want to know the best practices to use that LDAP/AD server to manage user access to Link.
      - Selecting LDAP provider in Keycloak
        You can use the Keycloak Admin Console to add an LDAP/AD provider.
      - Required settings for a successful connection to your LDAP/AD provider
        The form includes many fields and several fields include default values.
      - User synchronization
        You must import all users from your LDAP/AD user database by using the option to Synchronize all users. Users are imported based on your saved settings when you set up your LDAP/AD provider.
      - Mappers
        Keycloak uses mappers to map the user attributes defined in the Keycloak user model such as username and email to the corresponding user attributes in the LDAP/AD user database. By default, when you saved your settings and created your LDAP/AD provider, the following mappers were created.
    - Runtime REST API
      Runtime REST API supports Keycloak authentication of user credentials for running maps and flows. Like Link, Runtime REST API can be configured to authenticate users with Keycloak.

LDAP User Authentication

You are using a Lightweight Directory Access Protocol and Active Directory HTTP server to manage users and authentication. You want to know the best practices to use that LDAP/AD server to manage user access to Link.

Link supports Keycloak (https://www.keycloak.org/) to manage and authenticate users.

Existing user databases hold user credentials. Keycloak federates these existing external user databases through the concept of storage providers. By default, Keycloak supports an LDAP and Active Directory storage provider. By adding a storage provider, you can map LDAP user attributes into Keycloak. You can also configure more mappings.

Before you configure Keycloak to use an existing LDAP/AD provider, you must consider the following best practices:

Set up your LDAP/AD provider as a read-only repository so that Keycloak Server cannot change it
Add and remove users in LDAP/AD and not the Keycloak local user database
Import and synchronize your LDAP/AD users to your Keycloak local database
- An import for an LDAP/AD user can fail, if the LDAP/AD field chosen for the username mapping in Keycloak is not filled in for that user in LDAP/AD
- Filter LDAP/AD users by using the Custom User LDAP Filter, so you can import a subset of all your LDAP users. For example, you can set up a Server user group in LDAP and only import those users to Keycloak
Map a login style name, for example, user1@server.com, by using the UserPrincipalName attribute in LDAP/AD to a username in Keycloak. If you want the full name of the user as your login style, use the cn attribute in LDAP/AD.

Note: The LDAP/AD user name attribute must match the LDAP/AD provider user name attribute (Username LDAP attribute) in Keycloak for the LDAP/AD provider to connect with Keycloak.

The following sections use these best practices to guide you to set up Keycloak to connect to your LDAP/AD HTTP server.