As a security measure, Akamas lets you enforce a limit on the number of concurrent sessions per user, by default, this is set to terminate the oldest sessions and keep only a restricted number alive. If you wish to change the behavior limit, you can do so by configuring the Akamas realm in Keycloak.

The section Local Users explains how to properly configure users stored in Keycloak. The page Identity Provider users explains how to apply the same limit for users managed by an Identity Provider.

To configure an external identity provider you first need to access the Keycloak administration console. Follow the instructions in Accessing Keycloak admin console.

In the akamas realm, navigate to the Identity providers section.

From here on, the steps required to proceed with the configuration vary depending on the provider you are integrating with. Select yours from the guides below:

• Azure Active Directory

• Google

In case you need to limit the count of user session logins for this provider, follow this guide

The Keycloak administration console is exposed on the /auth page of your installation; for example, https://app.akamas.io/auth.

Now log into the Administration Console using the admin user. The password for such a user can be retrieved in different ways, depending on the installation method:

• Kubernetes. A custom password can be specified during the installation by providing a value keycloak.adminPassword in the helm chart. If this value was left unspecified, you can retrieve the auto-generated password with the following command:

kubectl get secret keycloak-admin-credentials \
  -o go-template='{{ .data.KEYCLOAK_ADMIN_PASSWORD | base64decode }}'

Note that you might need to provide the namespace in which Akamas has been installed using the flag -n namespace

• Docker.

  A custom password can be specified during the installation by providing a value for the variable KEYCLOAK_ADMIN_PASSWORD in the environment or the docker-compose file. if during the installation you didn't specify the value, you can retrieve the auto-generated password with the following command:

docker exec -it keycloak cat /config/keycloak_admin | cut -d '|' -f1

Akamas realm

Once logged in, select the akamas realm from the dropdown menu and navigate to the Identity providers section.

First, access the Keycloak admin console with the instructions provided on the page Accessing Keycloak admin console.

On the Authentication page, select the "direct grant flow" and scroll the "User session count limiter" entry.

On the row "User session count limiter", click on the cog icon. From here you can choose the maximum concurrent sessions for each user, and the behavior when the maximum number is reached. Select "Deny new session" to deny new accesses. if previous sessions are not properly terminated, you may need to delete them from the Keycloak console under the Users section.

If you have configured ore or more Identity Providers, you can also limit the number of concurrent user sessions. First, access the Keycloak admin console with the instructions provided on the page Accessing Keycloak admin console.

Click on the "create flow" button, provide a name, and then select the flow type "Basic Flow" and click on create.

Now click on "add execution"

A dialog pops up with a list of possible actions, filter the results with the limit keyword.

Select "User session count limiter" and click on "Add".

Set this new step as "Required" from the drop-down then click on the cog icon to edit its properties

Give it a meaningful alias and type in the maximum concurrent session value you desire. Select the behavior "Deny new session" from the drop-down list. Type in a valid message in the textbox "Optional custom error message" and click on "Save".

Now go to the identity provider page and click on the Identity provider you want to limit.

Scroll down to the bottom, click on the "Post login flow" dropdown, and select the new step you just created then click on the "Save" button.

This page provides a walkthrough to configure Google as an external identity provider for Akamas users.

Configure the App registration

To integrate Akamas with your Google Workspace, you first need a project with a dedicated OAuth client. Log in to your Google Developer Console, and navigate to the "Credentials" page of "API & Services".

Configure the Consent Screen

If the "Credentials" page displays a warning box reminding you to configure the consent screen, you first need to create an app. Click the enclosed button to start the wizard.

Follow the wizard to configure the consent screen according to your company's policies. For more details, refer to Configure the OAuth consent screen on the official documentation.

Once the configuration is complete, return to the "Credentials" page.

Create the OAuth client

Click the "Create Credentials" link on top, and select "OAuth Client ID".

Configure the client as follows:

• "Application Type": select "Web application"

• "Name": populate with the name of the new client

• "Authorized redirect URIs": leave it blank, as you will fill it in a later step

Once you click "Create" the console will show you a confirmation pop-up containing the client's configuration. Note the Client ID and the Client Secret.

Create the Identity provider

Access the Identity providers section for the "akamas" realm in the Keycloak administration console, as described on the page Configure an external identity provider, and select "Google" to start creating the new provider.

Configure the following fields using the values from the OAuth client you just created:

• "Client ID": fill in the id of the client

• "Client Secret": fill in the secret of the client

To complete the configuration, note the "Redirect URI" value and click "Add".

Complete the app registration

Back to the Google Developer Console, on the "Credentials" page, open the newly created client and add the URI from the previous step to the list of "Authorized redirect URIs".

Configure the default Akamas roles

The final setup step is to instruct Akamas to associate the default roles with the users automatically. This way, users will be added to the default workspace with read and write permissions the first time they log in.

On the Keycloak console, on the provider's details page, navigate to "Mappers":

Now, add the following configurations.

User role

• Name: User role

• Mapper type: Hardcoded role

• Role: USER

Default Workspace Read

• Name: Default Workspace Read

• Mapper type: Hardcoded role

• Role: WS_ac8481d3-d031-4b6a-8ae9-c7b366f027e8_R

Default Workspace Write

• Name: Default Workspace Write

• Mapper type: Hardcoded role

• Role: WS_ac8481d3-d031-4b6a-8ae9-c7b366f027e8_W

Test the integration

Visit the installation's login page to check that the new authentication method is displayed and works correctly.

This page provides a walkthrough to configure Azure Active Directory as an external identity provider for Akamas users.

Configure the App registration

To integrate Akamas with your Active Directory, you first need a dedicated App registration in your Azure Organization. If you want to use an existing registration, skip to ; to create a new one, refer to the following sub-section.

Create a new App registration

To create a new registration, navigate to in your Azure portal and select "New registration" and specify the following:

• a name for the application

• the account type that best suits your use case

Complete the creation by clicking on "Register".

Get the client configuration

On the "Overview" page of the application, note the following values:

• Application (client) ID

• OpenID Connect metadata document (found in the "Endpoints" side panel)

Furthermore, in the "Certificates & secrets" section, create a new Client secret and note its value.

With these values, we can now complete the provider configuration in the Keycloak console.

Create the Identity provider

Here, specify an alias for the client ("microsoft" in our case) and optionally the display name used in the login page ("Microsoft").

In the "OpenID Connect settings" section, configure the following fields using the values from the app registration in the Azure portal:

• "Discovery endpoint": populate with the URL of the "OpenID Connect metadata document". This box should become green upon successful validation.

• "Client ID": populate with the "Application (client) ID" from the app's overview page

• "Client Secret": populate with the value of the generated secret

Complete the configuration by clicking "Add". You will land on the detail page of the new provider: here, copy the value of the redirect URI.

Complete the app registration

Back to the app registration in the Azure portal, navigate to the "Authentication" section. Add the "Web" platform (if not already present).

Finally, add to the list of redirect URIs the one from the previous step.

You have now configured Akamas to delegate to Azure your users' login.

Configure the default Akamas roles

The final setup step is to instruct Akamas to associate the default roles with the users automatically. This way, users will be added to the default workspace with read and write permissions the first time they log in.

On the Keycloak console, on the provider's details page, navigate to "Mappers":

Now, add the following configurations.

User role

• Name: User role

• Mapper type: Hardcoded role

• Role: USER

Default Workspace Read

• Name: Default Workspace Read

• Mapper type: Hardcoded role

• Role: WS_ac8481d3-d031-4b6a-8ae9-c7b366f027e8_R

Default Workspace Write

• Name: Default Workspace Write

• Mapper type: Hardcoded role

• Role: WS_ac8481d3-d031-4b6a-8ae9-c7b366f027e8_W

Test the integration

Visit the installation's login page to check that the new authentication method is displayed and works correctly.