As a security measure, Akamas lets you enforce a limit on the number of concurrent sessions per user. By default, this limit is configured to terminate the oldest sessions and keep only a restricted number alive. If you wish to change this behavior or the limit, you can do so by configuring the Akamas realm in Keycloak.
The section Local Users explains how to properly configure users stored in Keycloak. The page Identity Provider users explains how to apply the same limit for users managed by an Identity Provider.
To configure an external identity provider, start by accessing the Keycloak administration console. Refer to Accessing Keycloak admin console for detailed instructions.
Within the Akamas realm, navigate to the Identity Providers section.
The configuration steps will vary based on the provider you are integrating with. Select the appropriate guide below:
If you need to limit the number of user session logins for this provider, refer to Limit users sessions.
The Keycloak administration console is exposed on the /auth page of your installation; for example, https://app.akamas.io/auth.
Now log into the Administration Console using the admin user. The password for such a user can be retrieved in different ways, depending on the installation method:
Kubernetes.
A custom password can be specified during the installation by providing a value for keycloak.adminPassword in the helm chart. If this value was left unspecified, you can retrieve the auto-generated password with the following command:
Note that you might need to provide the namespace in which Akamas has been installed using the flag -n namespace.
Docker.
A custom password can be specified during the installation by providing a value for the variable KEYCLOAK_ADMIN_PASSWORD in the environment or the docker-compose file. If you didn't specify the value during the installation, you can retrieve the auto-generated password with the following command:
Once logged in, select the akamas realm from the dropdown menu and navigate to the Identity providers section.
This guide provides a step-by-step walkthrough to configure Google as an external identity provider for Akamas users.
You will need a Google account with the privileges required to create app registrations.
To integrate Akamas with your Google Workspace, create a project with a dedicated OAuth client in the Google Developer Console.
Log in to your Google Developer Console.
Go to the API & Services section and navigate to Credentials.
If a warning prompts you to configure the consent screen, you’ll need to create an app for user consent.
Click on the provided button to launch the Consent Screen Wizard.
Follow the wizard to configure the consent screen according to your company's policies. For more details, refer to Configure the OAuth consent screen on the official documentation.
Once the consent screen configuration is complete, return to the Credentials page.
On the Credentials page, select Create Credentials and choose OAuth Client ID.
Configure the client as follows:
Application Type: Choose "Web application."
Name: Enter a name for the new client.
Authorized redirect URIs: Leave this blank for now; you’ll configure it in a later step.
After clicking Create, a confirmation popup will display the Client ID and Client Secret. Make note of these values.
In the Keycloak admin console, go to the Identity Providers section within the Akamas realm (see Configure an external identity provider for more details).
Select Google as the provider type.
Fill in the following fields using the values from the OAuth client:
Client ID: Enter the Client ID from the Google Developer Console.
Client Secret: Enter the Client Secret.
Copy the Redirect URI generated by Keycloak and click Add to save the configuration.
Return to the Credentials page in the Google Developer Console. Open the newly created OAuth client, and in the Authorized Redirect URIs section, add the Redirect URI copied from Keycloak.
If the hostname of the Akamas installation changes, update the Redirect URI in the app registration to avoid login errors such as:
The redirect URI 'https://...' specified in the request does not match the redirect URIS configured for the application '...'.
To automatically assign default roles to users, set up mappers in Keycloak so users can access the default workspace with read and write permissions upon first login.
In Keycloak, go to the provider's details page and navigate to Mappers:
Add the following configurations:
User role
Name: User role
Mapper type: Hardcoded role
Role: USER
Default Workspace Read
Name: Default Workspace Read
Mapper type: Hardcoded role
Role: WS_ac8481d3-d031-4b6a-8ae9-c7b366f027e8_R
Default Workspace Write
Name: Default Workspace Write
Mapper type: Hardcoded role
Role: WS_ac8481d3-d031-4b6a-8ae9-c7b366f027e8_W
Visit the Akamas installation's login page to verify that the new authentication method is displayed and working as expected.
First, access the Keycloak admin console with the instructions provided on the page Accessing Keycloak admin console.
On the Authentication page, select the "browser" flow and scroll to the "User session count limiter" entry.
On the row "User session count limiter", click on the cog icon. From here you can choose the maximum concurrent sessions for each user, and the behavior when the maximum number is reached. Select "Deny new session" to deny new accesses. If previous sessions are not properly terminated, you may need to delete them from the Keycloak console under the Users section.
If you have configured one or more Identity Providers, you can also limit the number of concurrent user sessions. First, access the Keycloak admin console with the instructions provided on the page Accessing Keycloak admin console.
Click on the "create flow" button, provide a name, and then select the flow type "Basic Flow" and click on create.
Now click on "add execution".
A dialog pops up with a list of possible actions, filter the results with the limit keyword.
Select "User session count limiter" and click on "Add".
Set this new step as "Required" from the drop-down, then click on the cog icon to edit its properties.
Give it a meaningful alias and type in the maximum concurrent session value you desire. Select the behavior "Deny new session" from the drop-down list. Type in a valid message in the textbox "Optional custom error message" and click on "Save".
Now go to the identity provider page and click on the Identity provider you want to limit.
Scroll down to the bottom, click on the "Post login flow" dropdown, select the flow you just created, and then click on the "Save" button.
This guide provides a step-by-step walkthrough to configure Azure Active Directory (AD) as an external identity provider for Akamas users.
Ensure you have an Azure account with the Application.ReadWrite.All permission to create app registrations in your Azure AD tenant.
To integrate Akamas with your Azure AD, you’ll need a dedicated App registration in your Azure organization. You can either use an existing registration or create a new one.
Using an Existing Registration: Skip to #get-the-client-configuration.
Creating a New Registration: Follow the instructions below.
Multiple Akamas instances can share a single app registration, meaning any AD user added to the registration can access all associated Akamas instances. To manage access with finer granularity, create a unique app registration for each Akamas instance.
In your Azure portal, navigate to App registrations and select New registration.
Provide:
A name for the application.
The account type that best suits your use case.
Complete the process by clicking Register.
On the Overview page of your app registration, make note of the following values:
Application (client) ID
OpenID Connect metadata document (found in the "Endpoints" side panel)
Then, in the Certificates & secrets section, create a new Client secret and note its value. With these values ready, proceed to configure the provider in the Keycloak console.
In the Keycloak admin console, access the Identity Providers section within the Akamas realm (see the Configure an external identity provider page for more details).
Select OpenID Connect v1.0 to start creating the new provider.
Provide:
Alias (e.g., "microsoft") and optional Display name (e.g., "Microsoft") for the login page.
In the OpenID Connect settings section, populate the following fields:
Discovery endpoint: Enter the URL of the OpenID Connect metadata document. A green box indicates successful validation.
Client ID: Enter the Application (client) ID.
Client Secret: Enter the generated client secret.
Click Add to complete the configuration. Copy the Redirect URI from the details page of the new provider.
Return to the Azure portal and open the app registration. In the Authentication section, add the Web platform (if not already present).
Add the Redirect URI from the Keycloak console to the list of redirect URIs.
Akamas is now configured to delegate user login to Azure AD.
If the hostname of the Akamas installation changes, update the Redirect URI in the app registration to avoid login errors such as:
The redirect URI 'https://...' specified in the request does not match the redirect URIS configured for the application '...'.
To automatically assign default roles to users, set up mappers in Keycloak so users can access the default workspace with read and write permissions upon first login.
In Keycloak, go to the provider's details page and navigate to Mappers:
Add the following configurations:
User role
Name: User role
Mapper type: Hardcoded role
Role: USER
Default Workspace Read
Name: Default Workspace Read
Mapper type: Hardcoded role
Role: WS_ac8481d3-d031-4b6a-8ae9-c7b366f027e8_R
Default Workspace Write
Name: Default Workspace Write
Mapper type: Hardcoded role
Role: WS_ac8481d3-d031-4b6a-8ae9-c7b366f027e8_W
Visit the Akamas installation's login page to verify that the new authentication method is displayed and working as expected.
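As an added check (not part of the Akamas or Keycloak documentation), the script below audits a Keycloak realm export for the two settings this page configures per identity provider: the three Hardcoded role mappers and a Post login flow whose User session count limiter is Required and set to "Deny new session"; it also derives the broker Redirect URI that the app registration must list when the Akamas hostname changes. The export excerpt is constructed; the Keycloak provider ids oidc-hardcoded-role-idp-mapper and user-session-limits and the export's field names are assumed from the Keycloak source and may need adjusting for your version.

```python
# Audit a Keycloak realm export (admin console "Partial export") for the IdP
# setup this page describes. The export below is constructed, not a real one.
EXPECTED_ROLES = ("USER", "WS_ac8481d3-d031-4b6a-8ae9-c7b366f027e8_R",
                  "WS_ac8481d3-d031-4b6a-8ae9-c7b366f027e8_W")
HARDCODED_ROLE = "oidc-hardcoded-role-idp-mapper"   # assumed id of "Hardcoded role"
SESSION_LIMITER = "user-session-limits"             # assumed id of "User session count limiter"

REALM_EXPORT = {
    "identityProviders": [{"alias": "microsoft", "providerId": "oidc",
                           "postBrokerLoginFlowAlias": "idp-session-limit"}],
    "identityProviderMappers": [{"identityProviderAlias": "microsoft",
                                 "identityProviderMapper": HARDCODED_ROLE,
                                 "config": {"role": r}} for r in EXPECTED_ROLES],
    "authenticationFlows": [{"alias": "idp-session-limit", "authenticationExecutions": [
        {"authenticator": SESSION_LIMITER, "requirement": "REQUIRED",
         "authenticatorConfig": "limit-1"}]}],
    "authenticatorConfig": [{"alias": "limit-1",
                             "config": {"userRealmLimit": "1", "behavior": "Deny new session"}}],
}

def broker_redirect_uri(base_url, realm, alias):
    """Redirect URI Keycloak generates for a provider; the IdP app registration must list it."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"

def audit_idp(export, alias):
    """Return findings for one provider; an empty list means it matches the page's setup."""
    findings = []
    idp = next((p for p in export["identityProviders"] if p["alias"] == alias), None)
    if idp is None:
        return [f"provider '{alias}' not found"]
    roles = {m["config"]["role"] for m in export["identityProviderMappers"]
             if m["identityProviderAlias"] == alias and m["identityProviderMapper"] == HARDCODED_ROLE}
    findings += [f"missing Hardcoded role mapper for {r}" for r in EXPECTED_ROLES if r not in roles]
    flow_alias = idp.get("postBrokerLoginFlowAlias")
    if not flow_alias:
        return findings + ["no Post login flow: session limit not enforced for this provider"]
    flow = next((f for f in export["authenticationFlows"] if f["alias"] == flow_alias), {})
    configs = {c["alias"]: c["config"] for c in export["authenticatorConfig"]}
    limiters = [e for e in flow.get("authenticationExecutions", [])
                if e.get("authenticator") == SESSION_LIMITER]
    if not limiters:
        findings.append(f"flow '{flow_alias}' has no User session count limiter")
    for ex in limiters:
        cfg = configs.get(ex.get("authenticatorConfig"), {})
        if ex.get("requirement") != "REQUIRED":
            findings.append("session limiter is not Required, so the flow can skip it")
        if cfg.get("behavior") != "Deny new session":
            findings.append(f"session limiter behavior is {cfg.get('behavior')!r}")
    return findings
```

Run audit_idp against each provider alias after exporting the realm; any non-empty result points at a mapper or flow setting that drifted from the steps above.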