Users

A User is an entity that can log into the application and, given the right privileges, can perform all the available actions. A user is bound to a specific certificate that authenticates it to the MTG CARA system. Users are mapped to Keycloak users, so all user administration operations can also be executed via the Keycloak administration console. More details about Keycloak user administration can be found at www.keycloak.org/docs/latest/server_admin/index.html#user-management .

1. View Users

All registered users are listed on the Administration / Users / Show page. Clicking a User ID opens the User Details page, which displays the user's identity information and, where present, the user's certificate details and the associated issued certificate. Users can be searched either by their exact user ID or by a substring of the first name, last name or email. The search can additionally filter users by whether or not a User Certificate is associated with them.

2. Create User

A User can be created on the Administration / Users / Create page. In the first step of the wizard, the details of the new user must be specified. The email must be unique among all registered users, and the first name and last name may each contain up to 31 characters.

The second and third steps are identical to the Certificate Creation mechanism. The created user carries the data provided above, and its Common Name defaults to the first name and last name concatenated.

Users can also be created through the Keycloak administration console. Users created there are imported into CARA either manually, with the Administration / Users / Sync button, or automatically when a user search is performed.

3. Create Certificate for Users

During the certificate creation process CARA reads a set of attributes and includes them in the generated certificate. The attributes are listed below; an asterisk marks the fields that are required for certificate creation.

  • first Name*

  • last Name*

  • email

  • commonName*

  • organization

  • organizationUnit

  • country

These attributes are retrieved from Keycloak as custom user attributes during the certificate creation process; the required fields must not be empty, otherwise the process cannot complete. The RA operator sets these attributes either from the user's details page, via the View User Details in ID Provider option, which redirects to the Keycloak admin console, or directly in the Keycloak admin console. For more information about setting these attributes through the Keycloak admin console see Chapter 5 or Keycloak Migration. Each user's details are then retrieved from the Keycloak custom user attributes defined there.

Certificate creation is supported both for a single user and for multiple users. For a single user, open the user's details page, click the Create User Certificate button and complete the user certificate creation flow as described in Chapter 2. The user's certificate details are mandatory to complete the flow; if they are not set for the selected user, the wizard first redirects the operator to the user certificate details page to set the required attributes.

Batch user certificate creation is identical to the single-user flow with a few differences. It is supported only for the server-generated certificate source (see Certificate Source), and the generated certificates are delivered to the operator as a zip file containing a p12 and a jceks file for each user, all protected by one common keystore password. The filename for each user consists of the user's common name followed by the serial number of the generated certificate. Because a single password unlocks every keystore in the archive, the password should not be distributed together with the zip file.
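Since the wizard stops at every user whose required attributes are missing, a batch run is smoother if the users are checked beforehand. The following script is an added example, not code from MTG CARA or Keycloak: it takes user representations in the shape returned by the Keycloak Admin REST API (GET /admin/realms/{realm}/users), reports which users still lack the required attributes, and builds the PUT body that fills in CARA's default Common Name. The custom attribute keys (firstName, lastName, commonName, organization, organizationUnit, country), the space used when concatenating first and last name, the reuse of the 31-character limit from user creation, and the rule that a disabled Keycloak user gets no certificate are assumptions of this example, not statements from the documentation.

```python
"""Pre-flight check of Keycloak users before CARA user-certificate creation.

Added example; not code from MTG CARA or Keycloak.  Assumptions (not
confirmed by the CARA documentation): the attribute keys below, the
31-character name limit, the space in the default Common Name, and that
a disabled Keycloak user should not receive a certificate.
"""
import json
import urllib.request

REQUIRED = ("firstName", "lastName", "commonName")               # starred fields
OPTIONAL = ("email", "organization", "organizationUnit", "country")
MAX_NAME_LEN = 31


def attribute(user, key):
    """Return the user's value for key, or '' if absent or blank.

    firstName, lastName and email are built-in Keycloak user fields; the
    rest are custom attributes, which Keycloak serialises as
    {"attributes": {"key": ["value", ...]}}.
    """
    if key in ("firstName", "lastName", "email"):
        value = user.get(key) or ""
    else:
        values = (user.get("attributes") or {}).get(key) or []
        value = values[0] if values else ""
    return (value or "").strip()


def default_common_name(user):
    """CARA's default CN: first name and last name concatenated (space assumed)."""
    return f"{attribute(user, 'firstName')} {attribute(user, 'lastName')}".strip()


def check_user(user):
    """Return the problems that would block certificate creation ([] = ready)."""
    problems = []
    for key in REQUIRED:
        if not attribute(user, key):
            problems.append(f"missing required attribute {key}")
    for key in ("firstName", "lastName"):
        if len(attribute(user, key)) > MAX_NAME_LEN:
            problems.append(f"{key} exceeds {MAX_NAME_LEN} characters")
    if not user.get("enabled", False):
        problems.append("user is disabled in Keycloak")
    return problems


def preflight(users):
    """Split users into (ready_usernames, {username: [problems]})."""
    ready, blocked = [], {}
    for user in users:
        problems = check_user(user)
        if problems:
            blocked[user["username"]] = problems
        else:
            ready.append(user["username"])
    return ready, blocked


def attribute_patch(user):
    """Body for PUT /admin/realms/{realm}/users/{id} that sets a missing
    commonName to CARA's default and leaves other attributes untouched.
    Returns None when there is nothing to change."""
    if attribute(user, "commonName") or not default_common_name(user):
        return None
    attrs = dict(user.get("attributes") or {})
    attrs["commonName"] = [default_common_name(user)]
    return {"attributes": attrs}


def fetch_users(base_url, realm, token, max_users=500):
    """Live variant: read users from the Keycloak Admin REST API.
    Not exercised here; needs network access and an admin bearer token."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/users?max={max_users}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data in Keycloak's user-representation shape.
SAMPLE_USERS = [
    {"username": "alice", "enabled": True, "firstName": "Alice",
     "lastName": "Example", "email": "alice@example.org",
     "attributes": {"commonName": ["Alice Example"], "country": ["DE"]}},
    {"username": "bob", "enabled": True, "firstName": "Bob",
     "lastName": "", "attributes": {}},                     # no lastName, no CN
    {"username": "carol", "enabled": False, "firstName": "Carol",
     "lastName": "Example", "attributes": {"commonName": ["Carol Example"]}},
]

if __name__ == "__main__":
    ready, blocked = preflight(SAMPLE_USERS)
    print("ready:", ready)
    for name, problems in blocked.items():
        print(f"{name}: {'; '.join(problems)}")
```

Run against the constructed sample, only alice is ready; bob is blocked for a missing last name and common name, and carol because she is disabled. The patch produced for bob shows the default CN CARA would derive, which is still wrong while the last name is empty, so the operator should correct the name in Keycloak first and only then apply the patch.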

4. Activate User

Users are activated and deactivated in the Keycloak admin console with the Enabled toggle.

5. Modify User

User modification is available through the Keycloak administration console. In addition, when a user is already associated with a certificate, the RA operator can renew that certificate by clicking the Renew button in the certificate details section of the user's details page; the renewal process is identical to the single-user certificate creation process described in Chapter 3. User activation, password setup, modification of identity details and similar operations are delegated to Keycloak. For more details see Keycloak Migration.

6. Delete User

Users can be deleted only through the Keycloak administration console. After a user is deleted from Keycloak, the user deletion cron job removes the corresponding user from the MTG CARA system; until that job has run, the user record still exists in CARA.

7. User Passwords

User passwords are managed through the Keycloak administration console. A newly created user has no password. It can be set in the Keycloak administration console, or an update-password email can be sent from Administration / Users / Show: select the users concerned and, from the Actions tab, click Send update password email to selected users. Each selected user receives an email with which to set or update their password. A password policy can also be configured in the Keycloak admin console to ensure that users choose strong passwords; for details about Keycloak password policies see www.keycloak.org/docs/6.0/server_admin/#_password-policies .
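A Keycloak password policy is a string of clauses joined by "and", such as length(12) and digits(1) and notUsername, and it is easy to write one that locks users out or is weaker than intended. The script below is an added example, not Keycloak's or MTG CARA's code: it parses such a policy string and re-implements the checks of several of Keycloak's built-in policy providers (length, maxLength, digits, lowerCase, upperCase, specialChars, notUsername, notEmail, regexPattern) so an RA operator can try a candidate policy against example passwords offline before setting it on the realm. The real providers may differ in detail, for instance in which characters count as special, so treat the result as an approximation.

```python
"""Local evaluation of a Keycloak-style password policy string.

Added example, not Keycloak's or MTG CARA's code.  Approximates the
checks of a subset of Keycloak's built-in policy providers.
"""
import re

# One clause per policy provider, e.g. "length(12)" or "notUsername";
# clauses are joined by the word "and".  regexPattern arguments that
# themselves contain ")" are not handled by this simple grammar.
CLAUSE_RE = re.compile(r"([A-Za-z]+)(?:\(([^)]*)\))?")


def parse_policy(policy):
    """'length(12) and digits(1)' -> [('length', '12'), ('digits', '1')]"""
    return [(name, arg) for name, arg in CLAUSE_RE.findall(policy)
            if name != "and"]


def _count(password, predicate):
    return sum(1 for ch in password if predicate(ch))


def check_password(policy, password, username="", email=""):
    """Return the policy clauses the password violates ([] = accepted)."""
    violations = []
    for name, arg in parse_policy(policy):
        n = int(arg) if arg.isdigit() else 0
        failed = (
            (name == "length" and len(password) < n)
            or (name == "maxLength" and len(password) > n)
            or (name == "digits" and _count(password, str.isdigit) < n)
            or (name == "lowerCase" and _count(password, str.islower) < n)
            or (name == "upperCase" and _count(password, str.isupper) < n)
            # Keycloak counts characters that are neither letters nor digits.
            or (name == "specialChars"
                and _count(password, lambda c: not c.isalnum()) < n)
            or (name == "notUsername"
                and bool(username) and password.lower() == username.lower())
            or (name == "notEmail"
                and bool(email) and password.lower() == email.lower())
            or (name == "regexPattern" and not re.fullmatch(arg, password))
        )
        if failed:
            violations.append(f"{name}({arg})" if arg else name)
    return violations


def realm_update_body(policy):
    """JSON body for PUT /admin/realms/{realm} that applies the policy."""
    return {"passwordPolicy": policy}


# Candidate policy for the RA realm (constructed example).
EXAMPLE_POLICY = ("length(12) and digits(1) and upperCase(1) and lowerCase(1) "
                  "and specialChars(1) and notUsername and notEmail")

if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3x", "alice"):
        result = check_password(EXAMPLE_POLICY, pw, username="alice",
                                email="alice@example.org")
        print(f"{pw!r}: {', '.join(result) or 'accepted'}")
```

Once the policy behaves as expected, the realm-level setting is the passwordPolicy field of the realm representation; with the Keycloak CLI that is kcadm.sh update realms/<realm> -s 'passwordPolicy=<policy string>'. Note that a policy only constrains passwords set from that point on, so existing users keep their current passwords until an update-password action is sent to them.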

Additionally, an RA operator can disable password login for a specific user. For more details see Keycloak Migration.