Configuration of the Olvid Plugin
The last step is to configure the Olvid Plugin and generate the link Olvid users will use to bind their identity to the Keycloak server. Start by opening the Olvid Management Console by clicking the “Management Console” link from within the Keycloak console.
Here we describe the minimal steps to allow Olvid users to connect. More details about the various functionalities of the Olvid Management Console can be found in the pages under “Using the Management Console” in the left menu.
1. Realms configuration
Start by opening “Realms Configuration” from the left menu.
This page lets you configure which realm is used for the console administration and which realms are used by Olvid users:
- check the “Admin” checkbox in the olvid_admin realm
- check the “Olvid users” checkbox in the olvid realm
  - for user realms, you must also select the Client to use for authentication: select olvid_cl from the dropdown menu
  - choose the elliptic curve Key you generated previously so that it will be used to sign Olvid user certificates
- enter https://server.olvid.io for the “Olvid Message Distribution Server”
- if the public DNS for your Keycloak server is different from the DNS you connect to for administration, enter the public DNS in “Public Keycloak URL”
- enter the API key that was provided by the Olvid team in “Keycloak API Key”
Be sure to only use such an API key on a single server. If you need to deploy multiple Keycloak servers with different Olvid user realms, please request multiple API keys from the Olvid team, otherwise you will run into issues 😅
- check the “Revocation Allowed” checkbox if you want to allow users to replace their own Olvid identity on Keycloak after they have set it. This is not usually necessary in production, but can help during tests. If the checkbox is not checked, an administrator will need to manually revoke the user’s previous identity before they can change their identity
- do not forget to click “Save” and confirm your changes
As soon as some users have bound their Olvid identity to this Keycloak server, changing any of these parameters may require them to completely rebind their identity. You should normally not play with these settings too often!
2. Prometheus metrics
The Olvid Plugin can export usage metrics in the Prometheus format. If this is of interest to you, activate the switch at the top of the page and click “Save”. The link at the top points to the metrics export URL, which does not require authentication. It is recommended to block public access to this URL at your reverse proxy.
Currently the exported metrics are very basic. If a specific metric would be of interest to you, please let the Olvid team know: it will be added in a future release!
3. Test your configuration
Once the configuration is saved, the left menu is updated like this:
- The admin realm (here olvid_admin) lets you create admin users and assign them roles
- The user realms (like olvid) have more options:
  - the realm name leads to a dashboard for managing users, signing them out or revoking their identity
  - the “Revocation Log” shows a log of all the revocations that took place on the server
  - the “Olvid Groups” page (coming soon) allows defining discussion groups that are directly managed from Keycloak
  - the “Security Settings” page (coming soon) allows forcing certain security settings on Olvid users
For now, click on “olvid” to access the dashboard. This is where you will find the link you should distribute to Olvid users.
Click the blue “link” icon to open the configuration page. The URL should be something like this:
https://configuration.olvid.io/#eyJzZXJ2ZXIi [….] UwZjUyNiIsImNpZCI6Im9sdmlkX2NsIn19
That’s it, the Olvid Plugin is configured and the user you created should now be able to authenticate after opening this link inside Olvid or scanning the QR code shown on the page.
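The visible ends of the example link above decode, as base64, to `{"server"` and `"cid":"olvid_cl"}}`, so the fragment appears to be base64-encoded JSON. The following added example (not Olvid's code) decodes a link and checks it against the Public Keycloak URL and client you configured before you distribute it. It assumes the `server` value holds the Keycloak URL; the sample host and the `details` key are constructed placeholders, since the page does not show the full structure.

```python
import base64
import json
from urllib.parse import urlsplit

def decode_config_link(link):
    """Return the JSON object carried in the link's #fragment."""
    fragment = urlsplit(link).fragment
    if not fragment:
        raise ValueError("link has no #fragment")
    # Accept both base64 alphabets and restore any stripped padding.
    padded = fragment + "=" * (-len(fragment) % 4)
    raw = base64.b64decode(padded.replace("-", "+").replace("_", "/"), validate=True)
    config = json.loads(raw)
    if not isinstance(config, dict):
        raise ValueError("fragment does not decode to a JSON object")
    return config

def find_key(node, key):
    """Depth-first search for `key`, since the nesting is not documented on the page."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        node = list(node.values())
    for child in node if isinstance(node, list) else []:
        found = find_key(child, key)
        if found is not None:
            return found
    return None

def check_link(link, expected_server, expected_client):
    """Return a list of problems; an empty list means the link matches."""
    config, problems = decode_config_link(link), []
    server = str(config.get("server", ""))  # assumption: this is the Keycloak URL
    if urlsplit(server).scheme != "https":
        problems.append("server is not an https URL: %r" % server)
    if server.rstrip("/") != expected_server.rstrip("/"):
        problems.append("server is %r, expected %r" % (server, expected_server))
    cid = find_key(config, "cid")
    if cid != expected_client:
        problems.append("cid is %r, expected %r" % (cid, expected_client))
    return problems

# Constructed sample: the host and the "details" key are placeholders.
SAMPLE = {"server": "https://keycloak.example.com/auth", "details": {"cid": "olvid_cl"}}
SAMPLE_LINK = "https://configuration.olvid.io/#" + base64.b64encode(
    json.dumps(SAMPLE).encode()).decode().rstrip("=")

if __name__ == "__main__":
    print(check_link(SAMPLE_LINK, "https://keycloak.example.com/auth", "olvid_cl"))
```

A link whose `server` still shows the internal administration hostname means “Public Keycloak URL” was not set as described in step 1.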