7. Federated authentication for administrators

This section describes how to configure and operate federated authentication for administrators in Nubus for UCS that authenticates and authorizes administrative user accounts with an external identity and access management (IAM).

Concepts

Background, data protection, Keycloak mappers, prerequisites, and configuration sequence.

Configure Nubus for UCS

Configure Nubus for UCS to accept federated accounts.

Establish trust between Nubus and the upstream IdP

Establish a trust relationship between Nubus Keycloak and your upstream identity provider.

Configure the UMC OIDC client

Configure the UMC OIDC client to pass identity and role information to the Management UI.

Configure role assignment strategies

Choose and configure how federated users receive guardian roles: direct attribute or group-based assignment.

Verify the configuration of federated authentication

Test and confirm that federated authentication works.

Manage administrators for federated authentication

Add, remove, and update administrators, and prepare for upstream IAM outages.

Troubleshooting federated authentication

Diagnose and resolve common sign-in, permission, and authorization issues.

Contents

• 7.1. Concepts
  • 7.1.1. Basic idea
  • 7.1.2. Data protection
  • 7.1.3. Understanding Keycloak mappers
  • 7.1.4. Technical prerequisites
  • 7.1.5. Before you begin
• 7.2. Configure Nubus for UCS
  • 7.2.1. UMC permissions for federated accounts
  • 7.2.2. Enable federated account support in LDAP
  • 7.2.3. Keycloak and single sign-on in the Management UI
• 7.3. Establish trust between Nubus and the upstream IdP
  • 7.3.1. Upstream IdP configuration
  • 7.3.2. Nubus Keycloak identity provider configuration
• 7.4. Configure the UMC OIDC client
• 7.5. Configure role assignment strategies
  • 7.5.1. Direct role attribute approach
    • 7.5.1.1. Upstream IdP
    • 7.5.1.2. Nubus IdP
    • 7.5.1.3. UMC OIDC clients
    • 7.5.1.4. Authentication flow for direct roles
  • 7.5.2. Group-based role assignment approach
    • 7.5.2.1. Example structure
    • 7.5.2.2. Upstream IdP configuration
    • 7.5.2.3. Nubus IdP configuration
    • 7.5.2.4. Providing guardian roles to UMC
    • 7.5.2.5. Sign-in flow for group-based roles
    • 7.5.2.6. Automating the configuration
• 7.6. Verify the configuration of federated authentication
  • 7.6.1. Test the sign-in
  • 7.6.2. Logging
• 7.7. Manage administrators for federated authentication
  • 7.7.1. Add a new administrator
  • 7.7.2. Update administrative roles
  • 7.7.3. Prepare emergency access
• 7.8. Troubleshooting federated authentication
  • 7.8.1. Sign-in fails
  • 7.8.2. No management modules are visible after sign-in
  • 7.8.3. Authorization doesn’t work