Access control
Before a new device can connect, the Scout Cloud Gateway (SCG) must ensure that the user is authenticated. Three authentication sources are supported: a connection to Active Directory, a connection to the identity management system Keycloak, which keeps user authentication strictly separated from the SCG, and access tokens that you define directly in the SCG.
After a user has been authenticated successfully, a certificate is issued for the device and checked at each subsequent logon. As long as the certificate is valid, no new user logon to the SCG is required, so the certificate's validity period determines how long a device keeps its access without the user authenticating again. The device certificates use RSA keys with a length of 4096 bits (from SCG 1 2209). Administrators can configure certificate renewal and get a quick overview of expiring certificates in the Devices view and on the Dashboard (from SCG 1 2209) of the WebAdmin interface.
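The certificate life cycle described above, as an added example written for this page and not code from the Scout Cloud Gateway: a constructed issuing CA signs a 4096-bit RSA client certificate for a device after a successful logon, the certificate is checked at the next logon (chain to the CA, validity period at the time of the check, client-authentication usage), and a renewal window yields the list of devices whose certificates are about to expire. The CA name, the device ID in the subject CN and the 90-day validity are assumptions; the real SCG does not publish its certificate profile on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed issuing CA for the example; the SCG's real CA is
// not described on the page, so this one is constructed here.
func newCA(bits int, now time.Time, validFor time.Duration) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "SCG Device CA (example)"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert is the step after a successful user logon: the CA signs a
// client-authentication certificate for the device's public key. The private
// key stays on the device; only the public key reaches the gateway.
func issueDeviceCert(ca *x509.Certificate, caKey *rsa.PrivateKey, devicePub *rsa.PublicKey,
	deviceID string, now time.Time, validFor time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceID}, // device ID as CN is an assumption
		NotBefore:    now,
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, devicePub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkDeviceCert is the check at the next logon: the certificate must chain to
// the gateway's CA, be inside its validity period at now, and be usable for client
// authentication. On success the device is admitted without a user logon.
func checkDeviceCert(cert, ca *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// expiringWithin is the "expiring certificates" overview: the devices whose
// certificate ends within the renewal window and should be renewed now.
func expiringWithin(certs []*x509.Certificate, now time.Time, window time.Duration) []string {
	var due []string
	for _, c := range certs {
		if c.NotAfter.Before(now.Add(window)) {
			due = append(due, c.Subject.CommonName)
		}
	}
	return due
}

func main() {
	now := time.Now()
	ca, caKey, _ := newCA(4096, now, 10*365*24*time.Hour) // 4096-bit RSA as stated on the page
	devKey, _ := rsa.GenerateKey(rand.Reader, 4096)      // generated on the device
	cert, _ := issueDeviceCert(ca, caKey, &devKey.PublicKey, "thinclient-0042", now, 90*24*time.Hour)
	fmt.Println(checkDeviceCert(cert, ca, now.Add(24*time.Hour)))   // thinclient-0042 <nil>
	fmt.Println(checkDeviceCert(cert, ca, now.Add(91*24*time.Hour))) // expired: "" and an error
	fmt.Println(expiringWithin([]*x509.Certificate{cert}, now.Add(70*24*time.Hour), 30*24*time.Hour))
}
```

The second check deliberately happens after the 90 days have elapsed and fails with a validity error; that is the point at which the gateway falls back to a user logon. A certificate issued by a different CA fails the same check even if its subject matches, which is what ties the device identity to the gateway's own issuer.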
User authentication via Active Directory
Active Directory handles both the authentication and the assignment of the device to its OU. The OU assignments must be configured in the AD environment beforehand.
Authorized AD users then log on to the Scout Cloud Gateway once from their device. The AD server validates the logon data. In addition to authenticating the user, the device is registered on the Scout Server in the OU given by that user's assignment.
In the Devices view of the WebAdmin interface, usernames are displayed with their domain.
User authentication via Keycloak
Keycloak implements the OpenID Connect protocol and is well suited for connecting devices via the Scout Cloud Gateway. User authentication takes place completely outside the SCG, so the SCG never handles the logon data. The Keycloak server must use TLS with a certificate signed by a certificate authority that the SCG trusts; a self-signed certificate is not sufficient.
Keycloak also acts as an identity broker and supports user accounts from other identity and access management systems, including Active Directory.
The Scout Cloud Gateway redirects the user (1) to Keycloak for logon (2). In the logon dialog of the identity provider configured in Keycloak, the user enters their logon data, which that identity provider verifies (3). After successful authentication, Keycloak returns an access token and an ID token for the user to the SCG (4). The SCG therefore never sees the user's logon data. As with any OpenID Connect relying party, the tokens are only trustworthy after their signature, issuer, audience and expiry have been verified against the configured Keycloak realm.
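Step 4 hands the SCG an ID token, and a relying party must not act on it before validating it. The following Go program is an added example written for this page, not gateway or Keycloak code: signIDToken plays the Keycloak side and mints an RS256-signed token, and verifyIDToken performs the relying-party checks (pinned algorithm, signature, iss, aud, exp, nonce) on the gateway side. The realm URL, client ID and claim values are constructed for the example; in a real deployment the verification key comes from the realm's JWKS endpoint rather than a locally generated key pair.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
type IDTokenClaims struct { // the claims the relying party (the SCG at step 4) must check
	Iss               string          `json:"iss"`
	Aud               json.RawMessage `json:"aud"` // a string or an array of strings
	Exp               int64           `json:"exp"`
	Nonce             string          `json:"nonce"`
	PreferredUsername string          `json:"preferred_username"`
}

// signIDToken stands in for Keycloak and issues an RS256-signed JWT; only verifyIDToken models gateway logic.
func signIDToken(key *rsa.PrivateKey, claims map[string]any) string {
	payload, _ := json.Marshal(claims) // plain strings and integers: cannot fail
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only for an unusable key; this is the simulated IdP, not gateway code
	}
	return input + "." + b64.EncodeToString(sig)
}

// audienceContains accepts both "aud" encodings the JWT spec allows.
func audienceContains(raw json.RawMessage, want string) bool {
	var single string
	var many []string
	if json.Unmarshal(raw, &single) == nil {
		many = []string{single}
	} else if json.Unmarshal(raw, &many) != nil {
		return false
	}
	for _, a := range many {
		if a == want {
			return true
		}
	}
	return false
}

// verifyIDToken performs the relying-party checks of OpenID Connect Core 3.1.3.7: pinned
// algorithm, signature with the realm's key (from Keycloak's JWKS endpoint in practice),
// iss, aud, exp and the nonce the gateway generated when it redirected the user in step 1.
func verifyIDToken(token string, pub *rsa.PublicKey, iss, aud, nonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var seg [3][]byte
	for i, p := range parts {
		var err error
		if seg[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var header struct{ Alg string `json:"alg"` }
	_ = json.Unmarshal(seg[0], &header) // a malformed header leaves Alg empty and is rejected
	if header.Alg != "RS256" { // never let the token choose: rejects "none" and HS256 key confusion
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var c IDTokenClaims
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != iss:
		return nil, fmt.Errorf("issuer %q is not the configured realm", c.Iss)
	case !audienceContains(c.Aud, aud):
		return nil, errors.New("token was not issued to this client")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: replayed or from another session")
	}
	return &c, nil
}

func main() { // stand-alone demo with an assumed realm URL and client ID
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok := signIDToken(key, map[string]any{"iss": "https://idp.example/realms/scout", "aud": "scg",
		"nonce": "n-1", "exp": time.Now().Add(time.Minute).Unix(), "preferred_username": "jdoe"})
	fmt.Println(verifyIDToken(tok, &key.PublicKey, "https://idp.example/realms/scout", "scg", "n-1", time.Now()))
}
```

The nonce is the detail most often skipped: the gateway generates it per authentication request, stores it in the pending session, and only then redirects to Keycloak, so a token captured from another session cannot be replayed into this one. The algorithm is pinned to what the realm is known to use rather than read from the token, which is what blocks the classic alg=none and HMAC key-confusion tricks.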
Users who are authenticated via Keycloak are always assigned to the standard OU defined in the Scout Console. In the Devices view of the WebAdmin interface, their usernames are displayed without a domain.
User authentication directly via Scout Cloud Gateway
Users receive a token from the administrator to register their device. The tokens are defined in the SCG WebAdmin interface after installation, and each token is assigned the OU in which the user's device is to be registered. Because anyone who holds a token can register a device into that OU, tokens should be handed to users over a trusted channel.