The EWC IAM system is part of the European Weather Cloud (EWC), providing centralized identity and access management based on Keycloak. This system ensures that users can securely access various EWC services with a single set of credentials.

To help you understand how the system works, this section covers the fundamental concepts and components involved.

Tenants and Realms

A Realm in Keycloak is like a space where user identities, roles, and permissions are managed. Realms are logical units within Keycloak that keep different applications and their user bases separate. Each realm has its own setup, including unique configurations, users, roles, and clients.

In the EWC, each tenant has its own dedicated Realm, created during the on-boarding process.

Users

A User in Keycloak is anyone who needs to access the EWC services. Users have unique identities (such as a username and password) that they use to log in. User accounts are unique within a single tenancy: a person who needs access to several EWC tenancies has a separate account in the IAM of each of those tenancies.

Roles

Roles define what actions users or groups of users can perform within the EWC IAM and the connected clients (applications and services). Roles come with certain responsibilities and permissions. For example, an "Admin" role might have permissions to manage other users and configure settings.

The EWC IAM has a set of predefined roles available. Tenant admins can create additional roles if their specific use cases require them.
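As an added illustration (not part of the EWC documentation or of Keycloak's own code), the following shows how a connected client could enforce these concepts on a Keycloak access token: it accepts the token only if it was issued by the expected tenant realm, is meant for this client, has not expired, and carries the required role at realm or client level. The hostname, realm name and client id are constructed placeholders; the `realm_access` and `resource_access` claim layout is Keycloak's standard token format, and signature verification is assumed to have been done separately against the realm's keys.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed placeholder values: EWC hostname, tenant realm and client id are not real.
IAM_BASE_URL = "https://iam.ewc.example"
EXPECTED_REALM = "tenant-a"
CLIENT_ID = "weather-portal"

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    Assumes the signature was already verified against the realm's JWKS
    (for example with a JWT library); this function only reads the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def authorize(token: str, required_role: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether the token may perform an action that needs required_role."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    # Realm isolation: a token minted by another tenant's realm must be rejected,
    # even if it carries the same role names. Keycloak issuers are <base>/realms/<realm>.
    if claims.get("iss") != f"{IAM_BASE_URL}/realms/{EXPECTED_REALM}":
        return False, "issued by a different realm"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # Audience: the token must be intended for this client, not for another application.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CLIENT_ID not in aud:
        return False, "not issued for this client"
    # Roles: realm-level roles plus roles scoped to this client.
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(CLIENT_ID, {}).get("roles", []))
    if required_role not in roles:
        return False, f"missing role {required_role}"
    return True, "ok"

def make_demo_token(payload: dict) -> str:
    """Build a constructed, unsigned token for local testing of the claim checks only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."
```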

Client Applications

Clients in Keycloak represent applications and services that EWC users access using their IAM credentials. Each client has its own settings and permissions.

The EWC IAM supports two kinds of client endpoints:

Advanced Concepts

Identity Providers

By default, user accounts are created locally in each tenant’s IAM system. However, Identity Providers allow you to log in using accounts from other systems outside of EWC, such as your organization’s own IAM system.

Setting up or configuring identity providers requires help from the helpdesk. 

User Federation

User Federation lets you log in to EWC systems using accounts from external user databases, such as LDAP or Active Directory. It imports your external user accounts into the EWC IAM. This is useful when your organization already manages user credentials in LDAP or Active Directory and wants to keep doing so.

To set up user federation, you’ll need help from the helpdesk.