The Dymium Platform integrates with many different IAMs and IdPs. It does so using OIDC (OpenID Connect). OIDC is an industry standard and supported by all currently maintained IAMs/IdPs such as Keycloak, Okta, Ping, Microsoft Entra ID, Microsoft ADFS and many more. This part shows how to configure the Dymium Platform, as well as Keycloak to provide authentication and authorization. Keycloak is used as an example, but the steps for other IAMs/IdPs are the same or similar, though the flow and nomenclature might differ.
Configure group
This step is optional if you want to use an existing group. In our case, we will configure a new group called “dymium_admins” that we will use to determine who will get admin access to the Dymium Platform. You can choose your own name if required.
Navigate to “Groups” and click “Create Group”.
Enter a Name and Description and click “Create”.
Click on the newly created group and navigate to “Members” and click “Add member”.
Select at least the user that will be used to test the authentication and click “Add”.
Configuring a Keycloak Client scope
The Dymium Platform uses group memberships to authorize access to the Dymium admin UI as well as to define policies: who has access to what data, in which context, with which transformations, and so on. These group memberships can be configured manually in the Dymium admin UI, but it is much easier to use the group memberships sent as OIDC claims. Not all IAMs/IdPs include group membership in tokens by default, and Keycloak is one that does not, so we will configure Keycloak to include group memberships. This is done with a Client scope.
Navigate to “Client scopes” and click “Create client scope”.
For the “Name” field enter “groups”. Provide a description and select “Default” as the “Type”. Click “Save”.
Next navigate to the “Mappers” tab and click “Configure a new mapper”.
In the “Configure a new mapper” screen, select “Group Membership”.
In the “Add mapper” screen, enter “groups” for both the “Name” and the “Token Claim Name”. Note that “Token Claim Name” has to be exactly “groups” and is case sensitive. Also, toggle off “Full group path” and click “Save”.
Configuring a Keycloak client
In Keycloak, a client is the entity that uses Keycloak to authenticate users and obtain tokens. In our case, this is the Dymium Platform. Configuring a Keycloak client will provide us with the parameters needed to configure the Dymium Platform to use Keycloak.
Navigate to “Clients” and click “Create client”.
Provide a “Client ID”, “Name” and “Description”. Make note of the “Client ID”, as you will need this later. In our example we will use “dymium” (case sensitive). Click “Next”.
Enable “Client authentication”, check “Service accounts roles” and click “Next”.
Configure the following items:
- Root URL
- Valid redirect URIs
- Valid post logout redirect URIs
- Web origins
Click “Save”.
Note that the URLs using portal.dymium.ai are for GhostDB, GhostAI, GhostMCP and others, whereas the URLs using chat.dymium.ai are only for GhostAI. Depending on your subscription, you might not need both.
Navigate to the “Credentials” tab and click the copy button to copy the Client Secret. You will need this client secret when configuring the Dymium Platform.
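Before entering the Client ID and Client Secret into the Dymium Platform, it is worth confirming two things from the steps above: that the client credentials are accepted by Keycloak, and that tokens issued by the realm carry a claim named exactly “groups” with plain group names rather than full paths. The script below is an added example written for this guide, not Dymium’s or Keycloak’s own code. It assumes a Keycloak base URL (the environment variable names KEYCLOAK_URL, KEYCLOAK_REALM, CLIENT_ID, CLIENT_SECRET and KEYCLOAK_TOKEN are this example’s own choices), and the token endpoint path is Keycloak’s standard /realms/{realm}/protocol/openid-connect/token. Run without any environment variables and it checks a constructed sample token that still has “Full group path” enabled, so you can see what a misconfiguration report looks like.

```python
"""Sanity-check a Keycloak client and its "groups" claim before wiring them into Dymium.

Added example for this guide (not Dymium's or Keycloak's code). Environment variable
names are this example's own. With KEYCLOAK_URL, KEYCLOAK_REALM, CLIENT_ID and
CLIENT_SECRET set, it obtains a token with the client-credentials grant (possible
because "Service accounts roles" was enabled). With only KEYCLOAK_TOKEN set, it checks
that token. With nothing set, it checks a constructed sample.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

EXPECTED_CLAIM = "groups"      # must equal the mapper's "Token Claim Name" exactly (case sensitive)
ADMIN_GROUP = "dymium_admins"  # the group created at the start of this guide


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict.

    The signature is deliberately NOT verified: this is a configuration check on a
    token you just received over TLS from your own Keycloak, not an authorization
    decision. Never use this function to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_groups_claim(payload: dict) -> list:
    """Return the configuration problems found in a token payload (empty list if OK)."""
    problems = []
    if EXPECTED_CLAIM not in payload:
        # The usual mistake is a near miss such as "Groups" or "group" in the mapper.
        near = [k for k in payload if k.lower() in ("groups", "group")]
        hint = f" (found {near} instead)" if near else ""
        problems.append(f'claim "{EXPECTED_CLAIM}" is missing{hint}')
        return problems
    groups = payload[EXPECTED_CLAIM]
    if not isinstance(groups, list):
        problems.append(f'claim "{EXPECTED_CLAIM}" is not a list: {groups!r}')
        return problems
    full_paths = [g for g in groups if isinstance(g, str) and g.startswith("/")]
    if full_paths:
        # A leading "/" means "Full group path" was left on in the mapper.
        problems.append(f'"Full group path" is still enabled: {full_paths}')
    elif ADMIN_GROUP not in groups:
        problems.append(f'token holder is not a member of "{ADMIN_GROUP}"')
    return problems


def token_endpoint(base_url: str, realm: str) -> str:
    """Keycloak's OIDC token endpoint for a realm."""
    realm_q = urllib.parse.quote(realm, safe="")
    return f"{base_url.rstrip('/')}/realms/{realm_q}/protocol/openid-connect/token"


def fetch_client_credentials_token(base_url, realm, client_id, client_secret) -> str:
    """Client-credentials grant: proves the Client ID / Client Secret pair is accepted.

    The resulting token belongs to the client's service-account user, so the groups
    it lists are that user's, not those of the test user added to the group above."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_endpoint(base_url, realm), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned token for offline demonstration only (empty signature)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}."


if __name__ == "__main__":
    names = ("KEYCLOAK_URL", "KEYCLOAK_REALM", "CLIENT_ID", "CLIENT_SECRET")
    env = {k: os.environ.get(k) for k in names}
    if all(env.values()):
        token = fetch_client_credentials_token(*(env[k] for k in names))
    else:
        # Constructed sample: the mapper was saved with "Full group path" still on.
        token = os.environ.get("KEYCLOAK_TOKEN") or make_sample_token(
            {"sub": "constructed-user", "groups": ["/dymium_admins"]})
    found = check_groups_claim(decode_payload(token))
    print("OK: groups claim looks right" if not found
          else "\n".join("PROBLEM: " + p for p in found))
    sys.exit(1 if found else 0)
```

For the group check against your real test user, paste a token issued to that user into KEYCLOAK_TOKEN rather than relying on the service-account token, which only reflects the service account’s own group memberships. An exit status of 1 means at least one of the settings from the Client scope section needs revisiting.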