With the release of Data Science & AI Workbench 5.6, significant improvements have been made to our Keycloak implementation. For details, please see the release notes. Upgrading to Workbench 5.6 requires Keycloak configuration changes to access your instance. You’ll need to add a service account with correct permissions to the anaconda-platform client, then add a protocol mapper to the roles client scope.

Enabling the service account

After your upgrade to Workbench 5.6+ completes:
  1. Open a browser and log in to your Keycloak admin panel using your existing Keycloak credentials. Your Keycloak admin panel can be found at https://<FQDN>auth/admin where <FQDN> is your Workbench fully qualified domain name.
  2. Verify you are on the anaconda-platform realm.
  3. Select Clients from the left-hand navigation, then select anaconda-platform from the list of available clients.
  4. Select the Service accounts roles checkbox under Capability config, then save your changes.
  5. Select the new Service accounts roles tab that appears at the top of the page.
  6. Click Assign role.
  7. Open the filter dropdown menu and select Filter by clients.
  8. Search for the view-users role.
  9. Select the role, then click Assign.

Adding the protocol mapper

  1. Select Client scopes from the left-hand navigation, then select roles from the list of available client scopes.
  2. Select the Mappers tab.
  3. Open the Add mapper dropdown menu and select By configuration.
  4. Select Audience.
  5. Complete the fields and set the toggle switches as indicated:
    • Name - my-audience
    • Included Client Audience - anaconda-platform
    • Add to ID token - ON
    • Add to access token - ON
  6. Click Save.
Success! You can now log in to your instance from an existing account and use Workbench normally.