
Identity and Access Management


Expertflow CX IAM (Identity and Access Management), backed by Keycloak, enables users to access all Expertflow CX resources securely. You can control Authentication (who can sign into CX) and Authorization (who is permitted to use a CX resource).

User Management

User management in Keycloak can be done through the Keycloak Admin Console, which is a web-based interface that allows administrators to manage users, roles, and permissions.

You can access your Keycloak Admin Console at https://[server-fqdn]/auth

See how user management can be done on the Keycloak interface here



Expertflow CX can be deployed on-prem or in the cloud as a standalone web application. After a successful deployment, you need to set up your client (resource server) in the Keycloak instance for authentication to work. Refer to the Keycloak Client Resource Management Setup guide to set up your client.


Apart from standalone deployment, you can set up your Expertflow CX solution within the Cisco Finesse environment (i.e., UCCX or UCCE). The following two methods are available as part of Expertflow CX IAM:

  1. Login with Finesse (SSO)

  2. Login with Finesse (Without SSO)

Using either of the above authentication methods, you can set up your Finesse environment with Expertflow CX.


Expertflow CX uses permission and access management (through Keycloak IAM) to control access to application resources. Role-based permissions apply at the top access level (i.e., admin, agent, supervisor), and a group-based implementation is available for more granular access levels. See Security and User Permissions for more information.


Keycloak provides single sign-on, multi-factor authentication, and authorization services. Re-authorization in Keycloak refers to the process of renewing or extending the access token or refresh token granted to a user after it has expired.

The process of re-authorization in Keycloak involves the following steps:

  1. Obtain a new access token: When the access token granted to a user expires, the user can obtain a new access token by sending a request to the Keycloak server. This request must include the refresh token that was issued with the original access token.

  2. Verify the refresh token: The Keycloak server verifies the refresh token and ensures that it is still valid. If the refresh token is valid, the server issues a new access token to the user.

  3. Update the token expiration time: The new access token will have a new expiration time, based on the configuration settings in Keycloak.

  4. Use the new access token: The user can then use the new access token to access protected resources or services.

The process of re-authorization in Keycloak may vary depending on the specific configuration settings and customer policies in place. However, we follow the above steps as a process in our solution.
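The four steps above, seen from the client side, as an added example that is not Expertflow's or Keycloak's own code. It assumes a public client, and the host, realm name, client id and sample responses are constructed placeholders; the token endpoint path follows the `/auth` base shown for the Admin Console.

```python
import json
import urllib.parse
import urllib.request

# Assumed values: host, realm and client id are placeholders, not from the page.
BASE = "https://cx.example.test/auth"   # stands in for https://[server-fqdn]/auth
REALM = "example-realm"
CLIENT_ID = "example-client"

# Constructed sample token-endpoint responses (not captured from a real server).
SAMPLE_OK = '{"access_token": "new-at", "expires_in": 300, "refresh_token": "new-rt", "refresh_expires_in": 1800}'
SAMPLE_REJECTED = '{"error": "invalid_grant", "error_description": "Token is not active"}'


class LoginRequired(Exception):
    """Refresh token was rejected (expired, revoked, session ended): log in again."""


def build_refresh_request(refresh_token):
    """Step 1: form-encoded refresh_token grant for the realm's token endpoint."""
    url = f"{BASE}/realms/{REALM}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "refresh_token": refresh_token,
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def apply_token_response(status, raw_body, now):
    """Steps 2-4: turn the server's answer into the session's new token state."""
    data = json.loads(raw_body)
    if status == 400 and data.get("error") == "invalid_grant":
        raise LoginRequired(data.get("error_description", "refresh token rejected"))
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}")
    return {
        "access_token": data["access_token"],
        # Store the refresh token the server returns; it may differ from the one sent.
        "refresh_token": data["refresh_token"],
        "access_expires_at": now + data["expires_in"],
        "refresh_expires_at": now + data["refresh_expires_in"],
    }


def needs_refresh(state, now, margin=30):
    """Refresh slightly early so a request never carries an expired access token."""
    return now >= state["access_expires_at"] - margin
```

A rejected refresh token is not retried: the client discards its stored tokens and sends the user back through the normal login.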

Integration with external IDPs

Keycloak supports a wide range of external identity providers (IDPs), which you can use to authenticate and authorize your existing users with Expertflow CX. Below is the list of external IDPs supported by Keycloak:

  1. LDAP: Keycloak can integrate with LDAP directories, such as Microsoft Active Directory and OpenLDAP, to authenticate and authorize users.

  2. SAML: Keycloak supports the SAML 2.0 standard, which allows integration with a variety of SAML identity providers, including Okta, Azure AD, and PingFederate.

  3. OAuth 2.0/OpenID Connect: Keycloak can act as an OAuth 2.0/OpenID Connect identity provider or client, which allows integration with a variety of external OAuth 2.0 and OpenID Connect providers, including Google, Facebook, and Microsoft.

  4. Kerberos: Keycloak can integrate with Kerberos authentication systems, which allows users to authenticate with their Kerberos credentials.

  5. Others: Keycloak also supports other identity providers, such as X.509 certificates, JWT tokens, and social identity providers like Twitter, GitHub, and LinkedIn.
