Configure Authentication for MATLAB Web App Server on AWS
Supported Platform: Linux® server only
After you deploy the MATLAB® Web App Server™ reference architecture in Amazon® Web Services and configure licensing, you can configure user authentication for the server.
Starting in R2025a, MATLAB Web App Server reference architecture in AWS® on Linux uses Keycloak as the default authentication identity provider. Keycloak is a cloud native solution that provides authentication, authorization, and user management for applications and services. If you have an existing identity provider that you would like to use for authentication, you can federate to that identity provider through Keycloak, or you can configure authentication with your preferred identity provider directly using LDAP or OIDC.
For information on deploying the reference architecture on AWS, see MATLAB Web App Server on Amazon Web Services.
Authenticate Using Keycloak
Since R2025a
Note
If the EC2 instance that hosts the server uses private IP addresses, you can connect to the Keycloak administration console from an EC2 instance that belongs to the same VPC as the server EC2 instance.
After you deploy MATLAB Web App Server, log in to the Keycloak administration console to configure user authentication and change the default admin credentials.
In the AWS management console, open the Stack details for your stack and click the Outputs tab.
Look for the key named KeycloakConsoleUrl and click the corresponding URL listed under value. This opens the administration console for your Keycloak server.
The first time you access the Keycloak administration console, you can log in using the following information:
Username | keycloak-admin |
Password | keycloak-admin |
After you log in to the Keycloak administration console for the first time, you are prompted to set a new password for the admin account.
You can set up user authentication directly with Keycloak or federate with a third-party identity provider. Add or modify groups and users as needed through your authentication provider. For more information, see Managing users in the Keycloak documentation.
Realms
A realm is a space where you manage objects, including users, applications, roles, and groups. The Keycloak server is pre-configured with two realms, master and MATLAB Web App Server.
The master realm contains the keycloak-admin user that can log in to the Keycloak administration console. In the master realm, the admin realm role grants a user the ability to log in to the Keycloak administration console.
The MATLAB Web App Server realm contains users and groups that can access the MATLAB Web App Server home page and admin portal.
For more information on realms, see Configuring realms in the Keycloak documentation.
Users and Groups
In the MATLAB Web App Server realm, the default configuration includes three user accounts you can use to log in to the server home page. Each user belongs to one or more pre-configured groups, granting them specific permissions on the MATLAB Web App Server.
Group Name | Group Permissions | Group Members |
---|---|---|
MATLAB Web App Server Administrators | | |
MATLAB Web App Server Authors | | |
MATLAB Web App Server Users | | |
The default password for each user is the same as the username. For instance, the default password for the admin account is matlab-webapps-admin. After you log in to a user account for the first time, you are prompted to change the password.
Add new users and configure group membership in the Keycloak administration console by navigating to the Users page and clicking Add user. You can specify the username, required actions on login, and configure group membership. By default, new users are automatically added to the MATLAB Web App Server Users group. For more information on managing users in Keycloak, see Managing users in the Keycloak documentation.
When you add a user to one of the MATLAB Web App Server pre-configured groups, the user gains the permissions associated with the group. For instance, the MATLAB Web App Server Authors group includes upload and delete permissions for the web apps in the SampleApps folder. You do not need to restart the server after adding a user to a pre-configured group.
To allow users or groups to access specific web apps or app folders on the MATLAB Web App Server home page, configure user app access using the admin portal App Management page. For example, you could give the MATLAB Web App Server Authors group permission to upload, delete, and execute apps in the root folder.
To allow a user to access the admin portal, add the user to the MATLAB Web App Server Administrators group. For information about using the admin portal, see Manage MATLAB Web App Server on AWS Using Admin Portal.
Authenticate Using LDAP or OIDC
Note
If the EC2 instance that hosts the server uses private IP addresses, you can connect to the server EC2 instance from an EC2 instance that belongs to the same VPC as the server EC2 instance.
As an alternative to Keycloak, you can configure authentication manually using Lightweight Directory Access Protocol (LDAP) or OpenID Connect (OIDC).
To set up manual authentication, connect to the EC2 instance hosting MATLAB Web App Server using SSH.
In the AWS management console, open the Stack details for your stack and click the Outputs tab.
Look for the key named MATLABWebAppServerEC2Instance and click the corresponding URL listed under value. This opens the server instance page.
Click the value under Instance ID to view the instance summary.
Click the Connect button at the top.
In the Connect to instance dialog, click SSH client.
Follow the instructions on the page to connect to the EC2 instance.
After you connect to the server EC2 instance, edit the file named webapps_authn.json located in the /local/MathWorks/webapps/<release>/config/webapps_private folder. The format for webapps_authn.json depends on whether you are using LDAP or OIDC for authentication. For more details, see Authentication.
To obtain the value for redirectUrl, use the following steps.
In the AWS management console, select the stack you deployed.
In the Stack details for your stack, click the Outputs tab.
Look for the key named MATLABWebAppServerOIDCRedirectUrl and copy the corresponding URL listed under value.
Use this URL in the webapps_authn.json file.
Restart the server for changes to take effect.
Remove All Authentication
Caution
Web apps hosted on a server with no authentication are accessible to the open internet.
To remove all authentication from the server and permit open access, remotely log in to the server machine. Then, rename or delete the following files in /local/MathWorks/webapps/<release>/config/webapps_private:
- webapps_authn.json
- webapps_app_roles.json
- webapps_acc_ctl.json
Restart the server for changes to take effect. To re-enable authentication, restore the files to the webapps_private folder.
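The following check is an added example, not part of the MathWorks documentation. It reports when any of the three files named above is missing from the webapps_private folder (the state this section describes as open access) and, optionally, whether the redirectUrl in webapps_authn.json matches the MATLABWebAppServerOIDCRedirectUrl stack output. The function name audit_webapps_auth and its exit codes are assumptions, and the redirectUrl lookup assumes the key and its quoted value sit on one line of the file.

```shell
#!/bin/sh
# Added example: audit MATLAB Web App Server authentication files.
# File names are taken from the page; everything else is hypothetical.

AUTH_FILES="webapps_authn.json webapps_app_roles.json webapps_acc_ctl.json"

# audit_webapps_auth CONFIG_DIR [EXPECTED_REDIRECT_URL]
# CONFIG_DIR is /local/MathWorks/webapps/<release>/config/webapps_private
# with <release> replaced by the installed release.
# Returns: 0 all files present (and redirectUrl matches, if given)
#          1 at least one file is missing or empty
#          2 CONFIG_DIR does not exist
#          3 redirectUrl differs from EXPECTED_REDIRECT_URL
audit_webapps_auth() {
    dir="$1"
    expected="${2:-}"
    missing=0

    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 2
    fi

    # A renamed or deleted file is how the page says authentication is removed.
    for f in $AUTH_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            missing=1
        fi
    done
    [ "$missing" -eq 0 ] || return 1

    if [ -n "$expected" ]; then
        # Pull the first quoted value that follows the "redirectUrl" key.
        actual=$(sed -n 's/.*"redirectUrl"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
                 "$dir/webapps_authn.json" | head -n 1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: redirectUrl is '$actual', expected '$expected'"
            return 3
        fi
    fi

    echo "OK: authentication files present in $dir"
    return 0
}

# Run directly: ./audit.sh CONFIG_DIR [EXPECTED_REDIRECT_URL]
if [ "$#" -gt 0 ]; then audit_webapps_auth "$@"; fi
```

Running this from a scheduled job or a post-deployment check turns an accidental rename of these files into an alert rather than a silently open server.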
See Also
Topics
- MATLAB Web App Server on Amazon Web Services
- Authentication
- Configure MATLAB Web App Server License for Use on the Cloud
- Manage MATLAB Web App Server on AWS Using Admin Portal