Configure Authentication for MATLAB Web App Server on AWS
After you deploy the MATLAB®
Web App Server™ reference architecture in Amazon® Web Services and configure licensing in the cloud, configure authentication for
the server. Starting in R2025a, user authentication is administered through Keycloak. Keycloak
is a cloud native solution that provides authentication, authorization, and user management
for applications and services. You can configure authentication using Keycloak or directly
using LDAP or OIDC and the webapps_authn.json file.
For information on deploying the reference architecture on AWS®, see MATLAB Web App Server on Amazon Web Services. For information on setting up your MATLAB Web App Server license for use in the cloud, see Configure MATLAB Web App Server License for Use on the Cloud.
Use Keycloak
Note
If the EC2 instance that hosts the server uses private IP addresses, you can connect to the Keycloak administration portal from a VM that belongs to the same virtual private cloud (VPC) as the EC2 instance.
In the Stack details for your stack, click the Outputs tab.
Look for the key named KeycloakUrl and click the corresponding URL
listed under value. This opens the administration portal for your
Keycloak server instance.
The first time you access the Keycloak administration portal, you can log in using the following information:
| Username | admin |
| Password | admin |
You can set up user authentication directly through Keycloak or federate with a third party identity provider. For more information on integrating identity providers with Keycloak, see the Keycloak documentation.
Users and Groups
The default Keycloak configuration includes a set of three users, each belonging to one or more groups.
| User | Group Membership | Permissions |
|---|---|---|
matlab-webapps-admin |
|
|
|
|
|
|
|
|
The default password for each user is the same as the username. For instance, the
default password for the admin account is matlab-webapps-admin. Add
or modify groups and users as needed through your authentication provider.
You can configure user app access through the admin portal. For details, see Manage MATLAB Web App Server on AWS Using Admin Portal.
Update Keycloak Certificate
To update the certificate and key used by Keycloak, connect to the server machine.
Then, update the following files in /MathWorks/Keycloak/data/tls:
keycloak.crt
keycloak.pem
keycloak.ca
Restart the server for changes to take effect.
Use LDAP or OIDC
Note
If the EC2 instance that hosts the server uses private IP addresses, you can connect to the EC2 instance from a VM that belongs to the same virtual private cloud (VPC) as the EC2 instance.
As an alternative to using Keycloak, you can configure authentication manually using Lightweight Directory Access Protocol (LDAP) or OpenID Connect (OIDC).
To set up manual authentication, connect to the EC2 instance hosting MATLAB
Web App Server using Remote Desktop or SSH. For details, see MATLAB
Web App Server on Amazon Web Services on GitHub®. Then, edit the file named webapps_authn.json located in
the config/webapps_private folder. The format for
webapps_authn.json depends on whether you are using LDAP or OIDC for
authentication. For details, see Authentication.
For the redirectUrl, use the URL created as part of your stack.
In the AWS management console, select the stack you deployed.
In the Stack details for your stack, click the Outputs tab.
Look for the key named MATLABWebAppServerOIDCRedirectUrl and copy the corresponding URL listed under value. Use this URL in the webapps_authn.json file.
Remove Authentication
Caution
Web apps hosted on a server with no authentication are accessible to the open internet.
To remove all authentication from the server and permit open access, connect to the
server machine. Then, rename or delete the following files in
/local/MathWorks/webapps/:<release>/config/webapps_private
webapps_authn.json
webapps_app_roles.json
webapps_acc_ctl.json
Restart the server for changes to take effect. You can restart the server using
webapps-restart. To re-enable authentication, restore the files to
config/webapps_private.
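The check below is an added example, not MathWorks code. It audits a config/webapps_private folder for the conditions described in Use LDAP or OIDC and Remove Authentication: authentication files that are missing or renamed, and a redirectUrl that differs from the stack output value. The function names, finding labels, and the world-writable permission check are assumptions of this example; redirectUrl is searched for at any depth because the file schema is not shown on this page.

```python
import json
import stat
from pathlib import Path

# File names from this page; renaming or deleting them removes authentication.
AUTH_FILES = ("webapps_authn.json", "webapps_app_roles.json", "webapps_acc_ctl.json")


def find_key(node, key):
    """Yield every value stored under `key` at any depth of parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)


def audit_auth_config(private_dir, expected_redirect=None):
    """Return findings for a config/webapps_private folder (empty list = clean)."""
    private_dir = Path(private_dir)
    findings = []
    for name in AUTH_FILES:
        path = private_dir / name
        if not path.is_file():
            # A renamed copy (for example name.bak) points to a deliberate rename.
            renamed = sorted(p.name for p in private_dir.glob(f"*{name}*") if p.name != name)
            note = f" (renamed copy: {renamed[0]})" if renamed else ""
            findings.append(f"MISSING {name}{note}")
            continue
        # Assumption of this example: nobody but the owner/group should edit these files.
        if path.stat().st_mode & stat.S_IWOTH:
            findings.append(f"WORLD-WRITABLE {name}")
    authn = private_dir / "webapps_authn.json"
    if authn.is_file():
        try:
            config = json.loads(authn.read_text(encoding="utf-8"))
        except ValueError:
            findings.append("INVALID-JSON webapps_authn.json")
        else:
            # Compare each redirectUrl with the value copied from the stack Outputs tab.
            for url in find_key(config, "redirectUrl"):
                if expected_redirect and url != expected_redirect:
                    findings.append(f"REDIRECT-MISMATCH {url}")
    return findings
```

Pass the folder path and, for OIDC, the MATLABWebAppServerOIDCRedirectUrl value from the stack outputs; any MISSING finding means the files required for authentication are not all in place.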