Where is the custom protocol mapper in Keycloak 20.0.2? - keycloak

I'm upgrading my Keycloak from 16 to 20.
In 16 I could use this screen to add a custom mapper.
In 20.0.2 I can't find this form in the admin panel. There is a Client scopes tab for each client, and it has an add button. But it does not allow me to define my custom mapper. It just adds predefined mappers.
Where is that form?
How can I add a custom mapper to a client in Keycloak 20.0.2?

IMO the old UI was a bit more intuitive in this regard. With the new one you need to:
Go to your Realm
Go to Clients and click on your client
Switch to 'Client Scopes'
Under 'Assigned client scope', click on your client-id-dedicated:
Then you get to the following menu:
Click on 'Configure a new Mapper', then select 'User Attribute', and you get something as follows:

Related

How to add dedicated scope to Keycloak via kcadm

I'd like to add dedicated scopes to a client so that it can access information from other clients.
Turning full access on works but grants too many permissions.
The scopes are already created with their respective clients. It is “only” a matter of assigning scope from client a to client b. I have a list of names and client ids available locally. How can I efficiently assign them via kcadm.sh?
I already tried with the network tab open but I couldn't wrap my head around what the logic behind assigning scopes is.
E.g., there is a
POST /admin/realms/master/clients/968c7b36-95dd-4121-b92b-37b324298890/scope-mappings/realm with an empty array as payload
POST /admin/realms/master/clients/968c7b36-95dd-4121-b92b-37b324298890/scope-mappings/clients/74cb7b05-34d5-4657-8fe6-bb19a7c8a07f from the APIDOC it just says client. But I don't know what that client should be.
How to reproduce on Keycloak (X) 20.0.3
Login to the Keycloak Admin Console
Click on the client tab
Click createClient
Create client id and click next.
Click save.
On the new client. Click on the upper tab 'Client scopes'.
Click on the first blue item.
Click on the upper tab 'scope' and turn off full scope allowed.
Click assign role and add one of the items.
This is what I want to achieve with the help of the kcadm.sh as clients are added dynamically. You can't even export the client from Actions->Export and Import it again from the UI. Every scope is lost when imported again.
To assign a role from client A to client B, at the bare minimum you need the following REST API call:
POST /admin/realms/<REALM NAME>/clients/<ID OF THE CLIENT>/scope-mappings/clients/<ID OF THE CLIENT where the role comes from>
so in your case /admin/realms/<REALM NAME>/clients/<ID OF CLIENT B>/scope-mappings/clients/<ID OF CLIENT A>
The payload should be [{"id":"<ID OF ROLE>","name":"<ROLE NAME>"}]
You will need a call to get the id of the client; for that you can call:
GET /{realm}/clients
with clientId as query parameter.
And then you will need a call to get the ID of the role; for that you can use:
GET /{realm}/clients/{id}/roles/{role-name}
where id is the id of the client.
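The call sequence the answer above lists, as an added example that is not part of the post or of Keycloak's own tooling: resolve both clients' internal UUIDs from their clientId, look up the role on client A, switch off "Full scope allowed" on client B (otherwise every role the user holds is still issued in B's tokens, which is exactly the over-grant the question wants to avoid), then POST the scope mapping. The realm name `demo`, the client names `client-a`/`client-b`, the role `read-reports`, the UUIDs and the fake admin API used by `demo()` are all constructed for this example; the equivalent `kcadm.sh` invocations are noted in comments.

```python
"""Assign one client role from client A into client B's token scope over the
Keycloak admin REST API. The HTTP layer is an injectable callable
http(method, path, body) so the logic runs offline against a fake;
urllib_transport() is a real implementation that takes a bearer token."""
import json
import os
import urllib.parse
import urllib.request


def urllib_transport(base_url, token):
    """Real transport: http(method, path, body) -> parsed JSON, or None on 204."""
    def http(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/admin/realms/{path}", data=data, method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None
    return http


def client_uuid(http, realm, client_id):
    """GET /clients?clientId=NAME   (kcadm.sh get clients -r REALM -q clientId=NAME)
    The human-readable clientId is not the UUID the other endpoints expect."""
    q = urllib.parse.quote(client_id, safe="")
    found = [c for c in http("GET", f"{realm}/clients?clientId={q}")
             if c.get("clientId") == client_id]      # insist on an exact match
    if len(found) != 1:
        raise LookupError(f"{client_id!r}: expected one client, got {len(found)}")
    return found[0]["id"]


def client_role(http, realm, uuid, role_name):
    """GET /clients/{uuid}/roles/{role-name}   (kcadm.sh get clients/UUID/roles/NAME -r REALM)"""
    role = http("GET", f"{realm}/clients/{uuid}/roles/{urllib.parse.quote(role_name, safe='')}")
    return {"id": role["id"], "name": role["name"]}  # the shape the scope-mapping POST wants


def grant_client_role_scope(http, realm, target_client, source_client, role_name):
    """Put role `role_name` of `source_client` into the token scope of `target_client`."""
    target = client_uuid(http, realm, target_client)
    source = client_uuid(http, realm, source_client)
    role = client_role(http, realm, source, role_name)
    # With fullScopeAllowed on, every role the user holds is issued in tokens for
    # this client; turn it off so only explicitly mapped roles are issued.
    # (kcadm.sh update clients/TARGET -r REALM -s fullScopeAllowed=false)
    http("PUT", f"{realm}/clients/{target}", {"fullScopeAllowed": False})
    # (kcadm.sh create clients/TARGET/scope-mappings/clients/SOURCE -r REALM -b '[{"id":..,"name":..}]')
    http("POST", f"{realm}/clients/{target}/scope-mappings/clients/{source}", [role])
    return {"target": target, "source": source, "role": role}


def fake_keycloak():
    """Constructed stand-in for a realm 'demo' with clients client-a and client-b."""
    uuids = {"client-a": "aaaa-1111", "client-b": "bbbb-2222"}
    roles = {("aaaa-1111", "read-reports"): {"id": "rrrr-9999", "name": "read-reports"}}
    calls = []

    def http(method, path, body=None):
        calls.append((method, path, body))
        if method == "GET" and path.startswith("demo/clients?clientId="):
            name = urllib.parse.unquote(path.split("=", 1)[1])
            return [{"id": uuids[name], "clientId": name}] if name in uuids else []
        if method == "GET" and "/roles/" in path:
            prefix, role = path.rsplit("/roles/", 1)
            return roles[(prefix.rsplit("/", 1)[1], urllib.parse.unquote(role))]
        return None  # PUT and POST answer 204 No Content
    return http, calls


def demo():
    """Run the whole flow against the fake and return (result, recorded calls)."""
    http, calls = fake_keycloak()
    return grant_client_role_scope(http, "demo", "client-b", "client-a", "read-reports"), calls


if __name__ == "__main__":
    if "KC_URL" in os.environ:   # real run: KC_URL, KC_TOKEN, KC_REALM, KC_TARGET, KC_SOURCE, KC_ROLE
        http = urllib_transport(os.environ["KC_URL"], os.environ["KC_TOKEN"])
        print(grant_client_role_scope(http, os.environ["KC_REALM"], os.environ["KC_TARGET"],
                                      os.environ["KC_SOURCE"], os.environ["KC_ROLE"]))
    else:
        print(demo())
```

The exact-match filter in `client_uuid` matters: the endpoint keys on `clientId`, and a loose match would silently map the role to the wrong client. Disabling full scope before adding the mapping keeps the window in which the client is over-privileged as short as possible.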

Keycloak 'ID' as an Attribute Release to a Client

Could the ID for a user be retrieved to be sent as a SAML attribute to a Client?
Thank you.
I have not worked with SAML before, but I think that what you want can be done by:
Go to the Realm where the client is;
Go to the Client;
Select Mappers;
Click on [Create];
As mapper type choose Javascript Mapper;
In the script type user.id
Fill up the rest accordingly, and click [save];
As pointed out by Jan Garaj in the comments:
Script for Javascript Mapper is (already/still) deprecated feature and
it may be removed in the further Keycloak release.
You can use a User Property Mapper:
Go to the Realm where the client is;
Go to the Client;
Select Mappers;
Click on [Create];
As mapper type choose User Property;
In the Property field type id
Fill up the rest accordingly, and click [save];
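Both the SAML User Property mapper configured above and the User Attribute mapper that the first post adds on the client's dedicated scope are plain ProtocolMapperRepresentations on the client, created with POST /admin/realms/{realm}/clients/{uuid}/protocol-mappers/models. This added example (not code from either post or from Keycloak) builds both representations and posts them; the mapper ids and config keys are Keycloak's own, while the realm `demo`, the client UUID `cccc-3333`, the attribute names and the recording fake used by `demo()` are constructed. `http` is any callable `http(method, path, body)` that performs an authenticated request under `/admin/realms/`.

```python
"""Create SAML and OIDC protocol mappers on a client over the admin REST API.
Using the built-in User Property mapper for `id` avoids the deprecated
script mapper the accepted answer first suggested."""

# Properties the built-in User Property mapper reads straight from the user
# model (subset of the UserModel getters; extend if you need more).
USER_PROPERTIES = {"id", "username", "email", "firstName", "lastName"}
SAML_NAME_FORMATS = {"Basic", "URI Reference", "Unspecified"}


def saml_user_property_mapper(name, user_property, attribute_name, name_format="Basic"):
    """SAML 'User Property' mapper, e.g. the user's id released as attribute 'userId'."""
    if user_property not in USER_PROPERTIES:
        raise ValueError(f"{user_property!r} is not a user property; use a User Attribute mapper")
    if name_format not in SAML_NAME_FORMATS:
        raise ValueError(f"unknown SAML attribute name format {name_format!r}")
    return {
        "name": name,
        "protocol": "saml",
        "protocolMapper": "saml-user-property-mapper",
        "config": {
            "user.attribute": user_property,     # what the console labels "Property"
            "attribute.name": attribute_name,    # name of the emitted SAML attribute
            "friendly.name": attribute_name,
            "attribute.nameformat": name_format,
        },
    }


def oidc_user_attribute_mapper(name, user_attribute, claim_name, json_type="String",
                               in_id_token=True, in_access_token=True, in_userinfo=True):
    """OIDC 'User Attribute' mapper (the choice shown on the dedicated scope in 20.x)."""
    return {
        "name": name,
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",
        "config": {
            "user.attribute": user_attribute,
            "claim.name": claim_name,
            "jsonType.label": json_type,
            # Keycloak stores the boolean switches as the strings "true"/"false"
            "id.token.claim": str(in_id_token).lower(),
            "access.token.claim": str(in_access_token).lower(),
            "userinfo.token.claim": str(in_userinfo).lower(),
        },
    }


def add_mapper(http, realm, client_uuid, mapper):
    """POST the representation; Keycloak answers 201 Created with no body."""
    return http("POST", f"{realm}/clients/{client_uuid}/protocol-mappers/models", mapper)


def demo():
    """Create both mappers against a constructed recording fake; return the calls."""
    calls = []

    def fake_http(method, path, body=None):   # stand-in for the admin API
        calls.append((method, path, body))
        return None

    add_mapper(fake_http, "demo", "cccc-3333",
               saml_user_property_mapper("user id", "id", "userId"))
    add_mapper(fake_http, "demo", "cccc-3333",
               oidc_user_attribute_mapper("department", "department", "department"))
    return calls


if __name__ == "__main__":
    for method, path, body in demo():
        print(method, path, body)
```

The property check is deliberate: `id`, `username` and friends come from the user model and belong in a User Property mapper, while anything stored under the user's attributes map needs the User Attribute mapper; picking the wrong one silently yields an empty assertion.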

Preventing user from modifying their name in Keycloak

In Keycloak, by default, users are able to change their first and last name in the account manager page. However, is it possible to disable this behavior?
Removing both fields in the theme results in those values not being sent and the form failing, and a hand-crafted POST request would defeat this method anyway.
I came across a similar problem and, after reading this SO post, came to know that although you can disable/hide fields in the ftl, you cannot disable form validation.
For e.g. I hid the firstname field, but still could not submit. Same was the result with disable as well:
I am not aware of disabling a particular field in some other way. However, there is a workaround in which you can disable the entire account modification flow (the password can still be changed via the Forgot Password option).
By default, account modification is enabled, but you can disable it for a particular realm by going to Realms -> Clients -> Account.
The result of this will be, the account page will be inaccessible:
You can remove the client role 'manage_account' for client 'account'.
In Keycloak, by default, users are able to change their first and last name in the account manager page. Is it possible to disable this behavior?
That can be done out-of-the-box (since Keycloak 14) by using the user profile functionality. First, the preview feature declarative-user-profile has to be enabled. For that start the server with:
--features=declarative-user-profile.
for the Quarkus version, or with
-Dkeycloak.profile.feature.declarative_user_profile=enabled
for the Wildfly version.
Bear in mind that:
Declarative User Profile is Technology Preview and is not fully supported.
After starting the server with the aforementioned option, go to the Keycloak Admin Console and:
Go to the according Realm;
Go to the tab General;
Set User Profile enabled to ON
A new tab named User Profile (top right) will show up; click on it, and a set of configurable attributes will be shown.
Click on firstName, and then go to Permissions
In that section the permissions can be changed, accordingly. For example, if one sets Can user edit? to OFF, then when the user tries to change the firstName field in the account UI, that UI throws the following warning message:
The field First name is read only.
The same configuration can also be applied to the lastName attribute.
For the new Keycloak UI the workflow is exactly the same as the one I have just described. More information about the feature can be found in the official keycloak documentation (link)
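The permission change described above is stored in the realm's user-profile JSON, which the admin API exposes as GET/PUT /admin/realms/{realm}/users/profile (the same document the User Profile tab's JSON editor shows). Doing it there, rather than in the theme, is what closes the hand-crafted POST hole from the question: the server, not the form, refuses the edit. This is an added example, not code from the post or from Keycloak; `DEMO_PROFILE` is a constructed starting profile in that format, not Keycloak's shipped default, and the realm `demo` and the recording fake in `demo()` are constructed too. `http` is any callable `http(method, path, body)` that performs an authenticated request under `/admin/realms/`.

```python
"""Lock firstName/lastName for self-service with the declarative user profile.
kcadm.sh equivalent: get users/profile -r REALM, edit, update users/profile -r REALM -f file."""
import copy

DEMO_PROFILE = {
    "attributes": [
        {"name": "username", "displayName": "${username}",
         "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
        {"name": "email", "displayName": "${email}",
         "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
        {"name": "firstName", "displayName": "${firstName}",
         "required": {"roles": ["user"]},
         "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
        {"name": "lastName", "displayName": "${lastName}",
         "required": {"roles": ["user"]},
         "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
    ]
}


def user_can_edit(profile, attr_name):
    """True if the 'user' role may write the attribute (i.e. self-service edit is open)."""
    for attr in profile["attributes"]:
        if attr["name"] == attr_name:
            return "user" in attr.get("permissions", {}).get("edit", [])
    raise KeyError(attr_name)


def make_read_only_for_users(profile, attr_names, editors=("admin",)):
    """Return a copy where `attr_names` stay visible to users but are editable only by `editors`."""
    profile = copy.deepcopy(profile)
    missing = set(attr_names) - {a["name"] for a in profile["attributes"]}
    if missing:
        raise KeyError(f"profile has no attribute(s) {sorted(missing)}")
    for attr in profile["attributes"]:
        if attr["name"] in attr_names:
            perms = attr.setdefault("permissions", {})
            perms["edit"] = list(editors)
            # keep (or add) read access so the account page still shows the value
            perms["view"] = sorted(set(perms.get("view", [])) | {"admin", "user"})
    return profile


def lock_names(http, realm):
    """Fetch the live profile, lock first/last name, push it back (PUT returns no body)."""
    current = http("GET", f"{realm}/users/profile")
    updated = make_read_only_for_users(current, {"firstName", "lastName"})
    http("PUT", f"{realm}/users/profile", updated)
    return updated


def demo():
    """Run lock_names against a constructed fake admin API; return (profile, calls)."""
    calls = []

    def fake_http(method, path, body=None):
        calls.append((method, path, body))
        return copy.deepcopy(DEMO_PROFILE) if method == "GET" else None

    return lock_names(fake_http, "demo"), calls


if __name__ == "__main__":
    updated, _ = demo()
    for attr in updated["attributes"]:
        print(attr["name"], "user may edit:", user_can_edit(updated, attr["name"]))
```

Read-then-write matters here: PUT replaces the whole document, so editing a stale or hand-typed profile would drop any other attributes or validators already configured in the realm.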
You can use the readonly property to disable email; you can just change the following line:
<input type="text" class="form-control" id="email" name="email" readonly autofocus value="${(account.email!'')}"/>

Get user list from Taleo Connect Client

We're using the Recruiting Taleo (14A) module and I was wanting to pull a list of external and internal users (login, email, internal/external, etc) from Taleo Connect Client (12A).
Does anyone know how to do this? Or where to pull the data from? Thanks
I believe the entity you are looking for is Candidate. Taleo Connect Client has a built in template for exporting candidates, which includes usernames and email addresses.
Open Taleo Connect Client and select File → New → New Export Wizard.
Click the Product dropdown and select your Taleo product version.
In the list of entities, select Candidate.
Under the Template section, select Create export from a template.
Click the Template dropdown and select Standard Candidate export (CSV-ENTITY).
Click Finish to create your new export.
Note: The candidate export template for Recruiting Taleo 14A appears to be based on Recruiting 10.0.1. This can be fixed either by creating an export without a template, or by changing productCode="PRO1001" to productCode="RC1401" in the source file.
You can customize your export's projections and filters to suit your needs. Alternatively, if you don't want to start from a template, you can create a new export instead.
Once your export is saved, you can run it by creating a new configuration.
Open File → New → New Configuration Wizard.
Select Based on an export specification.
Click the three dots ... next to File and select your export.
Click Next to move to the next page.
Select your Taleo Endpoint, then click Finish.
Save & run your configuration.

How to send email when user is created from BCC ATG?

On creation of new external user from ATG BCC, I need to include some logic like encrypting password and sending email to user. Achieved this functionality by extending GSAPropertyDescriptor class and overriding its getPropertyValue(RepositoryItemImpl pItem, Object pValue) method.
Problem is, this method is getting called only when we click on create button from "General" tab present in users section, but not on click of same create button from other tabs like "Commerce", "Orgs & Roles", "User Segments" and "Advanced".
Please suggest!!
It is not a good idea to override getPropertyValue of an item for this implementation. The right way to do this is to work with the formhandler that is responsible for saving the user. It is a bit tricky to find this formhandler. It will be in the atg/web/viewmapping/ViewMappingRepository/ of the BCC instance. In this repository there will be lots of formhandlers configured for different purposes. You have to pick the one relevant for the user edit. Here is an example of what you might find there:
With this, you go to the appropriate Formhandler, like /atg/web/assetmanager/editor/profile/UserFormHandler mentioned here, and override that component in your module with your own implementation. Once that is done, you'll have control of the action. You can do your work and pass control on to the super class (the original implementation).
Regards,
Jags