I am using Keycloak 9.0.3 with a LDAP-user federation, with edit mode = WRITABLE and Import Users = on.
I am developing a spring boot application that should call the Keycloak REST API to create, update, delete users and groups in LDAP. I also created "group-ldap-mapper" in my user federation to map LDAP-Groups to Keycloak-Groups and vise-versa.
My requirement is to create and delete Keycloak-groups via the REST API and they get mapped to groups in LDAP using the mapper above. When my application calls POST /{realm}/groups Keycloak just creates the group in Keycloak-DB and does not synchronise to LDAP unless the group gets assigned to some user. This is actually not a big problem.
The real problem is when my application deletes the group via DELETE /{realm}/groups/{id}. The groups gets deleted from the Keycloak-DB but not from LDAP.
An acceptable workaround would be to call POST /{realm}/user-storage/{parentId}/mappers/{id}/sync which synchronises the Groups and does the job.
The problem in this workaround, that there is no way to get the federation mapper id ({id}) other than hardcoding it in the spring application. There is no REST-Call to retrieve this id programatically.
Any idea how to solve this?
I figured out how to find the ids of the federation and the group-ldap-mapper programatically to use them in the call POST /{realm}/user-storage/{parentId}/mappers/{id}/sync.
One can call GET /{realm}/components. This returns among other things federation and mappers. In my case I could find the federation id from the UserRepresentation and then I used it to filter the components (parent={federation id}). According to documentation there is also a type Query, but I could not figure out the right value.
Related
I am stuck in the following problem, has anyone faced the same?
I have got two services using apollo-server with graphql using mongodb:
Group service
User service
Group service contains “users” which will be resolved from User service.
Need to pass user while creating group, is it possible to check whether that user exist or not in User service before creating group in Group Service?
or any other way?
If each micro-service has its own mongo database, I would recommend storing users in the Group service as well. It does not need to have all the user information (in fact it probably should not), just the ID would be sufficient.
Otherwise the solution would be to call the Users micro-service from the Ground micro-service, although ideally micro-services should not rely on each other.
Consider the following scenario: you have a SSO service (let's say Keycloak), and X applications, that have their own databases, where somewhere in each database, you're referencing a user_id. How to handle this? How to satisfy the foreign constrain problem? Should one synchronise Keycloak, and the applications? How? What are some best practices? What are some experiences?
I've been using Keycloak for several years, and in my experience there are several scenarios regarding synchronizing user data between Keycloak
and your application's database :
Your application is the owner of the user data.
Keycloak is only used for authentication/authorization purposes. In this scenario, your application creates/updates a keycloak user using the admin rest API when needed.
Keycloak is the owner of the user data and you don't need more info than the userid in your database.
In this scenario everything regarding users could be managed by Keycloak (registration, user account parameters, even resource sharing using the authorization services).
Users would be referenced by userid in the database when needed.
NB: You can easily add custom data to the user in Keycloak using the user attributes but one interesting possibility is to extend the user model directly using this : https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
Keycloak is the owner of the user data and you need more than just the user id (email, firstname, etc)
If performance is not an issue, you could retrieve user info via the Admin Rest API when needed.
If performance is an issue you'll need a copy of Keycloak's user data in your app's database, and you would want that copy to be updated on every user changes.
To do that you could implement callbacks in keycloak (using SPIs: https://www.keycloak.org/docs/latest/server_development/index.html#_events), that will notify your application when an user is created/updated.
NB : You could also use a Change Data Capture tools (like Debezium: https://debezium.io/) to synchronize Keycloak's database with yours.
There's pros and cons to each scenario, you'll have to choose the one which better suits your needs :)
I wanted to capture user attributes coming from SAP IDP(Identity & Authentication tenant service like department,salutation ,company etc ,via UserAccessor SDK api,but although those attributes are set and has value in IDP user and all the integration with IDP and sub account is in place post authentication ,user attributes object is empty ,i am only able to retrieve specific attributes like first names ,last name,email address ,user groups etc via JWT and UserAccessor api ,but no luck with other attributes ,in IDP i have mentioned these attributes as well under assertion attributes in SAP Identity authentication tenant .
Please guide and help in this matter .
Thanks Siddharth
Update: As we have now identified the problem, I will update my answer to reflect that. The original answer below is outdated:
Okay so the problem is that you haven't mapped any additional user attributes from your Identity Provider (IdP) to your JWT. As far as I'm aware there are three things you will need to do:
You need to create attributes in your xs-security.json (the file you used to configure your XSUAA service instance). This documentation should explain how to do that.
You need to configure which attributes are exposed by your IdP (in your case the SAP Identity & Authentication service. This documentation looks like a good place to start looking).
You need to map the attributes exposed by your IdP to the attributes defined in your xs-security.json. You will probably need to reconfigure (i.e. delete, recreate and rebind) your XSUAA service instance with the updated config, before you can do this step. Then, navigate to your application in the Cloud Platform Cockpit, from the left toolbar click "Security > Roles" and create your mapping.
Let me know if this works for you!
Original Answer:
As far as I'm aware the default IdP does not support SAML. Without SAML, I'm not sure whether you can propagate any attributes from your IdP into the JWT.
Please also check out this discussion for more information.
I'm investigating a migration process from a legacy system into keycloak. Based on some of the ideas here: https://github.com/Smartling/keycloak-user-migration-provider we're looking to create user accounts in keycloak at the point of login by looking up user credentials from some dedicated endpoints on our legacy system.
As part of this, I need the user ID to remain the same as it was in the legacy system.
Is it possible to create a user with a specified ID rather than relying on keycloak to auto-generate it?
Running into this issue when attempting to create users via the API, I looked into the code for the users service. It looks like it is currently not possible to set the user id due to how the user is created.
From the code in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java specifically on line https://github.com/keycloak/keycloak/blob/7cfe6addf01676939206e034a87c791460031032/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L115 the user is first created using the username, then updated. I believe id is not an updatable field. Thus it is not currently possible.
Checking the api I see it is now possible to add an optional "id" field in the userRepresentation object that you pass to create a new user in keycloak.
Find more information here: https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_userrepresentation
I am trying to find rest api which will tell me who is owner or admin of group using openAM restAPI.
Is this scenario valid by openAM? OR it does not support any such API .I am trying to dig documents of openAM till date but no luck yet.
Can anyone suggest if there is any API.
After going through docs in more details of openAM and looking at default openDJ schema i got to know there is attribute named owner. This attribute can be used for groups while creating them. But before i use this attribute i need to add to openAM through openAM console i.e configure the DATA Store in openAM and add the group attribute "owner". Now from my application through rest calls i set this "owner" attribute while creating group. SO i can see now who created the group information.
I have detail steps on this, if still anser is not clear let me know i can help here more.