Morning SO,
This may be a really silly question - but I have recently inherited the caretaker role for SCM and have to try to cheat my way through.
I can add new users to SCM, but my team and I are all of type "ActiveDirectory" whilst new users all default to "xml"...
How can I change these types?
The user type depends on the authentication solution you use. The default way is the "xml" type, which means a local user. You can manage them through SCM-Manager's user control. Users from an external authentication provider like LDAP or Active Directory are automatically created by their first successful login attempt to SCM-Manager.
You can't and don't need to create users from an external authentication provider manually. To assign a group to a new user or to define a special permission, you can type the expected username into the free text field of the group/permission control.
I have 2 Keycloak instances:
KC1 which is the main Keycloak for my app
KC2 which acts as an IDP (linked to KC1 via SAML protocol)
I'm trying to retrieve user info (email, name and roles, mainly) in KC1 whenever an SSO user (from KC2) connects to my app. As far as I understand this should be done via IDP mappers.
I tried creating multiple ones with the "Attribute Importer" type with no success. The main problem is that the attribute name fields are just textboxes. I don't know where to look to get the correct value I should enter here. For instance, for email I tried multiple things like "email", "emailAddress", "mail", etc. (with all possible cases, i.e. all uppercase, all lowercase, camelcase, etc.) but this is just guesswork.
Is there a table somewhere telling what we should enter here? Or at least some way to see what is being sent in the claims (everything is very auto-magic so it's hard to know what's going on under the hood).
The documentation (https://www.keycloak.org/docs/latest/server_admin/index.html#_mappers) mentions that you can put the log level to debug to see the claims. Couldn't see them personally, so not sure about that.
Edit: found the problem for basic info (I had to create client scopes with the correct protocol, in my case SAML, and then bind it in the client on the KC2 side. Then use the SAML attribute name defined in the client scope mapper).
However, I still struggle for the roles. Do I have to create them on the KC1 side as well?
Edit 2: Solved. For future reference, the roles can be found in the access token (not the ID token like basic user info), but they have to be mapped in KC1 to be visible there.
However, I still struggle for the roles. Do I have to create them on the KC1 side as well?
You can't simply import the roles from KC2 directly to KC1. Instead, you have to create the roles that you want in KC1, and in the appropriate IDP configuration section (of KC1) create an External Role to Role Mapper:
Here you map the role that the user has on the external IDP (i.e., KC2) to the one that the user should have in KC1. Do that for every role that you want to map.
For SAML IdP integrations you can try the same idea but using the Advanced Attribute to Role mapper:
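To check that the mapped roles actually arrive as the asker's "Edit 2" describes (in the access token, not the ID token), here is an added inspection helper; it is not code from the original post or from the Keycloak project. The sample token, the realm URL and the client id "my-app" are constructed placeholders, and the helper does not verify the signature, so it is a debugging aid for looking at claims, not something to base authorization on.

```python
import base64
import json

# Added example, not code from the original post or the Keycloak project.
# It decodes the payload of a Keycloak-issued access token to show where
# mapped roles appear. No signature check is done here: use this only to
# inspect claims while debugging mappers, never for authorization decisions.

def _b64url_decode(segment):
    """JWT segments omit base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the payload (second segment) of a compact JWT as a dict."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def keycloak_roles(claims, client_id=None):
    """Realm roles sit under realm_access.roles; client roles under
    resource_access.<client_id>.roles. Missing sections yield empty lists."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = []
    if client_id is not None:
        client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return {"realm": list(realm), "client": list(client)}

def _example_token(payload):
    """Constructed token for the demo: RS256 header with a placeholder
    signature segment, so the structure matches a real Keycloak token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}) + "." + enc(payload) + ".sig"

# Constructed sample: what KC1 might issue after the IDP role mappers ran.
SAMPLE_ACCESS_TOKEN = _example_token({
    "iss": "https://kc1.example/auth/realms/app",   # placeholder issuer
    "sub": "subject-placeholder",
    "preferred_username": "alice",
    "realm_access": {"roles": ["offline_access", "app-editor"]},
    "resource_access": {"my-app": {"roles": ["viewer"]}},
})

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_ACCESS_TOKEN)
    print(keycloak_roles(claims, client_id="my-app"))
```

If a role you mapped is missing from `realm_access` or `resource_access`, the mapper in KC1 did not fire; compare against the ID token to confirm it is only the access token that carries roles.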
I want to use custom claims in my Firestore security rules but I read that they can apparently be overwritten by users:
However, if the same custom user claims are defined on a user signed in via custom authentication, the overlapping claims defined in the custom token have higher priority and always overwrite the custom user claims defined on a user via this API.
https://firebase.google.com/docs/auth/admin/custom-claims
Which defeats the purpose, so I guess I must be missing something?
EDIT: moved extra question to another post
A user cannot set custom claims on their own account. The only way to set custom claims on a user profile is through the Admin SDK, which requires that you have access to the project credentials of the Firebase project, something only collaborators on that project do.
I'm investigating a migration process from a legacy system into keycloak. Based on some of the ideas here: https://github.com/Smartling/keycloak-user-migration-provider we're looking to create user accounts in keycloak at the point of login by looking up user credentials from some dedicated endpoints on our legacy system.
As part of this, I need the user ID to remain the same as it was in the legacy system.
Is it possible to create a user with a specified ID rather than relying on keycloak to auto-generate it?
Running into this issue when attempting to create users via the API, I looked into the code for the users service. It looks like it is currently not possible to set the user id due to how the user is created.
From the code in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java specifically on line https://github.com/keycloak/keycloak/blob/7cfe6addf01676939206e034a87c791460031032/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L115 the user is first created using the username, then updated. I believe id is not an updatable field. Thus it is not currently possible.
Checking the API I see it is now possible to add an optional "id" field in the userRepresentation object that you pass to create a new user in keycloak.
Find more information here: https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_userrepresentation
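An added example of using that optional "id" field through the Admin REST API (not code from the answer above or from the Keycloak project): it obtains a service-account token and creates the user with the legacy id carried over. The base URL, realm, client credentials and legacy record are placeholders, the `http` parameter is an injectable transport so the calls can be exercised without a server, and on Keycloak releases before 17 the base URL must include the "/auth" prefix.

```python
import json
import urllib.parse
import urllib.request

# Added example, not code from the Keycloak project. Creates a user via the
# Admin REST API while supplying UserRepresentation.id so the Keycloak user id
# equals the legacy system's id (Keycloak 5.0+ accepts "id" on create).

def _http(method, url, headers, body):
    """Default transport; returns (status, response bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()

def get_admin_token(base_url, client_id, client_secret, http=_http):
    """Client-credentials grant against the master realm (a confidential
    client with a service account that holds the manage-users role)."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    status, raw = http("POST", f"{base_url}/realms/master/protocol/openid-connect/token",
                       {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return json.loads(raw)["access_token"]

def build_user_representation(legacy_user):
    """Map a legacy record onto UserRepresentation, carrying the id over."""
    return {
        "id": legacy_user["id"],           # optional; omit to let Keycloak generate one
        "username": legacy_user["username"],
        "email": legacy_user.get("email"),
        "enabled": True,
        "emailVerified": legacy_user.get("email_verified", False),
    }

def create_user(base_url, realm, token, legacy_user, http=_http):
    """POST the representation. 201 = created; 409 = id or username already taken,
    which a migration-at-login flow should treat as 'already migrated'."""
    body = json.dumps(build_user_representation(legacy_user)).encode()
    status, _ = http("POST", f"{base_url}/admin/realms/{realm}/users",
                     {"Authorization": f"Bearer {token}",
                      "Content-Type": "application/json"}, body)
    if status == 409:
        raise ValueError(f"user {legacy_user['id']!r} or its username already exists")
    if status != 201:
        raise RuntimeError(f"user creation failed with HTTP {status}")
    return legacy_user["id"]
```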
I'm working with Shopware.
I've added a new attribute "proxy" to the s_core_auth table for each user in order to show the ability to get access to the Customer Module in the backend, so that if a user is not selected as "proxy" he/she won't be able to make changes in that module.
I need help to understand what I need to write in my plugin's code (maybe having only a Subscriber file.)
I'll be very grateful!
Adding a custom column to the s_core_auth table is not a good idea. What you're trying to achieve can be done with user groups and group rights. From the Shopware Documentation:
With User administration you are able to create new users in the backend and control access rights to areas, modules and plugins in accordance with certain group policies that you define per ACL (Access Control List). Within the ACL you have the possibility to control precisely which user is able to perform which activity. Thus, it is possible to assign certain reader rights to an administration group without granting them authorization to edit or delete.
You can find instructions for User administration inside the Documentation.
I'm using Typo3 6.2 and I have added a user account (backend user). When I now login with this new user I get the error message "no module found". When I login again with my admin account everything is fine. How can I fix this?
You have probably created an unprivileged user (editor). You need to explicitly give users access to
Backend modules
Subtrees of the page tree
Folders
Tables
and so on.
To do that, you usually create a backend user group, set the permissions for this group, and assign it to the user.
You can create the group either on the root page (id 0) as record or in the user management module, where you assign the groups to users.
There are two functionalities to make pages visible for users/groups:
You need to add the root of the subtree a group should be able to use to the group as a mount point.
You need to give the group the right to view/edit/delete/update the pages. You can do that as admin in the "Access"-module. It's similar to the Unix owner/group concept.