[keycloak-dev] Sync + federation

Marek Posolda mposolda at redhat.com
Thu Jul 31 07:33:35 EDT 2014


Hi,

at this moment I have sync with LDAP working (one-way sync for importing 
LDAP users into Keycloak). I tested with Active Directory and OpenDS. On 
both I have paginated and also full/partial periodic sync working. Also 
UserFederationProvider seems to be working with Active Directory now!

Pedro mentioned that he will do a timestamped PicketLink release once we 
need it. So far all the LDAP-related issues should be fixed, so I've 
asked him to do one. Let me know if you are aware of more issues.

The question is how to properly incorporate sync with the current 
federation stuff. It looks like both should work together (for example, 
if a customer is going to write his FederationProvider to retrieve data 
from his DB, he will also likely want to sync users from the same DB). 
Also, the sync process would likely need access to the federation 
configuration in UserFederationProviderModel, but some configuration of 
sync will be common to all FederationProviders (for example pagination, 
periods for full/partial sync, etc.). So I wonder if we can add 
properties like this directly into UserFederationProviderModel:

boolean enablePagination;
int pageSize;
long fullSyncPeriod;      // -1 if periodic fullSync should be disabled
long partialSyncPeriod;   // -1 if periodic partialSync should be disabled

And for the admin console UI, we can have some common template which can 
be added into the page of a particular federation provider. For example, 
on federated-ldap.html or federated-generic.html there can be a checkbox 
at the bottom of the page like "enable synchronization of users", and 
when people check it, it will display the other settings (pagination, 
period for full/partial sync, a button to trigger sync directly from the 
admin console, etc.).

Also, I'm not sure how to properly incorporate it into the 
UserFederationProvider API... Actually, UserFederationProvider is 
supposed to be a per-session component, whereas the sync process may 
actually span more session/transaction lifecycles. So adding methods for 
sync directly into UserFederationProvider may not work... I wonder if we 
can have a method on UserFederationProviderFactory:

UserSyncProvider getInstance(KeycloakSessionFactory sessionFactory, 
UserFederationProviderModel model);

And UserSyncProvider being something like this:

public interface UserSyncProvider {
    void syncAllUsers(KeycloakSessionFactory sessionFactory,
                      UserFederationProviderFactory fedFactory, String realmId,
                      UserFederationProviderModel fedModel);
    void syncChangedUsers(KeycloakSessionFactory sessionFactory,
                          UserFederationProviderFactory fedFactory, String realmId,
                          UserFederationProviderModel fedModel, Date lastSync);
}

UserFederationProviderFactory may not be needed though, as it can be 
retrieved from KeycloakSessionFactory + UserFederationProviderModel; it 
is just a convenience, as UserSyncProvider will almost always need it. 
WDYT?

Note that I already have sync working with LDAP, so once we decide on the 
API + configuration and once we have the PicketLink release, I can easily 
incorporate it.

Marek
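As an added illustration of the proposal above (this is not code from the mail or from the Keycloak code base), here is what a customer's UserSyncProvider for a hypothetical JDBC user table could look like if the interface and the UserFederationProviderModel properties were adopted as proposed. It assumes the proposed UserSyncProvider signatures, bean-style getters (isEnablePagination(), getPageSize()) for the proposed properties, and the Keycloak session API of the time (KeycloakSessionFactory.create(), KeycloakSession.getTransaction(), session.realms(), session.users(), UserModel.getFederationLink()/setFederationLink()); the table name app_users, its columns and the jdbcUrl constructor argument are made up for the example. It shows the point about lifecycles concretely: every page is imported in its own KeycloakSession and transaction, so the sync does not hold one long transaction and a failure rolls back only one page.

```java
// Added example, not from the original mail or the Keycloak project.
// ASSUMED: the proposed UserSyncProvider interface and UserFederationProviderModel
// getters, plus the Keycloak session API of mid-2014 (see the lead-in).
package example.federation;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProviderFactory;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;

public class JdbcUserSyncProvider implements UserSyncProvider {

    // Subtracted from lastSync for the partial sync: a row whose 'updated' stamp was
    // assigned just before a slow commit landed (or a small clock skew between the DB
    // and Keycloak) must not be skipped forever. Re-importing a few rows is harmless.
    private static final long OVERLAP_MS = 60_000L;

    private final String jdbcUrl;   // hypothetical; a real provider would read fedModel.getConfig()

    public JdbcUserSyncProvider(String jdbcUrl) { this.jdbcUrl = jdbcUrl; }

    @Override
    public void syncAllUsers(KeycloakSessionFactory sessionFactory, UserFederationProviderFactory fedFactory,
                             String realmId, UserFederationProviderModel fedModel) {
        sync(sessionFactory, realmId, fedModel, "", null);
    }

    @Override
    public void syncChangedUsers(KeycloakSessionFactory sessionFactory, UserFederationProviderFactory fedFactory,
                                 String realmId, UserFederationProviderModel fedModel, Date lastSync) {
        Timestamp since = new Timestamp(lastSync.getTime() - OVERLAP_MS);
        sync(sessionFactory, realmId, fedModel, " AND updated >= ?", since);
    }

    private void sync(KeycloakSessionFactory sessionFactory, String realmId,
                      UserFederationProviderModel fedModel, String extraWhere, Timestamp since) {
        int pageSize = fedModel.isEnablePagination() ? fedModel.getPageSize() : Integer.MAX_VALUE;
        String lastUsername = "";   // keyset cursor: next page holds usernames strictly greater than this
        try (Connection con = DriverManager.getConnection(jdbcUrl)) {
            while (true) {
                List<String[]> page = fetchPage(con, extraWhere, since, lastUsername, pageSize);
                if (page.isEmpty()) break;
                importPage(sessionFactory, realmId, fedModel, page);   // one Keycloak tx per page
                lastUsername = page.get(page.size() - 1)[0];
                if (page.size() < pageSize) break;
            }
        } catch (SQLException e) {
            throw new RuntimeException("sync failed after user '" + lastUsername + "'", e);
        }
    }

    // Keyset pagination (username > cursor) instead of OFFSET: rows inserted or deleted
    // while the sync runs cannot shift the pages and cause users to be skipped or repeated.
    private static List<String[]> fetchPage(Connection con, String extraWhere, Timestamp since,
                                            String after, int pageSize) throws SQLException {
        String sql = "SELECT username, enabled FROM app_users WHERE username > ?" + extraWhere
                   + " ORDER BY username LIMIT ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            int i = 1;
            ps.setString(i++, after);
            if (since != null) ps.setTimestamp(i++, since);
            ps.setInt(i, pageSize);
            List<String[]> rows = new ArrayList<>();
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) rows.add(new String[] { rs.getString(1), String.valueOf(rs.getBoolean(2)) });
            }
            return rows;
        }
    }

    private static void importPage(KeycloakSessionFactory sessionFactory, String realmId,
                                   UserFederationProviderModel fedModel, List<String[]> page) {
        KeycloakSession session = sessionFactory.create();
        session.getTransaction().begin();
        try {
            RealmModel realm = session.realms().getRealm(realmId);
            for (String[] row : page) {
                UserModel user = session.users().getUserByUsername(row[0], realm);
                if (user == null) {
                    user = session.users().addUser(realm, row[0]);
                    user.setFederationLink(fedModel.getId());   // record which provider owns this user
                } else if (!fedModel.getId().equals(user.getFederationLink())) {
                    continue;   // a local user (or another provider's) with the same name: never overwrite it
                }
                user.setEnabled(Boolean.parseBoolean(row[1]));
            }
            session.getTransaction().commit();
        } catch (RuntimeException e) {
            session.getTransaction().rollback();
            throw e;
        } finally {
            session.close();
        }
    }
}
```

Two design choices matter beyond the lifecycle point. The federation-link check keeps a row in the customer's DB from silently taking over a Keycloak-local account that happens to share the username, which is the main way a writable sync can become an account-takeover path. And the overlap on lastSync trades a few redundant imports for never missing an update that committed late; without it a partial sync that stores its own start time as lastSync can lose rows permanently.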