[keycloak-dev] Import users from new User Federation
Bill Burke
bburke at redhat.com
Fri Aug 19 09:59:50 EDT 2016
On 8/19/16 2:38 AM, Stian Thorgersen wrote:
>
>
> On 18 August 2016 at 20:30, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
>
> On 8/18/16 4:59 AM, Stian Thorgersen wrote:
> > Bill,
> >
> > Are you planing to have an option to allow import of users with the
> > new user federation SPI? I'm not convinced we should completely
> remove
> > this option.
> >
>
> The only callback that does not exist in the new SPI is
> validateAndProxy(). With the current federation SPI, the developer
> implements everything themselves for import. There are no
> synchronization APIs/SPIs either.
> > Some use-cases I could imagine:
> >
> > * Allow users to authenticate even if LDAP server is down
> Our current LDAP provider will not work if LDAP is down, even with the
> import :)
>
>
> > * Allow migrating users away from LDAP
>
> We can do anything we want for our LDAP implementation. This doesn't
> mean that the SPI should have special support methods and
> interfaces for
> synchronization and import.
>
>
> I'd say migrating from one provider to the built-in provider (or even
> a different provider) is something that shouldn't be done by the
> provider themselves, but rather some sort of migration manager util.
Are you just talking about LDAP? Then yes, our LDAP adapter could
support it. Read my previous email though...Unless LDAP exposes
passwords and other credentials so that they could be migrated, I'm not
sure how an import would be done.
If you're talking about any arbitrary provider, I'm not sure what we
could offer for migration manager utils as we will have no idea how the
data is stored.
Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160819/8d511f52/attachment.html
More information about the keycloak-dev
mailing list