[keycloak-user] External Username, Password, Email... dataset with Keycloak

Thomas Darimont thomas.darimont at googlemail.com
Wed Jan 27 14:06:46 EST 2016


Hello,

I think it would be helpful if keycloak would store a "note" about where a
user came from in the user model. Cloud Foundry's UAA stores the "origin
system name" (origin) as well as the "origin user id" (externalId) in the
user model.

See:
https://github.com/cloudfoundry/uaa/blob/master/model/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimUser.java#L323

In the UAA case users created by the UAA have the origin set to "uaa" and
externalId to null. Other users have a different origin.

In my federation provider I set custom user attributes origin.name and
origin.id in order to store a reference to the original user account. I
found this very helpful especially during migration / transition phases as
well as for debugging.

Cheers,
Thomas

2016-01-27 19:48 GMT+01:00 Reed Lewis <RLewis at carbonite.com>:

> Scott,
>   Yes that is exactly what I wish to have happen.  If a user is from an
> external IDP do not check the federation provider at all.   The reason for
> this is I might have users in my federation provider who are going to log
> in using external IDP going forward. I wish to have them always use the IDP
> to login now.
>
> I checked your suggestion, and my federation provider gets the account
> name as just the email address, not (idp).email.   For example when it is
> called it comes in as foo at google.com   not google.foo at google.com so that
> will not work.
>
> So I think that there must be changes needed to Keycloak to not check the
> Federation provider if it comes from an external IDP
>
> Thanks,
>
> Reed
>
>
> From: Scott Rossillo <srossillo at smartling.com>
> Date: Wednesday, January 27, 2016 at 1:02 PM
> To: Reed Lewis <RLewis at carbonite.com>
> Cc: Thomas Darimont <thomas.darimont at googlemail.com>, "
> keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>
> Subject: Re: [keycloak-user] External Username, Password, Email...
> dataset with Keycloak
>
> I think that’s a more general question about user account merging so maybe
> one of the core devs can chime in. However, I just want to clarify, you
> don’t want to query the federation provider at all when a user signs in
> with an external IDP, right? In that case, you could modify the
> findByUsername() method to not create a user if the login is with an IDP.
> I’m not sure if it still exists in 1.7+ but the username used to be created
> as idp.email at provider.com where the IDP is the username prefix.
>
> Does that make sense / sufficiently address the use case?
>
> ~ Scott
>
> On Jan 27, 2016, at 12:34 PM, Reed Lewis <RLewis at carbonite.com> wrote:
>
> This is working for me now.  I created a service that listens on a port
> and implements the GET, HEAD and POST requests that are being made.
>
> The one issue now is that integration with other Identity providers does
> not work now since it still calls my server with the username from the
> external provider.    How can I tell Keycloak that when a user comes from
> an external Identity provider not to check the user Federation provider?
>
> Thank you,
>
> Reed Lewis
>
> From: Scott Rossillo <srossillo at smartling.com>
> Date: Friday, January 15, 2016 at 4:42 PM
> To: Thomas Darimont <thomas.darimont at googlemail.com>, Reed Lewis <
> RLewis at carbonite.com>
> Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] External Username, Password, Email...
> dataset with Keycloak
>
> We just put up a blog post[0] and some sample code[1] on how to do this
> type of migration.
>
> [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
> [1]: https://github.com/Smartling/keycloak-user-migration-provider
>
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>
> On Jan 15, 2016, at 11:06 AM, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
> Hello Reed,
>
> as you already wrote, you can write a federation provider that queries your
> backend service via REST for user data.
> Within the federation provider you can then import the user data
> returned from the REST call.
>
> This would work as follows - within the method:
>   org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel,
> String)
> you call your backend REST service.
>
> As a next step you create a new user with the given username
>   UserModel keycloakUser = session.userStorage().addUser(realm, username);
>
> Then you copy all the user data from your backend into Keycloak's
> UserModel.
>
> After that your backend user has a corresponding representation in Keycloak
> with a reference to this federation provider (id) via the
> "userModel.federationLink" property.
>
> The federation link will also be shown in the user page in the Keycloak
> admin console.
> As long as the federation link is in place Keycloak will ask the
> federation provider for the latest user data. Once you decide to cut the
> link to the federation provider you can simply do
> userModel.setFederationLink(null). You could basically cut (or rather
> omit) the federation link right after you added the user to Keycloak.
>
> Keycloak has no link information after that anymore and it will only use
> the user data stored in the Keycloak database for that particular user.
>
> You also have the option to do that for all your users via:
>
> org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory,
> String, UserFederationProviderModel)
> or just use it on demand per user when he / she wants to login for the
> first time.
>
> Cheers,
> Thomas
>
> 2016-01-15 16:16 GMT+01:00 Reed Lewis <RLewis at carbonite.com>:
>
>> Hi,
>>    We are examining KeyCloak (It looks like it can do what we want), but
>> we have the need to have an external lookup of accounts who are not in
>> KeyCloak in an external database which is accessible via a REST call.   I
>> know about federation, but would prefer to only check the external
>> datasource if the user is not in KeyCloak, but from then on have all the
>> data “live” in KeyCloak and never refer to the external datasource again
>> once the account is “migrated” into KeyCloak.
>>
>>
>> Can this be done with some modification of federation?
>>
>> We do not want to add the user accounts directly into KeyCloak as there
>> are many more there than will ever be in KeyCloak.
>>
>> Thank you,
>>
>> Reed Lewis
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
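As an added illustration of the migrate-once flow Thomas describes above (this is not code from the thread, from Keycloak or from the Smartling provider), assuming the Keycloak 1.x UserFederationProvider SPI with the getUserByUsername / addUser / setFederationLink calls named in the thread; BackendClient and BackendUser are a hypothetical wrapper around Reed's REST service, and the remaining SPI methods are left out:

```java
// Added example, not from the original thread. Assumes the Keycloak 1.x
// UserFederationProvider SPI; BackendClient / BackendUser are hypothetical.
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;

public class MigrateOnceProvider /* implements UserFederationProvider; other SPI methods omitted */ {

    private final KeycloakSession session;
    private final UserFederationProviderModel model;
    private final BackendClient backend; // hypothetical REST client for the external user store

    public MigrateOnceProvider(KeycloakSession session, UserFederationProviderModel model,
                               BackendClient backend) {
        this.session = session;
        this.model = model;
        this.backend = backend;
    }

    // Keycloak calls this only when no local user with this username exists yet.
    public UserModel getUserByUsername(RealmModel realm, String username) {
        BackendUser remote = backend.findByUsername(username); // hypothetical; null when unknown
        if (remote == null) {
            // Never create a local account for a name the backend does not know:
            // otherwise any login attempt would mint users in Keycloak.
            return null;
        }

        UserModel user = session.userStorage().addUser(realm, username);
        user.setEnabled(true);
        user.setEmail(remote.getEmail());
        user.setFirstName(remote.getFirstName());
        user.setLastName(remote.getLastName());

        // Thomas's bookkeeping idea: record where the account came from so the
        // original record can still be traced during migration and debugging.
        user.setSingleAttribute("origin.name", model.getDisplayName());
        user.setSingleAttribute("origin.id", remote.getId());

        // Migrate-once: the federation link is deliberately left unset (null), so
        // Keycloak treats the user as purely local from now on and never asks this
        // provider about them again. To keep federating instead, you would call
        // user.setFederationLink(model.getId()) here.
        return user;
    }
}
```

Because the link is never set, an account that was later imported this way will not be re-checked against the REST service, which is also why a user signing in through an external IDP afterwards is served from the Keycloak database alone.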

