[keycloak-user] SSSD providing metadata for external users?

Richard Abdill rabdill at umn.edu
Wed Apr 25 10:47:03 EDT 2018


Hi all, Keycloak newbie here. I'm about 90 percent of the way to having a
configuration that works the way I want it to, but the other 10 percent is
giving me a lot of trouble.

The short version: I am wondering if anyone has found a way to pull
information from SSSD about users who have authenticated using an external
identity provider.

Here's the longer version:

* We have an external identity provider we want to make available to users
logging in via our Keycloak server. This part works exactly as expected.
* We have a local LDAP server with group membership information about those
users. The external IdP doesn't know about these groups, and unfortunately
we are unable to push this information up to it.
* Because the schema is kind of weird in our LDAP installation, this group
information is currently being pulled into Keycloak via the SSSD
integration.
* We need users logging in via the IdP to have the group information from
SSSD included in the assertion passed along to the protected application.

Right now, the workflow to make this happen is spread out over multiple
steps:

1. A user logs in via the Keycloak login page, using credentials
authenticated via SSSD.
2. The first time the user logs in, their user is created in Keycloak, and
their group information is (accurately!) pulled in via SSSD.
3. The user would then log out, eventually return to the Keycloak login
page, and log in via the external identity provider instead. THIS is the
way we want users to log in for the most part.
4. The user would be sent back to Keycloak, which would think it was a new
person until the user specifies the username that was created in step 2.
The two accounts are merged.

So, at the end of this process, a user is able to log in via the external
identity provider, and have their group information pulled from SSSD once
they authenticate. This is possible because they basically created two
accounts and linked them together manually, in step 4 above.

**We are trying to find a way to have that linkage happen automatically.**

The basic flow, in theory, would be that the user logs in for the first
time via the external IdP, and then we would just use SSSD to map groups to
that user. Is that possible? I'm not aware of a way to bulk-import users
from SSSD into Keycloak; is that the part that would be required?

Thanks very much for your time, and for reading all the way to the bottom
here. Looking forward to chatting about it.

Regards,
Rich
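The four-step workflow above (local SSSD login creates the account and its groups, a later IdP login is merged into it by username) can be modelled as a single linking step. The following is an added example, not Keycloak's own code or the poster's: it is a small Python model of a "first broker login" that looks the brokered username up in an SSSD-style directory, links the IdP identity to the existing local account (or creates one), and refreshes the group list from the directory on every login. The directory contents, the `username_verified` flag on the assertion, and all function names are constructed assumptions for illustration; the verified-username check is there because auto-linking on an unverified identifier lets an external account attach itself to someone else's local account, which is the usual reason such linking is manual by default.

```python
"""Model of automatic IdP-to-SSSD account linking (illustrative, not Keycloak code)."""
from dataclasses import dataclass, field


@dataclass
class DirectoryUser:
    """What an SSSD/LDAP lookup would return for one user (constructed)."""
    username: str
    groups: list


@dataclass
class LocalAccount:
    """The Keycloak-side user record (constructed model)."""
    username: str
    groups: list = field(default_factory=list)
    linked_idps: set = field(default_factory=set)


class LinkError(Exception):
    """Raised when the brokered login cannot be safely linked."""


# Constructed sample directory standing in for SSSD group lookups.
DIRECTORY = {
    "rabdill": DirectoryUser("rabdill", ["keycloak-admins", "research"]),
    "jdoe": DirectoryUser("jdoe", ["research"]),
}


def link_brokered_login(store, directory, idp_alias, assertion):
    """Link a login from `idp_alias` to the local account named in `assertion`.

    `store` maps username -> LocalAccount (the accounts Keycloak already has).
    `assertion` is a dict with 'username' and a 'username_verified' flag
    (an assumed attribute: whether the IdP asserts the username authoritatively).
    Returns the LocalAccount whose groups were just refreshed from the directory.
    """
    username = assertion.get("username")
    if not username:
        raise LinkError("assertion carries no username to link on")
    # Refuse to merge on an identifier the IdP does not vouch for: otherwise any
    # external account claiming a local username would inherit its groups.
    if not assertion.get("username_verified", False):
        raise LinkError("refusing to auto-link an unverified username")

    dir_user = directory.get(username)
    if dir_user is None:
        raise LinkError(f"{username!r} is not known to the directory")

    # Reuse the account created by an earlier local (SSSD) login if present,
    # otherwise create it now; either way no second account is made.
    account = store.get(username)
    if account is None:
        account = LocalAccount(username)
        store[username] = account

    account.linked_idps.add(idp_alias)
    # Groups are re-read from SSSD on every login so the assertion stays current.
    account.groups = list(dir_user.groups)
    return account


def assertion_groups(account):
    """Group claims that would go into the assertion for the protected app."""
    return sorted(account.groups)


if __name__ == "__main__":
    accounts = {}
    acct = link_brokered_login(
        accounts, DIRECTORY, "ext-idp",
        {"username": "rabdill", "username_verified": True},
    )
    print(acct.username, assertion_groups(acct), sorted(acct.linked_idps))
```

Run as a script it prints the linked account with its two directory groups; the point of the model is that the first IdP login already yields the SSSD groups without the manual merge in step 4, and that the link is refused when the username is not verified or unknown to the directory.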