<div dir="ltr"><div>Hello, <span class="" style="white-space:pre"> </span></div><div><br></div><div>I think it would be helpful if keycloak would store a "note" about where a use came from </div><div>in the user model. Cloud Foundry's UAA stores the "origin system name" (origin) as well as</div><div>the "origin user id" (externalId) in the user model. </div><div><br></div><div>See:</div><div><a href="https://github.com/cloudfoundry/uaa/blob/master/model/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimUser.java#L323">https://github.com/cloudfoundry/uaa/blob/master/model/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimUser.java#L323</a></div><div><br></div><div>In the UAA case users created by the UAA have the origin set to "uaa" and externalId to null. Other users have a different origin.</div><div><br></div><div>In my federation provider I set custom user attributes <a href="http://origin.name">origin.name</a> and <a href="http://origin.id">origin.id</a> in order to store</div><div>a reference to the original user account. I found this very helpful especially during migration / transition phases as well as for debugging.</div><div><br></div><div>Cheers,</div><div>Thomas</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-01-27 19:48 GMT+01:00 Reed Lewis <span dir="ltr"><<a href="mailto:RLewis@carbonite.com" target="_blank">RLewis@carbonite.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>
<div>Scott,</div>
<div> Yes that is exactly what I wish to have happen. If a user is from an external IDP do not check the federation provider at all. The reason for this is I might have users in my federation provider who are going to log in using external IDP going forward.
I wish to have them always use the IDP to login now.</div>
<div><br>
</div>
<div>I checked your suggestion, and my federation provider gets the account name as just the email address, not (idp).email. For example when It is called it comes in as <a href="mailto:foo@google.com" target="_blank">foo@google.com</a> not <a href="mailto:google.foo@google.com" target="_blank">google.foo@google.com</a> so that will not work.</div>
<div><br>
</div>
<div>So I think that there must be changes needed to Keycloak to not check the Federation provider if it comes from an external IDP</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Reed</div>
<div><br>
</div>
<div>
<div></div>
</div>
</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:12pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>Scott Rossillo <<a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday, January 27, 2016 at 1:02 PM<br>
<span style="font-weight:bold">To: </span>Reed Lewis <<a href="mailto:RLewis@carbonite.com" target="_blank">RLewis@carbonite.com</a>><br>
<span style="font-weight:bold">Cc: </span>Thomas Darimont <<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>>, "<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><div><div class="h5"><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak<br>
</div></div></div><div><div class="h5">
<div><br>
</div>
<div>
<div style="word-wrap:break-word">
I think that’s a more general question about user account merging so maybe one of the core devs can chime in. However, I just want to clarify, you don’t want to query the federation provider at all when a user signs in with external IDP, right? In that case,
you could modify the findByUsername() method to not create a user if the login is with a IDP. I’m not sure if it still exists in 1.7+ but the username used to be created as
<a href="mailto:idp.email@provider.com" target="_blank">idp.email@provider.com</a> where the IDP is the username prefix.
<div><br>
</div>
<div>Does that make sense / sufficiently address the use case?</div>
<div><br>
</div>
<div>~ Scott<br>
<br>
<div>
<blockquote type="cite">
<div>On Jan 27, 2016, at 12:34 PM, Reed Lewis <<a href="mailto:RLewis@carbonite.com" target="_blank">RLewis@carbonite.com</a>> wrote:</div>
<br>
<div>
<div style="word-wrap:break-word;font-size:14px;font-family:Calibri,sans-serif">
<div>
<div>
<div>This is working for me now. I created a service that listens on a port and implements the GET, HEAD and POST requests that are being made.</div>
<div><br>
</div>
<div>The one issue now is that integration with other Identity providers does not work now since it still calls my server with the username from the external provider. How can I tell Keycloak that when a user comes from an external Identity provider
not to check the user Federation provider?</div>
<div><br>
</div>
<div>Thank you,</div>
<div><br>
</div>
<div>Reed Lewis</div>
<div>
<div></div>
</div>
</div>
</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:12pt;text-align:left;border-width:1pt medium medium;border-style:solid none none;padding:3pt 0in 0in;border-top-color:rgb(181,196,223)">
<span style="font-weight:bold">From: </span>Scott Rossillo <<a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>><br>
<span style="font-weight:bold">Date: </span>Friday, January 15, 2016 at 4:42 PM<br>
<span style="font-weight:bold">To: </span>Thomas Darimont <<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>>, Reed Lewis <<a href="mailto:RLewis@carbonite.com" target="_blank">RLewis@carbonite.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap:break-word">
We just put up and blog post[0] and some sample code[1] on how to do this type of migration.
<div><br>
</div>
<div>[0]: <a href="http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/" target="_blank">http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/</a></div>
<div>[1]: <a href="https://github.com/Smartling/keycloak-user-migration-provider" target="_blank">https://github.com/Smartling/keycloak-user-migration-provider</a></div>
<div><br>
</div>
<div><br>
<div>
<div>Scott Rossillo</div>
<div>Smartling | Senior Software Engineer</div>
<div><a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a></div>
<div><br>
</div>
<div><a href="https://app.sigstr.com/uc/55e5d41c6533390d03580000" style="color:rgb(0,75,118);font-family:gesta,Arial,Helvetica,sans-serif;font-size:14px;line-height:20px;background-color:rgb(255,255,255);outline:0px!important" target="_blank"><img alt="Latest News + Events" border="0" style="border:0px;vertical-align:top;max-width:100%;min-height:auto;width:inherit;color:blue;font-family:Helvetica;font-size:12px"></a><span style="color:rgb(169,169,169);font-family:gesta,Arial,Helvetica,sans-serif;font-size:14px;line-height:20px;background-color:rgb(255,255,255)"></span>
<div style="color:rgb(169,169,169);font-family:gesta,Arial,Helvetica,sans-serif;font-size:14px;line-height:20px;background-color:rgb(255,255,255)">
<a href="http://www.sigstr.com/" style="color:rgb(0,124,194);text-decoration:none;background-color:transparent;outline:0px!important" target="_blank"><img alt="Powered by Sigstr" border="0" style="border:0px;vertical-align:top;max-width:100%;min-height:auto;width:inherit;color:rgb(99,99,99);font-family:Helvetica;font-size:11px"></a></div>
</div>
</div>
<br>
<div>
<blockquote type="cite">
<div>On Jan 15, 2016, at 11:06 AM, Thomas Darimont <<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>> wrote:</div>
<br>
<div>
<div dir="ltr">
<div>Hello Reed,</div>
<div><br>
</div>
<div>as you already wrote, you can write a federation provider that queries your</div>
<div>backend service via REST for user data.</div>
<div>Within the federation provider you can then import the user data </div>
<div>returned from the REST call. </div>
<div><br>
</div>
<div>This would work as follows - within the method:</div>
<div> org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String)</div>
<div>you call your backend REST service.</div>
<div><br>
</div>
<div>As a next step you create a new user with the given username</div>
<div> UserModel keycloakUser = session.userStorage().addUser(realm, username);</div>
<div><br>
</div>
<div>Then you copy all the user data from your backend into Keycloak's UserModel.</div>
<div><br>
</div>
<div>After that your backend user has a corresponding representation in Keycloak</div>
<div>with a reference to this federation provider (id) via the "userModel.federationLink" property.</div>
<div><br>
</div>
<div>The federation link will also be shown in the user page in the keycloak admin console.</div>
<div>As long as the federation link is in place keycloak will ask the federation provider </div>
<div>for the latest user data. Once you decide to cut the link to the federation provider you can </div>
<div>simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation</div>
<div> link right after you added the user to Keycloak.</div>
<div><br>
</div>
<div>Keycloak has no link information after that anymore and it will only use the user data stored</div>
<div>in the Keycloak database for that particular user.</div>
<div><br>
</div>
<div>You also have the option to do that for all your users via:</div>
<div> org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel)<br>
</div>
<div>or just use on demand per User when he / she want's to login for the first time.</div>
<div><br>
</div>
<div>Cheers,</div>
<div>Thomas</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-01-15 16:16 GMT+01:00 Reed Lewis <span dir="ltr">
<<a href="mailto:RLewis@carbonite.com" target="_blank">RLewis@carbonite.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;font-size:14px;font-family:Calibri,sans-serif">
<div>Hi,</div>
<div> We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but
would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data “live” in KeyCloak and never refer to the external datasource again once the account is “migrated” into KeyCloak.</div>
<div><br>
</div>
<div><br>
</div>
<div>Can this be done with some modification of federation? </div>
<div><br>
</div>
<div>We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.</div>
<div><br>
</div>
<div>Thank you,</div>
<div><br>
</div>
<div>Reed Lewis</div>
<div><br>
</div>
<div> </div>
<div>
<div></div>
</div>
</div>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</span></div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div></div></span>
</div>
</blockquote></div><br></div>