<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
If you're using Keycloak version 1.7 or later, you can create a new
"firstBrokerLogin" flow and replace the "Create User If Unique"
authenticator with your own implementation. You can create a
subclass of IdpCreateUserIfUniqueAuthenticator and override the method
"<span style="background-color:#e4e4ff;">checkExistingUser</span>" so that it does not
look for the username at the federation provider. It can be done if you
use:<br>
<br>
context.getSession().<b>userStorage()</b>.getUserByUsername(username,
context.getRealm());<br>
<br>
instead of:<br>
<br>
context.getSession().<b>users()</b>.getUserByUsername(username,
context.getRealm());<br>
<br>
Same for email checking.<br>
<br>
In that case if you login with user "john" from external identity
provider, the authenticator won't try to find this "john" user in
your external federation provider, but just in Keycloak DB.<br>
<br>
Is this what you are trying to achieve?<br>
<br>
Btw. As pointed out already, the Keycloak username for a user registered
from an external IDP looks like "google.john" by default. You can
change this behaviour by using an identity provider mapper for the
username, which allows you to change the username template and
remove the broker prefix from it. So Keycloak will treat this
username as "john". In 1.9 we plan to remove the broker prefix by
default and will always just use the username from the broker, because
the "first login flow" added in Keycloak 1.7 allows us to easily
resolve username conflicts. The corresponding JIRA is:
<a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2292">https://issues.jboss.org/browse/KEYCLOAK-2292</a><br>
<br>
Marek<br>
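<br>
The subclass described above, written out as an added example (it is not code from this thread or from the Keycloak project). The class names, the package and the provider id "idp-create-user-if-unique-local" are assumptions; the checkExistingUser() parameter list and the ExistingUserInfo constructor follow the Keycloak 1.7.x sources and should be re-checked against the version actually deployed. The authenticator answers the duplicate question from the local Keycloak store only, for both email and username, so a brokered login never triggers a lookup in a user federation provider:<br>
<br>

```java
// Added example, not part of the mailing-list thread or of Keycloak itself.
// Package, class names and PROVIDER_ID are assumed; the overridden method
// signature matches Keycloak 1.7.x and must be verified for other versions.
package com.example.keycloak.broker;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticatorFactory;
import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Factory registered via META-INF/services/org.keycloak.authentication.AuthenticatorFactory
 * (one line: com.example.keycloak.broker.LocalOnlyCreateUserIfUniqueAuthenticatorFactory).
 * It reuses the parent's configuration metadata and only swaps the id, the label and
 * the authenticator instance.
 */
public class LocalOnlyCreateUserIfUniqueAuthenticatorFactory
        extends IdpCreateUserIfUniqueAuthenticatorFactory {

    public static final String PROVIDER_ID = "idp-create-user-if-unique-local"; // assumed id

    private static final Authenticator INSTANCE = new LocalOnlyCreateUserIfUniqueAuthenticator();

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayType() {
        return "Create User If Unique (local DB only)";
    }

    @Override
    public Authenticator create(KeycloakSession session) {
        return INSTANCE;
    }

    /**
     * Same behaviour as the stock "Create User If Unique" authenticator except that
     * the duplicate check is answered by session.userStorage() (the local JPA/Mongo
     * store) instead of session.users(), which goes through UserFederationManager
     * and would query every configured federation provider for the brokered username.
     */
    static final class LocalOnlyCreateUserIfUniqueAuthenticator
            extends IdpCreateUserIfUniqueAuthenticator {

        @Override
        protected ExistingUserInfo checkExistingUser(AuthenticationFlowContext context,
                                                     String username,
                                                     SerializedBrokeredIdentityContext serializedCtx,
                                                     BrokeredIdentityContext brokerContext) {
            KeycloakSession session = context.getSession();
            RealmModel realm = context.getRealm();

            // Email first, mirroring the parent implementation: a brokered identity
            // whose email already belongs to a local account must not create a second one.
            if (brokerContext.getEmail() != null) {
                UserModel byEmail = session.userStorage().getUserByEmail(brokerContext.getEmail(), realm);
                if (byEmail != null) {
                    return new ExistingUserInfo(byEmail.getId(), UserModel.EMAIL, byEmail.getEmail());
                }
            }

            // Then the username as computed by the broker (prefixed, or mapped, per the mapper config).
            UserModel byUsername = session.userStorage().getUserByUsername(username, realm);
            if (byUsername != null) {
                return new ExistingUserInfo(byUsername.getId(), UserModel.USERNAME, byUsername.getUsername());
            }

            // No local duplicate: returning null lets the parent class create the user.
            return null;
        }
    }
}
```

Package the class in a jar with the services file, drop it into the server's providers, then in the admin console copy the built-in "first broker login" flow, replace the "Create User If Unique" execution with "Create User If Unique (local DB only)", and select the copy as the First Login Flow on the identity provider. One caveat worth keeping in mind: the uniqueness check now cannot see accounts that exist only in the external federation store, so whether a brokered "john" can collide with a federated "john" is decided entirely by the username namespace, i.e. the default "google.john" prefix or whatever the username mapper produces.<br>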
<br>
<br>
On 27/01/16 21:28, Reed Lewis wrote:<br>
</div>
<blockquote
cite="mid:1CAAD48A-2E51-4FE7-AA6A-7A3634B9E5E5@carbonite.com"
type="cite">
<div>
<div>
<div>It looks like no matter which External IDP I use, it
always checks the federation provider also which is not
something that I think wants to be done. Is this a bug in
the Keycloak software? </div>
<div><br>
</div>
<div>So it looks like one cannot do external IDP and
federation at the same time. This should be fixed.</div>
<div><br>
</div>
<div>Reed</div>
<div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Scott Rossillo
<<a moz-do-not-send="true"
href="mailto:srossillo@smartling.com">srossillo@smartling.com</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday,
January 27, 2016 at 1:02 PM<br>
<span style="font-weight:bold">To: </span>Reed Lewis <<a
moz-do-not-send="true" href="mailto:RLewis@carbonite.com"><a class="moz-txt-link-abbreviated" href="mailto:RLewis@carbonite.com">RLewis@carbonite.com</a></a>><br>
<span style="font-weight:bold">Cc: </span>Thomas Darimont
<<a moz-do-not-send="true"
href="mailto:thomas.darimont@googlemail.com">thomas.darimont@googlemail.com</a>>,
"<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
<<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re:
[keycloak-user] External Username, Password, Email... dataset
with Keycloak<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="">
I think that’s a more general question about user account
merging so maybe one of the core devs can chime in. However,
I just want to clarify, you don’t want to query the
federation provider at all when a user signs in with an
external IDP, right? In that case, you could modify the
findByUsername() method to not create a user if the login is
with an IDP. I’m not sure if it still exists in 1.7+ but the
username used to be created as
<a moz-do-not-send="true"
href="mailto:idp.email@provider.com" class="">idp.email@provider.com</a>
where the IDP is the username prefix.
<div class=""><br class="">
</div>
<div class="">Does that make sense / sufficiently address
the use case?</div>
<div class=""><br class="">
</div>
<div class="">~ Scott<br class="">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Jan 27, 2016, at 12:34 PM, Reed Lewis
<<a moz-do-not-send="true"
href="mailto:RLewis@carbonite.com" class="">RLewis@carbonite.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-line-break:
after-white-space; font-size: 14px; font-family:
Calibri, sans-serif;" class="">
<div class="">
<div class="">
<div class="">This is working for me now. I
created a service that listens on a port and
implements the GET, HEAD and POST requests
that are being made.</div>
<div class=""><br class="">
</div>
<div class="">The one issue now is that
integration with other Identity providers
does not work now since it still calls my
server with the username from the external
provider. How can I tell Keycloak that
when a user comes from an external Identity
provider not to check the user Federation
provider?</div>
<div class=""><br class="">
</div>
<div class="">Thank you,</div>
<div class=""><br class="">
</div>
<div class="">Reed Lewis</div>
<div class="">
</div>
</div>
</div>
<div class=""><br class="">
</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="font-family: Calibri; font-size:
12pt; text-align: left; border-width: 1pt
medium medium; border-style: solid none none;
padding: 3pt 0in 0in; border-top-color:
rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From:
</span>Scott Rossillo <<a
moz-do-not-send="true"
href="mailto:srossillo@smartling.com"
class=""><a class="moz-txt-link-abbreviated" href="mailto:srossillo@smartling.com">srossillo@smartling.com</a></a>><br
class="">
<span style="font-weight:bold" class="">Date:
</span>Friday, January 15, 2016 at 4:42 PM<br
class="">
<span style="font-weight:bold" class="">To: </span>Thomas
Darimont <<a moz-do-not-send="true"
href="mailto:thomas.darimont@googlemail.com"
class="">thomas.darimont@googlemail.com</a>>,
Reed Lewis <<a moz-do-not-send="true"
href="mailto:RLewis@carbonite.com" class="">RLewis@carbonite.com</a>><br
class="">
<span style="font-weight:bold" class="">Cc: </span>"<a
moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
class=""><a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a></a>"
<<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
class="">keycloak-user@lists.jboss.org</a>><br
class="">
<span style="font-weight:bold" class="">Subject:
</span>Re: [keycloak-user] External Username,
Password, Email... dataset with Keycloak<br
class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;"
class="">
We just put up a blog post[0] and some
sample code[1] on how to do this type of
migration.
<div class=""><br class="">
</div>
<div class="">[0]: <a moz-do-not-send="true"
href="http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/"
class="">http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/</a></div>
<div class="">[1]: <a moz-do-not-send="true"
href="https://github.com/Smartling/keycloak-user-migration-provider"
class="">https://github.com/Smartling/keycloak-user-migration-provider</a></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<div class="">Scott Rossillo</div>
<div class="">Smartling | Senior
Software Engineer</div>
<div class=""><a moz-do-not-send="true"
href="mailto:srossillo@smartling.com" class="">srossillo@smartling.com</a></div>
<div class=""><br class="">
</div>
<div class=""><a moz-do-not-send="true"
href="https://app.sigstr.com/uc/55e5d41c6533390d03580000"
id="campaignblock" target="_blank"
style="box-sizing: border-box;
color: rgb(0, 75, 118);
outline-offset: -2px; font-family:
gesta, Arial, Helvetica, sans-serif;
font-size: 14px; line-height: 20px;
widows: 1; background-color:
rgb(255, 255, 255); outline: 0px
!important;" class=""><img
moz-do-not-send="true" alt="Latest
News + Events"
src="https://app.sigstr.com/uc/55e5d41c6533390d03580000/img"
style="box-sizing: border-box;
border: 0px; vertical-align: top;
max-width: 100%; height: auto;
width: inherit; color: blue;
font-family: Helvetica; font-size:
12px;" class="" border="0"></a><span
style="color: rgb(169, 169, 169);
font-family: gesta, Arial,
Helvetica, sans-serif; font-size:
14px; line-height: 20px; widows: 1;
background-color: rgb(255, 255,
255);" class=""></span>
<div id="watermark" style="box-sizing:
border-box; color: rgb(169, 169,
169); font-family: gesta, Arial,
Helvetica, sans-serif; font-size:
14px; line-height: 20px; widows: 1;
background-color: rgb(255, 255,
255);" class="">
<a moz-do-not-send="true"
href="http://www.sigstr.com/"
style="box-sizing: border-box;
color: rgb(0, 124, 194);
text-decoration: none;
background-color: transparent;
outline: 0px !important;" class=""><img
moz-do-not-send="true"
alt="Powered by Sigstr"
src="https://app.sigstr.com/uc/55e5d41c6533390d03580000/watermark"
style="box-sizing: border-box;
border: 0px; vertical-align:
top; max-width: 100%; height:
auto; width: inherit; color:
rgb(99, 99, 99); font-family:
Helvetica; font-size: 11px;"
class="" border="0"></a></div>
</div>
</div>
<br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Jan 15, 2016, at
11:06 AM, Thomas Darimont <<a
moz-do-not-send="true"
href="mailto:thomas.darimont@googlemail.com"
class=""><a class="moz-txt-link-abbreviated" href="mailto:thomas.darimont@googlemail.com">thomas.darimont@googlemail.com</a></a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">
<div class="">Hello Reed,</div>
<div class=""><br class="">
</div>
<div class="">as you already
wrote, you can write a
federation provider that queries
your</div>
<div class="">backend service via
REST for user data.</div>
<div class="">Within the
federation provider you can then
import the user data </div>
<div class="">returned from the
REST call. </div>
<div class=""><br class="">
</div>
<div class="">This would work as
follows - within the method:</div>
<div class="">
org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel,
String)</div>
<div class="">you call your
backend REST service.</div>
<div class=""><br class="">
</div>
<div class="">As a next step you
create a new user with the given
username</div>
<div class=""> UserModel
keycloakUser =
session.userStorage().addUser(realm,
username);</div>
<div class=""><br class="">
</div>
<div class="">Then you copy all
the user data from your backend
into Keycloak's UserModel.</div>
<div class=""><br class="">
</div>
<div class="">After that your
backend user has a corresponding
representation in Keycloak</div>
<div class="">with a reference to
this federation provider (id)
via the
"userModel.federationLink"
property.</div>
<div class=""><br class="">
</div>
<div class="">The federation link
will also be shown in the user
page in the keycloak admin
console.</div>
<div class="">As long as the
federation link is in place
keycloak will ask the federation
provider </div>
<div class="">for the latest user
data. Once you decide to cut the
link to the federation provider
you can </div>
<div class="">simply do
userModel.setFederationLink(null).
You could basically cut (or
rather omit) the federation</div>
<div class=""> link right after
you added the user to Keycloak.</div>
<div class=""><br class="">
</div>
<div class="">Keycloak has no link
information after that anymore
and it will only use the user
data stored</div>
<div class="">in the Keycloak
database for that particular
user.</div>
<div class=""><br class="">
</div>
<div class="">You also have the
option to do that for all your
users via:</div>
<div class="">
org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory,
String,
UserFederationProviderModel)<br
class="">
</div>
<div class="">or just use on
demand per User when he / she
want's to login for the first
time.</div>
<div class=""><br class="">
</div>
<div class="">Cheers,</div>
<div class="">Thomas</div>
</div>
<div class="gmail_extra"><br
class="">
<div class="gmail_quote">2016-01-15
16:16 GMT+01:00 Reed Lewis <span
dir="ltr" class="">
<<a moz-do-not-send="true"
href="mailto:RLewis@carbonite.com" target="_blank" class="">RLewis@carbonite.com</a>></span>:<br
class="">
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div style="word-wrap:
break-word; font-size: 14px;
font-family: Calibri,
sans-serif;" class="">
<div class="">Hi,</div>
<div class=""> We are
examining KeyCloak (It
looks like it can do what
we want), but we have the
need to have an external
lookup of accounts that are
not in KeyCloak in an
external database which is
accessible via a REST
call. I know about
federation, but would
prefer to only check the
external datasource if the
user is not in KeyCloak,
but from then on have all
the data “live” in
KeyCloak and never refer
to the external datasource
again once the account is
“migrated” into KeyCloak.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Can this be
done with some
modification of
federation? </div>
<div class=""><br class="">
</div>
<div class="">We do not want
to add the user accounts
directly into KeyCloak as
there are many more there
than will ever be in
KeyCloak.</div>
<div class=""><br class="">
</div>
<div class="">Thank you,</div>
<div class=""><br class="">
</div>
<div class="">Reed Lewis</div>
<div class=""><br class="">
</div>
<div class=""> </div>
<div class="">
</div>
</div>
<br class="">
_______________________________________________<br class="">
keycloak-user mailing list<br
class="">
<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
class="">keycloak-user@lists.jboss.org</a><br
class="">
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer"
target="_blank" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br
class="">
</blockquote>
</div>
<br class="">
</div>
_______________________________________________<br class="">
keycloak-user mailing list<br
class="">
<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
class="">keycloak-user@lists.jboss.org</a><br
class="">
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span></div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</body>
</html>