<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div>
<div><font face="Calibri,sans-serif">I modified the Keycloak code directly in the method you mentioned, recompiled the whole package</font>, and attempted to use it. The issue now is that when I log in using an external Identity provider, and have a User Federation
defined, I still get called in my user federation with the username that is from the IDP. Plus the login screen shows me a screen with “ACCOUNT ALREADY EXISTS” and an option to review the profile info or Link Google with existing account.</div>
<div><br>
</div>
<div>The account does not exist before starting the login process.</div>
<div><br>
</div>
<div>Thank you for all your help in getting this working. I am attempting to use 1.8RC3 BTW.</div>
<div><br>
</div>
<div>Reed</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<div id="MAC_OUTLOOK_SIGNATURE"></div>
</div>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<br>
</div>
<span id="OLK_SRC_BODY_SECTION" style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Marek Posolda <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, January 28, 2016 at 6:12 AM<br>
<span style="font-weight:bold">To: </span>Reed Lewis <<a href="mailto:RLewis@carbonite.com">RLewis@carbonite.com</a>>, Scott Rossillo <<a href="mailto:srossillo@smartling.com">srossillo@smartling.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
If you're using Keycloak version 1.7 or later, you can create a new "firstBrokerLogin" flow and replace the "Create User If Unique" authenticator with your own implementation. You can create a subclass of IdpCreateUserIfUniqueAuthenticator and override the method "<span style="background-color:#e4e4ff;">checkExistingUser</span>"
to not look for the username at the federation provider. It can be done if you use:<br>
<br>
context.getSession().<b>userStorage()</b>.getUserByUsername(username, context.getRealm());<br>
<br>
instead of:<br>
<br>
context.getSession().<b>users()</b>.getUserByUsername(username, context.getRealm());<br>
<br>
Same for email checking.<br>
<br>
In that case if you log in with user "john" from an external identity provider, the authenticator won't try to find this "john" user in your external federation provider, but just in the Keycloak DB.<br>
<br>
Is this what you are trying to achieve?<br>
<br>
Btw. As pointed out already, the Keycloak username for a user registered from an external IDP looks like "google.john" by default. You can change this behaviour by using an identity provider mapper for the username, which allows you to change the username template and remove the
broker prefix from it. So Keycloak will treat this username as "john". In 1.9 we plan to remove the broker prefix by default and we will always just use the username from the broker, because the "first login flow" added in Keycloak 1.7 allows us to easily resolve username
conflicts. The corresponding JIRA is: <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2292">
https://issues.jboss.org/browse/KEYCLOAK-2292</a><br>
<br>
Marek<br>
<br>
<br>
On 27/01/16 21:28, Reed Lewis wrote:<br>
</div>
<blockquote cite="mid:1CAAD48A-2E51-4FE7-AA6A-7A3634B9E5E5@carbonite.com" type="cite">
<div>
<div>
<div>It looks like no matter which External IDP I use, it always checks the federation provider also which is not something that I think wants to be done. Is this a bug in the Keycloak software? </div>
<div><br>
</div>
<div>So it looks like one cannot do external IDP and federation at the same time. This should be fixed.</div>
<div><br>
</div>
<div>Reed</div>
<div></div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Scott Rossillo <<a moz-do-not-send="true" href="mailto:srossillo@smartling.com">srossillo@smartling.com</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday, January 27, 2016 at 1:02 PM<br>
<span style="font-weight:bold">To: </span>Reed Lewis <<a moz-do-not-send="true" href="mailto:RLewis@carbonite.com"></a><a class="moz-txt-link-abbreviated" href="mailto:RLewis@carbonite.com">RLewis@carbonite.com</a>><br>
<span style="font-weight:bold">Cc: </span>Thomas Darimont <<a moz-do-not-send="true" href="mailto:thomas.darimont@googlemail.com">thomas.darimont@googlemail.com</a>>, "<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
<<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="">
I think that’s a more general question about user account merging so maybe one of the core devs can chime in. However, I just want to clarify, you don’t want to query the federation provider at all when a user signs in with external IDP, right? In that case,
you could modify the findByUsername() method to not create a user if the login is with an IDP. I’m not sure if it still exists in 1.7+ but the username used to be created as
<a moz-do-not-send="true" href="mailto:idp.email@provider.com" class="">idp.email@provider.com</a> where the IDP is the username prefix.
<div class=""><br class="">
</div>
<div class="">Does that make sense / sufficiently address the use case?</div>
<div class=""><br class="">
</div>
<div class="">~ Scott<br class="">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Jan 27, 2016, at 12:34 PM, Reed Lewis <<a moz-do-not-send="true" href="mailto:RLewis@carbonite.com" class="">RLewis@carbonite.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-line-break:
after-white-space; font-size: 14px; font-family:
Calibri, sans-serif;" class="">
<div class="">
<div class="">
<div class="">This is working for me now. I created a service that listens on a port and implements the GET, HEAD and POST requests that are being made.</div>
<div class=""><br class="">
</div>
<div class="">The one issue now is that integration with other Identity providers does not work now since it still calls my server with the username from the external provider. How can I tell Keycloak that when a user comes from an external Identity provider
not to check the user Federation provider?</div>
<div class=""><br class="">
</div>
<div class="">Thank you,</div>
<div class=""><br class="">
</div>
<div class="">Reed Lewis</div>
<div class=""></div>
</div>
</div>
<div class=""><br class="">
</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="font-family: Calibri; font-size:
12pt; text-align: left; border-width: 1pt
medium medium; border-style: solid none none;
padding: 3pt 0in 0in; border-top-color:
rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span>Scott Rossillo <<a moz-do-not-send="true" href="mailto:srossillo@smartling.com" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:srossillo@smartling.com">srossillo@smartling.com</a>><br class="">
<span style="font-weight:bold" class="">Date: </span>Friday, January 15, 2016 at 4:42 PM<br class="">
<span style="font-weight:bold" class="">To: </span>Thomas Darimont <<a moz-do-not-send="true" href="mailto:thomas.darimont@googlemail.com" class="">thomas.darimont@googlemail.com</a>>, Reed Lewis <<a moz-do-not-send="true" href="mailto:RLewis@carbonite.com" class="">RLewis@carbonite.com</a>><br class="">
<span style="font-weight:bold" class="">Cc: </span>"<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>" <<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a>><br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="">
We just put up a blog post[0] and some sample code[1] on how to do this type of migration.
<div class=""><br class="">
</div>
<div class="">[0]: <a moz-do-not-send="true" href="http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/" class="">http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/</a></div>
<div class="">[1]: <a moz-do-not-send="true" href="https://github.com/Smartling/keycloak-user-migration-provider" class="">https://github.com/Smartling/keycloak-user-migration-provider</a></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<div class="">Scott Rossillo</div>
<div class="">Smartling | Senior Software Engineer</div>
<div class=""><a moz-do-not-send="true" href="mailto:srossillo@smartling.com" class="">srossillo@smartling.com</a></div>
<div class=""><br class="">
</div>
<div class=""><a moz-do-not-send="true" href="https://app.sigstr.com/uc/55e5d41c6533390d03580000" id="campaignblock" target="_blank" style="box-sizing: border-box;
color: rgb(0, 75, 118);
outline-offset: -2px; font-family:
gesta, Arial, Helvetica, sans-serif;
font-size: 14px; line-height: 20px;
widows: 1; background-color:
rgb(255, 255, 255); outline: 0px
!important;" class=""><img moz-do-not-send="true" alt="Latest
News + Events" src="https://app.sigstr.com/uc/55e5d41c6533390d03580000/img" style="box-sizing: border-box;
border: 0px; vertical-align: top;
max-width: 100%; height: auto;
width: inherit; color: blue;
font-family: Helvetica; font-size:
12px;" class="" border="0"></a><span style="color: rgb(169, 169, 169); font-family: gesta, Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; widows: 1; background-color: rgb(255, 255, 255);" class=""></span>
<div id="watermark" style="box-sizing:
border-box; color: rgb(169, 169,
169); font-family: gesta, Arial,
Helvetica, sans-serif; font-size:
14px; line-height: 20px; widows: 1;
background-color: rgb(255, 255,
255);" class="">
<a moz-do-not-send="true" href="http://www.sigstr.com/" style="box-sizing: border-box;
color: rgb(0, 124, 194);
text-decoration: none;
background-color: transparent;
outline: 0px !important;" class=""><img moz-do-not-send="true" alt="Powered by Sigstr" src="https://app.sigstr.com/uc/55e5d41c6533390d03580000/watermark" style="box-sizing: border-box;
border: 0px; vertical-align:
top; max-width: 100%; height:
auto; width: inherit; color:
rgb(99, 99, 99); font-family:
Helvetica; font-size: 11px;" class="" border="0"></a></div>
</div>
</div>
<br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Jan 15, 2016, at 11:06 AM, Thomas Darimont <<a moz-do-not-send="true" href="mailto:thomas.darimont@googlemail.com" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:thomas.darimont@googlemail.com">thomas.darimont@googlemail.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">
<div class="">Hello Reed,</div>
<div class=""><br class="">
</div>
<div class="">as you already wrote, you can write a federation provider that queries your</div>
<div class="">backend service via REST for user data.</div>
<div class="">Within the federation provider you can then import the user data </div>
<div class="">returned from the REST call. </div>
<div class=""><br class="">
</div>
<div class="">This would work as follows - within the method:</div>
<div class=""> org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String)</div>
<div class="">you call your backend REST service.</div>
<div class=""><br class="">
</div>
<div class="">As a next step you create a new user with the given username</div>
<div class=""> UserModel keycloakUser = session.userStorage().addUser(realm, username);</div>
<div class=""><br class="">
</div>
<div class="">Then you copy all the user data from your backend into Keycloak's UserModel.</div>
<div class=""><br class="">
</div>
<div class="">After that your backend user has a corresponding representation in Keycloak</div>
<div class="">with a reference to this federation provider (id) via the "userModel.federationLink" property.</div>
<div class=""><br class="">
</div>
<div class="">The federation link will also be shown in the user page in the keycloak admin console.</div>
<div class="">As long as the federation link is in place keycloak will ask the federation provider </div>
<div class="">for the latest user data. Once you decide to cut the link to the federation provider you can </div>
<div class="">simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation</div>
<div class=""> link right after you added the user to Keycloak.</div>
<div class=""><br class="">
</div>
<div class="">Keycloak has no link information after that anymore and it will only use the user data stored</div>
<div class="">in the Keycloak database for that particular user.</div>
<div class=""><br class="">
</div>
<div class="">You also have the option to do that for all your users via:</div>
<div class=""> org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel)<br class="">
</div>
<div class="">or just use on demand per User when he / she want's to login for the first time.</div>
<div class=""><br class="">
</div>
<div class="">Cheers,</div>
<div class="">Thomas</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">2016-01-15 16:16 GMT+01:00 Reed Lewis <span dir="ltr" class="">
<<a moz-do-not-send="true" href="mailto:RLewis@carbonite.com" target="_blank" class="">RLewis@carbonite.com</a>></span>:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div style="word-wrap:
break-word; font-size: 14px;
font-family: Calibri,
sans-serif;" class="">
<div class="">Hi,</div>
<div class=""> We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but
would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data “live” in KeyCloak and never refer to the external datasource again once the account is “migrated” into KeyCloak.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Can this be done with some modification of federation? </div>
<div class=""><br class="">
</div>
<div class="">We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.</div>
<div class=""><br class="">
</div>
<div class="">Thank you,</div>
<div class=""><br class="">
</div>
<div class="">Reed Lewis</div>
<div class=""><br class="">
</div>
<div class=""> </div>
<div class=""></div>
</div>
<br class="">
_______________________________________________<br class="">
keycloak-user mailing list<br class="">
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br class="">
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span></div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span><br>
</blockquote>
<br>
</div>
</div>
</span>
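<div>Added example, not code from the thread or from the Keycloak project: Marek's suggested override as a subclass of IdpCreateUserIfUniqueAuthenticator whose checkExistingUser consults only the local store via userStorage(), plus a factory so the authenticator can be picked in a copied firstBrokerLogin flow. The package name, the factory id and the exact checkExistingUser parameter list are assumptions for the 1.7/1.8 API.</div>

```java
package com.example.keycloak; // hypothetical package, not part of Keycloak

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticatorFactory;
import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Replacement for "Create User If Unique" that looks only in the local Keycloak
 * store (userStorage()) instead of the federation-aware users() view, so a
 * brokered login never triggers a lookup (or an import) at the federation provider.
 */
public class LocalOnlyCreateUserIfUnique extends IdpCreateUserIfUniqueAuthenticator {

    @Override
    protected ExistingUserInfo checkExistingUser(AuthenticationFlowContext context, String username,
            SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();

        // Keep the email collision check against the local DB: a local account with
        // the same email must still reach the "account already exists" link/verify
        // step instead of being silently merged with what the external IdP asserted.
        String email = brokerContext.getEmail();
        if (email != null) {
            UserModel byEmail = session.userStorage().getUserByEmail(email, realm);
            if (byEmail != null) {
                return new ExistingUserInfo(byEmail.getId(), UserModel.EMAIL, byEmail.getEmail());
            }
        }
        UserModel byName = session.userStorage().getUserByUsername(username, realm);
        if (byName != null) {
            return new ExistingUserInfo(byName.getId(), UserModel.USERNAME, byName.getUsername());
        }
        return null; // unique locally: the parent class goes on to create the user in the Keycloak DB
    }

    /** Registered via META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory extends IdpCreateUserIfUniqueAuthenticatorFactory {
        public static final String ID = "local-only-create-user-if-unique"; // hypothetical id
        private static final LocalOnlyCreateUserIfUnique SINGLETON = new LocalOnlyCreateUserIfUnique();

        @Override public String getId() { return ID; }
        @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
        @Override public String getDisplayType() { return "Create User If Unique (local store only)"; }
    }
}
```

<div>After deploying the provider, copy the built-in first broker login flow, swap "Create User If Unique" for this authenticator in the copy, and bind the copy as the identity provider's first login flow.</div>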
</body>
</html>