6:20 a.m.
Hello,
in a customer project we use keycloak and need a SCIM (System for
Cross-domain Identity Management) API.
Currently we write a wrapper API and a custom endpoint providing the SCIM
functionality. We wrote a extension of the UserEntity, UserModel and an
extension of the JpaUserProvider.
This strategy seems not ideal and the nicest way is to add this extensions
to Keycloak. This is already suggested in
https://issues.jboss.org/browse/KEYCLOAK-2537
Is anybody out there who can guide me, what coding would be necessary to
contribute the SCIM functionality?
Currently I think we have to:
- extend the UserEntity with all SCIM attributes. This will result
in additional tables/entities for complex attributes e.g. Address, Name,
Email
- extend the UserModel to povide the additional attributes
- implement the new SCIM endpoint /Users
- make the additional attributes available via Admin REST API
/users
- extend views to be able to edit SCIM user attributes using the
web ui
-
- All the above again for the Groups endpoint
This also seem to be major changes. To big for one Pull Request. How do you
like to handle this?
Best regards,
Sebastian
7:04 a.m.
Hello Sebastian,
having scim support built-in keycloak would be awesome!
I'd take a look at other implementations, e.g. the scim support in Cloud
Foundys UAA:
https://github.com/cloudfoundry/uaa/tree/develop/server/src/main/java/org...
There you can see what's involved.
Cheers,
Thomas
Lösch, Sebastian <Sebastian.Loesch(a)governikus.de> schrieb am Mi., 29. Aug.
2018, 13:28:
Hello,
in a customer project we use keycloak and need a SCIM (System for
Cross-domain Identity Management) API.
Currently we write a wrapper API and a custom endpoint providing the SCIM
functionality. We wrote a extension of the UserEntity, UserModel and an
extension of the JpaUserProvider.
This strategy seems not ideal and the nicest way is to add this extensions
to Keycloak. This is already suggested in
https://issues.jboss.org/browse/KEYCLOAK-2537
Is anybody out there who can guide me, what coding would be necessary to
contribute the SCIM functionality?
Currently I think we have to:
- extend the UserEntity with all SCIM attributes. This will result
in additional tables/entities for complex attributes e.g. Address, Name,
Email
- extend the UserModel to povide the additional attributes
- implement the new SCIM endpoint /Users
- make the additional attributes available via Admin REST API
/users
- extend views to be able to edit SCIM user attributes using the
web ui
- …
- All the above again for the Groups endpoint…
This also seem to be major changes. To big for one Pull Request. How do you
like to handle this?
Best regards,
Sebastian
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
5:21 a.m.
Adding additional attributes to user entity is probably not the way to go.
Rather, it would be better for backwards compatibility to simply use
generic key/value attributes which the user entity already has.
Implementing the SCIM endpoints is probably pretty straightforward. Most of
the work will probably be down to testing and documentation.
On Wed, 29 Aug 2018 at 13:28, Lösch, Sebastian <
Sebastian.Loesch(a)governikus.de> wrote:
Hello,
in a customer project we use keycloak and need a SCIM (System for
Cross-domain Identity Management) API.
Currently we write a wrapper API and a custom endpoint providing the SCIM
functionality. We wrote a extension of the UserEntity, UserModel and an
extension of the JpaUserProvider.
This strategy seems not ideal and the nicest way is to add this extensions
to Keycloak. This is already suggested in
https://issues.jboss.org/browse/KEYCLOAK-2537
Is anybody out there who can guide me, what coding would be necessary to
contribute the SCIM functionality?
Currently I think we have to:
- extend the UserEntity with all SCIM attributes. This will result
in additional tables/entities for complex attributes e.g. Address, Name,
Email
- extend the UserModel to povide the additional attributes
- implement the new SCIM endpoint /Users
- make the additional attributes available via Admin REST API
/users
- extend views to be able to edit SCIM user attributes using the
web ui
- …
- All the above again for the Groups endpoint…
This also seem to be major changes. To big for one Pull Request. How do you
like to handle this?
Best regards,
Sebastian
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
1:40 a.m.
Hello Stian,
thank you for your input. Storing additional SCIM attributes as key/value pairs in the
USER_ATTRIBUTE table has two drawbacks:
- Storing of multivalued complex attributes becomes difficult. E.g. the SCIM
phone number type has 4 attributes „value“, „display“, „type“ and „primary“ and each user
may have many phone number objects.
- Searching for users by attributes becomes difficult und maybe has a bad
performance because of the SQL.
Do you still think that’s the preferred way to go?
Best regards,
Sebastian
Von: Stian Thorgersen <sthorger(a)redhat.com>
Gesendet: Montag, 3. September 2018 12:21
An: Lösch, Sebastian <Sebastian.Loesch(a)governikus.de>
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Betreff: Re: [keycloak-dev] SCIM v2 support
Adding additional attributes to user entity is probably not the way to go. Rather, it
would be better for backwards compatibility to simply use generic key/value attributes
which the user entity already has.
Implementing the SCIM endpoints is probably pretty straightforward. Most of the work will
probably be down to testing and documentation.
On Wed, 29 Aug 2018 at 13:28, Lösch, Sebastian
<Sebastian.Loesch@governikus.de<mailto:Sebastian.Loesch@governikus.de>>
wrote:
Hello,
in a customer project we use keycloak and need a SCIM (System for
Cross-domain Identity Management) API.
Currently we write a wrapper API and a custom endpoint providing the SCIM
functionality. We wrote a extension of the UserEntity, UserModel and an
extension of the JpaUserProvider.
This strategy seems not ideal and the nicest way is to add this extensions
to Keycloak. This is already suggested in
https://issues.jboss.org/browse/KEYCLOAK-2537
Is anybody out there who can guide me, what coding would be necessary to
contribute the SCIM functionality?
Currently I think we have to:
- extend the UserEntity with all SCIM attributes. This will result
in additional tables/entities for complex attributes e.g. Address, Name,
Email
- extend the UserModel to povide the additional attributes
- implement the new SCIM endpoint /Users
- make the additional attributes available via Admin REST API
/users
- extend views to be able to edit SCIM user attributes using the
web ui
- …
- All the above again for the Groups endpoint…
This also seem to be major changes. To big for one Pull Request. How do you
like to handle this?
Best regards,
Sebastian
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
5:15 a.m.
It's not ideal, but adding columns for every additional attribute is also
far from ideal. Then there's the issue with backwards compatibility with
regards to user storage providers as that is a supported SPI and the API
needs to remain backwards compatible.
An complicating factor for SCIM will be user storage providers. Attributes,
queries, etc. should all work when there are user storage providers in the
realm. These could be LDAP or a custom implementation.
Queries on attributes shouldn't be to bad as long as the query is written
properly.
On Tue, 4 Sep 2018 at 08:41, Lösch, Sebastian <
Sebastian.Loesch(a)governikus.de> wrote:
Hello Stian,
thank you for your input. Storing additional SCIM attributes as key/value
pairs in the USER_ATTRIBUTE table has two drawbacks:
- Storing of multivalued complex attributes becomes difficult.
E.g. the SCIM phone number type has 4 attributes „value“, „display“, „type“
and „primary“ and each user may have many phone number objects.
- Searching for users by attributes becomes difficult und maybe
has a bad performance because of the SQL.
Do you still think that’s the preferred way to go?
Best regards,
Sebastian
*Von:* Stian Thorgersen <sthorger(a)redhat.com>
*Gesendet:* Montag, 3. September 2018 12:21
*An:* Lösch, Sebastian <Sebastian.Loesch(a)governikus.de>
*Cc:* keycloak-dev <keycloak-dev(a)lists.jboss.org>
*Betreff:* Re: [keycloak-dev] SCIM v2 support
Adding additional attributes to user entity is probably not the way to go.
Rather, it would be better for backwards compatibility to simply use
generic key/value attributes which the user entity already has.
Implementing the SCIM endpoints is probably pretty straightforward. Most
of the work will probably be down to testing and documentation.
On Wed, 29 Aug 2018 at 13:28, Lösch, Sebastian <
Sebastian.Loesch(a)governikus.de> wrote:
Hello,
in a customer project we use keycloak and need a SCIM (System for
Cross-domain Identity Management) API.
Currently we write a wrapper API and a custom endpoint providing the SCIM
functionality. We wrote a extension of the UserEntity, UserModel and an
extension of the JpaUserProvider.
This strategy seems not ideal and the nicest way is to add this extensions
to Keycloak. This is already suggested in
https://issues.jboss.org/browse/KEYCLOAK-2537
Is anybody out there who can guide me, what coding would be necessary to
contribute the SCIM functionality?
Currently I think we have to:
- extend the UserEntity with all SCIM attributes. This will result
in additional tables/entities for complex attributes e.g. Address, Name,
Email
- extend the UserModel to povide the additional attributes
- implement the new SCIM endpoint /Users
- make the additional attributes available via Admin REST API
/users
- extend views to be able to edit SCIM user attributes using the
web ui
- …
- All the above again for the Groups endpoint…
This also seem to be major changes. To big for one Pull Request. How do you
like to handle this?
Best regards,
Sebastian
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2305
days inactive
2311
days old
4 comments
3 participants
participants (3)
-
Lösch, Sebastian -
Stian Thorgersen -
Thomas Darimont