Hi Matthew,
The SSSD federation provider on Keycloak is read-only; this is because
the SSSD D-Bus interface is read-only. In order to do the automatic
provisioning of users from Keycloak to IPA I see two alternatives:
1. Provide a writeable SSSD interface
2. Provide RESTful endpoints on IPA server for it
I'd guess that option 2 would be the easiest path to pursue, but
honestly, I have no clue if there are endpoints for it. I would suggest
first checking if there's any way to provision users on the IPA server
through RESTful endpoints, then taking a look at our documentation
about how to implement a custom provider[1]. We also have some examples
here[2].
Does it help?
[1] - http://www.keycloak.org/docs/latest/server_development/index.html#provide...
[2] - https://github.com/keycloak/keycloak/tree/master/examples/providers/user-...
On 2018-04-04, Matthew Beliveau wrote:
Hello,
I need to write a plug-in to write to a freeIPA server when logging in through Keycloak.
I was looking through the SSSD code on the Keycloak Github to try and find a place where I
could place a plug-in. Although, I am not quite sure where to begin or how to implement
it. It would be great if you could point me in the right direction and give me a couple of
tips to help me begin this process. The goal of the whole effort is to do automatic
provisioning of the users into IPA when Keycloak is used for federation.
My current environment:
Keycloak-A connected to IPA-A with an Apache App connected to the keycloak server and
Keycloak-B connected to IPA-B. I have the Keycloak-A connected to Keycloak-B and I want to
write a user from IPA-B to IPA-A when I try to log into my app with a user from IPA-B.
Where I have already looked:
https://github.com/keycloak/keycloak/pull/3761/files
https://github.com/keycloak/keycloak/blob/master/federation/sssd/src/main...
https://github.com/keycloak/keycloak/blob/master/federation/sssd/src/main...
Any help would be gratefully appreciated.
Thank you,
Matthew Beliveau
--
abstractj