Keycloak datamodel
by Bill Burke
Keycloak is a SaaS in which people can register to create their own realms.
Default Realm:
User
Roles: REALM_CREATOR
Custom RealmAdminRelationship: Attribute: realmId, Attribute: User.
RealmId points to a realm a User has created
SSO Realms:
* A bunch of attributes for the Realm like private/public key stored in
an Agent
* Users
* Roles
* User/RoleMapping
* Custom RequiredCredentialRelationship. Defines the credential types
required by the realm.
* Custom ScopeRelationship. Scope is the same as role mapping, but this
defines an OAuth grant thing. It is the roles a user is allowed to
request permissions for. It is an Attribute of an Agent and a Role.
* Custom ResourceRelationship. A resource is an application that is
managed by the realm. This has Attribute Agent pointing to the Agent of
the realm, various attributes of the resource, and also a String value
pointing to the Tier. I couldn't figure out how to have a hard
relationship to a Tier
Resource (maps to Tier)
* Roles
* User/RoleMapping
* ScopeRelationship
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
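The outline above is easier to reason about as code. The following is an added example, not Keycloak or PicketLink code and not part of the original post: a plain-Java sketch of the realm model with hypothetical type names (RealmModel, Agent, Role, ScopeRelationship, ResourceRelationship). It shows the two points a reviewer would care about: the ScopeRelationship caps what a client may request regardless of what the user holds, and the soft String link from a Resource to its Tier must fail closed when the Tier is missing.

```java
import java.util.*;

/**
 * Plain-Java sketch of the realm / resource / scope model described in the post.
 * All type names are hypothetical; this is neither Keycloak nor PicketLink code.
 * Requires Java 16+ (records).
 */
public class RealmModel {

    /** An Agent is the client application (or the realm itself) that holds keys and talks to the IDM. */
    public record Agent(String id) {}

    /** A Role belongs either to the realm or to a Resource's Tier; owner disambiguates same-named roles. */
    public record Role(String owner, String name) {}

    /** ScopeRelationship: a Role that this Agent is allowed to request on a user's behalf. */
    public record ScopeRelationship(Agent agent, Role role) {}

    /** ResourceRelationship: an application managed by the realm; the Tier link is only a String key. */
    public record ResourceRelationship(Agent agent, String name, String tierName) {}

    private final Map<String, Set<Role>> roleMappings = new HashMap<>();   // User/RoleMapping
    private final Set<ScopeRelationship> scopes = new HashSet<>();
    private final Map<String, ResourceRelationship> resources = new HashMap<>();
    private final Map<String, Set<Role>> tiers = new HashMap<>();          // tierName -> its Roles

    public void grantRole(String user, Role role) {
        roleMappings.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }

    public void addScope(Agent agent, Role role) {
        scopes.add(new ScopeRelationship(agent, role));
    }

    public void addTier(String tierName, Role... roles) {
        tiers.computeIfAbsent(tierName, k -> new HashSet<>()).addAll(Arrays.asList(roles));
    }

    public void addResource(Agent agent, String name, String tierName) {
        resources.put(name, new ResourceRelationship(agent, name, tierName));
    }

    /**
     * The grant decision: a requested role ends up in the token only if (1) the user
     * actually holds it and (2) a ScopeRelationship lets this Agent ask for it.
     * Anything else is dropped, so a client cannot escalate by over-asking.
     */
    public Set<Role> grantedScope(Agent agent, String user, Collection<Role> requested) {
        Set<Role> held = roleMappings.getOrDefault(user, Set.of());
        Set<Role> granted = new LinkedHashSet<>();
        for (Role r : requested) {
            if (held.contains(r) && scopes.contains(new ScopeRelationship(agent, r))) {
                granted.add(r);
            }
        }
        return granted;
    }

    /**
     * Follows the soft String link from a Resource to its Tier. Because it is not a hard
     * relationship, a deleted or renamed Tier leaves a dangling key; fail closed rather than
     * treating "no tier" as "no restrictions".
     */
    public Set<Role> rolesOfResource(String resourceName) {
        ResourceRelationship res = resources.get(resourceName);
        if (res == null) throw new IllegalArgumentException("unknown resource " + resourceName);
        Set<Role> tierRoles = tiers.get(res.tierName());
        if (tierRoles == null) {
            throw new IllegalStateException("resource " + resourceName + " points at missing tier " + res.tierName());
        }
        return Collections.unmodifiableSet(tierRoles);
    }

    public static void main(String[] args) {
        RealmModel realm = new RealmModel();
        Agent webApp = new Agent("web-app");
        Role admin = new Role("realm", "admin");
        Role user = new Role("realm", "user");
        Role invoiceRead = new Role("billing-tier", "invoice:read");

        realm.addTier("billing-tier", invoiceRead);
        realm.addResource(webApp, "billing", "billing-tier");
        realm.grantRole("alice", admin);              // constructed sample data
        realm.grantRole("alice", user);
        realm.grantRole("alice", invoiceRead);
        realm.addScope(webApp, user);                 // web-app may request "user" ...
        realm.addScope(webApp, invoiceRead);          // ... and the billing tier's role, never "admin"

        // alice over-asks; admin is dropped because web-app has no ScopeRelationship for it
        System.out.println(realm.grantedScope(webApp, "alice", List.of(admin, user, invoiceRead)));
        System.out.println(realm.rolesOfResource("billing"));

        realm.addResource(webApp, "orphan", "deleted-tier");   // dangling String link to a Tier
        try {
            realm.rolesOfResource("orphan");
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The grant check is the piece that matters for OAuth: both the user's role mapping and the agent's scope must agree before a role is issued, so neither a compromised client nor an over-privileged user alone produces an over-scoped token.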
IDM and vault are the same thing
by David M. Lloyd
Consider:
IDM:
* associates identities with credentials
* provides ability to retrieve credentials or verify against credentials
Vault:
* associates identities with credentials
* provides ability to retrieve credentials or verify using credentials
So, they're basically the same thing, except vaults are kind of a crappy
hack. Instead of using a sys prop kludge for vaulted passwords, we
should have an explicit reference to an identity store plus an identity,
and simply not have a field for passwords in the config, period.
Discuss
--
- DML
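As an added illustration of the proposal in the post above (not WildFly, PicketLink or JBoss vault code, and not the author's): a configuration type that carries an explicit store-plus-identity reference and has no password field, with resolution deferred to the identity store at the moment of use. All type names (CredentialReferences, CredentialRef, IdentityStore, MapStore) are hypothetical, the store contents are constructed test data, and the `${VAULT::block::attribute::key}` token shape handled by the migration helper is the AS7 form as I recall it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

/**
 * Configuration references an identity store plus an identity; it never holds a secret.
 * Hypothetical types, not a real WildFly/PicketLink API. Requires Java 16+ (records).
 */
public class CredentialReferences {

    /** What the config holds instead of a password: which store, which identity. */
    public record CredentialRef(String store, String identity) {}

    /** A datasource definition with no place to put a secret, so toString() is safe to log. */
    public record DataSource(String jndiName, String url, CredentialRef credential) {}

    /** The IDM side, as the post describes it: hand a credential back, or verify against it. */
    public interface IdentityStore {
        Optional<char[]> retrieve(String identity);
        boolean verify(String identity, char[] candidate);
    }

    /** In-memory stand-in for a real store, populated with constructed test data. */
    public static final class MapStore implements IdentityStore {
        private final Map<String, char[]> creds = new HashMap<>();

        public MapStore with(String identity, String secret) {
            creds.put(identity, secret.toCharArray());
            return this;
        }

        @Override public Optional<char[]> retrieve(String identity) {
            char[] c = creds.get(identity);
            return c == null ? Optional.empty() : Optional.of(c.clone());
        }

        @Override public boolean verify(String identity, char[] candidate) {
            char[] stored = creds.get(identity);
            if (stored == null) return false;
            // constant-time comparison so a wrong identity and a wrong password look alike
            byte[] a = new String(stored).getBytes(StandardCharsets.UTF_8);
            byte[] b = new String(candidate).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(a, b);
        }
    }

    private final Map<String, IdentityStore> stores = new HashMap<>();

    public void registerStore(String name, IdentityStore store) { stores.put(name, store); }

    /** Resolve at the moment of use, not at parse time; the config object never sees the secret. */
    public char[] resolve(CredentialRef ref) {
        IdentityStore store = stores.get(ref.store());
        if (store == null) throw new IllegalStateException("config references unknown identity store " + ref.store());
        return store.retrieve(ref.identity())
                .orElseThrow(() -> new IllegalStateException("no identity " + ref.identity() + " in store " + ref.store()));
    }

    /**
     * Migration helper for the "sys prop kludge": a ${VAULT::block::attribute::key} token that used
     * to sit inside a password attribute becomes an explicit reference. Anything else is a literal
     * password and is rejected outright, since the model has no field for it.
     */
    public static CredentialRef fromPasswordAttribute(String value) {
        if (value.startsWith("${VAULT::") && value.endsWith("}")) {
            String[] parts = value.substring(2, value.length() - 1).split("::");
            if (parts.length >= 3) return new CredentialRef("vault", parts[1] + "/" + parts[2]);
        }
        throw new IllegalArgumentException("literal passwords are not allowed in configuration");
    }

    public static void main(String[] args) {
        CredentialReferences resolver = new CredentialReferences();
        resolver.registerStore("vault", new MapStore().with("ds/ExampleDS", "s3cr3t"));        // constructed
        resolver.registerStore("ldap", new MapStore().with("uid=app,ou=svc", "ldap-pass"));    // constructed

        DataSource ds = new DataSource("java:jboss/ExampleDS", "jdbc:h2:mem:test",
                new CredentialRef("vault", "ds/ExampleDS"));
        System.out.println("config: " + ds);                       // dump contains no secret

        char[] pw = resolver.resolve(ds.credential());
        System.out.println("resolved " + pw.length + " chars for " + ds.jndiName());
        Arrays.fill(pw, '\0');                                    // wipe after use

        System.out.println(fromPasswordAttribute("${VAULT::ds::ExampleDS::1}"));
        try {
            fromPasswordAttribute("hunter2");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point the code makes is structural: once the config type has no password field, a literal secret cannot be committed, logged or diffed by accident, and the store that owns the identity decides whether to release the credential or only to verify against it.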
Federated JDO more than an IDM API?
by Bill Burke
Isn't the IDM API turning more into a Federated JDO project than an
actual IDM API? I've found at least one JPA/JDO implementation that
supports an LDAP store, but haven't found one yet that does federation.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
Re: [security-dev] CustomPartition tests off?
by Bill Burke
How do I get the test to work? Do I need to extend PartitionTypeEntity and
add an @Entity and @IdentityManaged(CustomerPartition.class)? Or is
there another way?
On 7/29/2013 4:26 PM, Pedro Igor Silva wrote:
> Btw, I have a version of this test running. If you like I can push and you can take a look.
>
> ----- Original Message -----
> From: "Pedro Igor Silva" <psilva(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: security-dev(a)lists.jboss.org
> Sent: Monday, July 29, 2013 5:23:20 PM
> Subject: Re: [security-dev] CustomPartition tests off?
>
> Hi Bill,
>
> It is ignored because I'm working on other tests, not only for partitions but for custom identity and attributed types too. But it should work if you're creating your own partition type.
>
> The test is failing because we need a specific mapping for the custom type, which I'm working on now.
>
> Thanks.
> Pedro Igor
>
> ----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: security-dev(a)lists.jboss.org
> Sent: Monday, July 29, 2013 3:31:23 PM
> Subject: Re: [security-dev] CustomPartition tests off?
>
> Particularly updating an attribute fails.
>
> On 7/29/2013 2:26 PM, Bill Burke wrote:
>> Does custom partition JPA work? The CustomPartitionTestCase is @Ignore.
>> Also, the testAttributes() test seems to fail when I run with my IDE.
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
IDM tests fail miserably
by Bill Burke
I can run them each individually, but if I run them together I'm getting
something like 97 failures. I'm on Windows 7. I'm guessing something is not
getting cleaned up in between test runs.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
[PicketLink] - Version 2.5.0.Beta6 Released (Codename Bill)
by Pedro Igor Silva
Hi,
It has been a while since our last release. The reason is that we made some deep changes to the IDM API after some important feedback, especially from Bill Burke.
We can summarize all changes as follows:
- Runtime partitions support (as proposed by Bill, taking his PR into account);
- Custom types (AttributedType, IdentityType and Partition) support;
- New annotations that can be used with your custom types. Eg.: @IdentityPartition, which allows you to configure which types can be stored for a specific partition type.
- Partitions are now supporting custom attributes;
- More flexible and comprehensible mapping of JPA entities when using the JPA-store;
- Decoupling of the built-in types (such as User, Role, Group, Grant, etc) from the API. Now they are fully optional and not required to get your use case working;
- Improvements to the configuration of the JPA and LDAP stores.
The main objective of this release is to give you a chance to take a look at all those changes, which are the result of the latest discussions we had around the IDM API requirements and use cases. We're still working on some other important aspects, but they are not a blocker for starting to use this new version.
The most visible change for those already using the IDM is that all getAgent, getUser, getRole, grantRole, etc. methods were removed from the IdentityManager interface and moved to the org.picketlink.idm.model.sample.SampleModel class. We have also introduced a specific interface for relationship management, org.picketlink.idm.RelationshipManager.
Documentation is being updated and will be published very soon. The JDF quickstarts have also been updated to reflect this new version.
Issues for this version:
https://issues.jboss.org/secure/ReleaseNote.jspa?projectId=12310923&versi...
Thanks.
Pedro Igor
lookupIdentityById requires preconfigured Tiers
by Bill Burke
A problem I just ran into with my dynamic tier creation/deletion is that
DefaultIdentityManager.lookupIdentityById() requires that tiers be
preconfigured and listed in the store's config. So, if you're doing a
realm.grantRole() for a dynamically created Tier-based Role, it won't
work :(
I'm working on a fix now.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com