[keycloak-dev] SCIM v2 support

Stian Thorgersen sthorger at redhat.com
Tue Sep 4 06:15:06 EDT 2018 

It's not ideal, but adding columns for every additional attribute is also
far from ideal. Then there's the issue with backwards compatibility with
regards to user storage providers as that is a supported SPI and the API
needs to remain backwards compatible.

An complicating factor for SCIM will be user storage providers. Attributes,
queries, etc. should all work when there are user storage providers in the
realm. These could be LDAP or a custom implementation.

Queries on attributes shouldn't be to bad as long as the query is written
properly.

On Tue, 4 Sep 2018 at 08:41, Lösch, Sebastian <
Sebastian.Loesch at governikus.de> wrote:

> Hello Stian,
>
>
>
> thank you for your input. Storing additional SCIM attributes as key/value
> pairs in the USER_ATTRIBUTE table has two drawbacks:
>
> -          Storing of multivalued complex attributes becomes difficult.
> E.g. the SCIM phone number type has 4 attributes „value“, „display“, „type“
> and „primary“ and each user may have many phone number objects.
>
> -          Searching for users by attributes becomes difficult und maybe
> has a bad performance because of the SQL.
>
> Do you still think that’s the preferred way to go?
>
>
>
> Best regards,
>
> Sebastian
>
>
>
> *Von:* Stian Thorgersen <sthorger at redhat.com>
> *Gesendet:* Montag, 3. September 2018 12:21
> *An:* Lösch, Sebastian <Sebastian.Loesch at governikus.de>
> *Cc:* keycloak-dev <keycloak-dev at lists.jboss.org>
> *Betreff:* Re: [keycloak-dev] SCIM v2 support
>
>
>
> Adding additional attributes to user entity is probably not the way to go.
> Rather, it would be better for backwards compatibility to simply use
> generic key/value attributes which the user entity already has.
>
>
>
> Implementing the SCIM endpoints is probably pretty straightforward. Most
> of the work will probably be down to testing and documentation.
>
> On Wed, 29 Aug 2018 at 13:28, Lösch, Sebastian <
> Sebastian.Loesch at governikus.de> wrote:
>
> Hello,
>
>
>
> in a customer project we use keycloak and need a SCIM (System for
> Cross-domain Identity Management) API.
>
> Currently we write a wrapper API and a custom endpoint providing the SCIM
> functionality. We wrote a extension of the UserEntity, UserModel and an
> extension of the JpaUserProvider.
>
> This strategy seems not ideal and the nicest way is to add this extensions
> to Keycloak. This is already suggested in
> https://issues.jboss.org/browse/KEYCLOAK-2537
>
> Is anybody out there who can guide me, what coding would be necessary to
> contribute the SCIM functionality?
>
>
>
> Currently I think we have to:
>
> -          extend the UserEntity with all SCIM attributes. This will result
> in additional tables/entities for complex attributes e.g. Address, Name,
> Email
>
> -          extend the UserModel to povide the additional attributes
>
> -          implement the new SCIM endpoint /Users
>
> -          make the additional attributes available via Admin REST API
> /users
>
> -          extend views to be able to edit SCIM user attributes using the
> web ui
>
> -          …
>
> -          All the above again for the Groups endpoint…
>
>
>
> This also seem to be major changes. To big for one Pull Request. How do you
> like to handle this?
>
>
>
> Best regards,
>
> Sebastian
>
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>

More information about the keycloak-dev mailing list