[keycloak-user] Federation of Roles, Groups and Realms

Simon Levermann simon at slevermann.de
Tue Aug 13 16:29:15 EDT 2019


Hi,

Thanks for the input! This should suit our needs well enough to map our
license data into Keycloak. One minor question though (if it is too far
off-topic for this thread we can move the topic):

With our current implementation
(https://gist.github.com/sonOfRa/f0d3b8baba2ac5c62ea7d5eb5bfcd33d) of
the provider (essentially a slightly adjusted copy of the example in the
keycloak-quickstart repository), *searching* for users already works.
However, the "view all users" button in the users tab shows that no
users are available. I would have expected that the getUsers function
would be called in order to populate the data here, but firing up a
debugger suggests that those methods don't even get called. Is this
expected behaviour because federated users are simply not shown in the 
"All users" functionality, or is there some other interface I'd have to
implement on the provider in order to have that tab populated?

Cheers,

Simon

On 07.08.19 15:14, Pedro Igor Silva wrote:
> Hi,
>
> Providers are configured per-realm. For roles and groups, you could
> have a look at (if not already)
> https://www.keycloak.org/docs/6.0/server_development/#augmenting-external-storage.
>
> You could return an AbstractUserAdapterFederatedStorage from your
> provider and override some methods so that roles and group information
> is fetched from your database.
>
> Regards.
> Pedro Igor
>
> On Tue, Aug 6, 2019 at 1:09 PM Simon Levermann <simon at slevermann.de> wrote:
>
>     Hello,
>
>     We have a user database in the form of a license server, which we
>     would like to use as a source of data for a Keycloak server. I've
>     been able to find plenty of resources on how to map the *users*
>     into Keycloak via SPI, but I haven't been able to find much on
>     Roles, Groups and Realms. Are any (or all) of the three possible to
>     achieve, or do we have to manage these manually?
>
>     The problem is that we would like to have some logical separation
>     of users into a realm (or a group) per customer, as well as mapping
>     roles onto licenses for different products. Our current stab at a
>     solution is an external synchronization service which periodically
>     performs updates via the Keycloak Admin API, but if possible, we
>     would like to get rid of this service and perform all the mappings
>     inside Keycloak.
>
>     Best regards,
>
>     Simon Levermann
>
>
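
An added example of the approach suggested in the quoted reply, not code from the thread, the linked gist or the Keycloak project: an adapter that derives realm roles and a per-customer group from license data. `LicenseRecord`, the `license:` role prefix and the one-top-level-group-per-customer layout are assumptions, and the overrides assume the Set-returning `getRoleMappingsInternal()` and `getGroupsInternal()` hooks of the 6.0-era API the reply links to.

```java
// Added example. LicenseRecord and the "license:" role prefix are hypothetical.
import java.util.HashSet;
import java.util.Set;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;

public class LicenseUserAdapter extends AbstractUserAdapterFederatedStorage {
    /** Hypothetical view of one account in the external license database. */
    public interface LicenseRecord {
        String username();
        String customer();
        Set<String> products();
    }
    private final LicenseRecord record;
    public LicenseUserAdapter(KeycloakSession session, RealmModel realm,
                              ComponentModel model, LicenseRecord record) {
        super(session, realm, model);
        this.record = record;
    }
    @Override public String getUsername() { return record.username(); }
    @Override public void setUsername(String u) { throw new ReadOnlyException("license data is read-only"); }

    @Override
    protected Set<RoleModel> getRoleMappingsInternal() {
        Set<RoleModel> roles = new HashSet<>();
        for (String product : record.products()) {
            // Grant only roles already defined in the realm; unknown product
            // names from the external system are skipped, never auto-created.
            RoleModel role = realm.getRole("license:" + product);
            if (role != null) roles.add(role);
        }
        return roles;
    }
    @Override
    protected Set<GroupModel> getGroupsInternal() {
        Set<GroupModel> groups = new HashSet<>();
        String customer = record.customer();
        // A "/" would be read as a nested group path, so such names are rejected.
        GroupModel group = (customer == null || customer.contains("/")) ? null
                : KeycloakModelUtils.findGroupByPath(realm, "/" + customer);
        if (group != null) groups.add(group);
        return groups;
    }
}
```

The user storage provider would return this adapter from its lookup methods. Because roles and groups are resolved against what already exists in the realm, the external database can only select among grants an administrator has defined.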

