Comments (12)
Hi, first of all: thanks. I never considered JSON configuration, but in a production state most seem to use environment variables because it is easier with Docker.
But if I look at your problems, there are a few things that cross my mind here:
- Are you trying to include the plugin into some unit tests of another custom provider?
- What jumps out at me is the usage of the H2 database, which should only be used for testing.
- Oracle support (`MODE=Oracle`) will definitely fail, since I just added support for the Oracle database yesterday with the versions kc-23-1.4.0-enterprise and kc-22-1.4.0. Not available for Keycloak 21.
- And the errors you are describing here remind me of writing my own unit tests, because I too had to overcome these to make my unit tests work.
This issue does not seem to be related to installing the plugin into Keycloak and making it run.
from scim-for-keycloak.
I'm actually doing embedded Keycloak in our app derived from https://www.baeldung.com/keycloak-embedded-in-spring-boot-app. Everything works as is, but not this use case, which we were hoping for, as one of our customers requires us to talk SCIM instead of LDAP. I also have to stay on that older version because we can't currently upgrade the version of Jetty deployed in our app without a massive pain, and later versions of Keycloak require a Jetty upgrade.
The embedded Keycloak solution is pretty custom and out of scope for support. Since I have never tried this myself, I cannot tell you which steps you need to do. The plugin works when directly installed into Keycloak, but I don't know what is necessary to get it running in your specific case.
Another problem you will get is that the Liquibase script will cause problems with the Oracle database. There will also be some issues with timestamps and a CLOB-type column in the schemaAttributes table. The 21 version will cause you some trouble, as it does not seem to fit into your current scenario.
I just added an exception release: kc-21-1.2.1-oracle
This is all I can offer so far. I am not extending the Keycloak 21 version anymore. The merge conflicts I am getting from 21 to 22 are too much work, and therefore I will not support this version any longer except in case of urgent security issues.
I've got great news and bad news... That worked great!!! Got no errors and I can get into the SCIM management interface.
Now the bad news is that I guess I misunderstood the difference between the client and server. It seems what I just did was allow the creation of SCIM endpoints in Keycloak, i.e. now if someone wants to write a SCIM client to manipulate Keycloak users they can do that instead of using the Keycloak API (which is what I'm using in our application).
Unfortunately what I actually need (I think) is for Keycloak to have a SCIM client to do user federation in a similar way to the LDAP provider user federation. Is this the client that you are working on?
I actually don't need any of the SCIM CRUD functionality in this client since, like LDAP user federation, it would be read-only from my application, because the client is not going to want us messing with their users.
It seems that none of the development does the equivalent of user federation using SCIM, unless I am mistaken.
Yes, the SCIM client functionality is still in development and not far from being finished. But this will not be available for Keycloak 21. It will be released under version 2.0.0 for Keycloak 22 and 23.
First I need to get the SCIM client implementation finished. My plan is (I hope I can keep this) to provide a mostly working preview until the end of February. You should evaluate it then, if it meets your requirements, and maybe then we can talk about kc21 support.
Could you clarify how exactly you define the behaviour of identity federation in this case?
The SCIM client implementation will normally do what is expected:
- A remote SCIM provider is configured and can be assigned to a specific realm.
- If a user or group is created, the event is caught and a SCIM create request is sent to the remote provider.
- Same for delete requests.
- The really tricky part is handling updates of resources. This has some weaknesses because it can easily clash with other custom providers in Keycloak. Also, you are using a special customized implementation that pulls Keycloak into a Spring Boot application. I am not sure if this specific circumstance might disable the client implementation. It was necessary to register an interceptor on Keycloak's JPA unit in Hibernate to get it to work. I have no idea what the consequences are when you are modifying the environment.
So first of all, I'm not using Spring Boot. I used the technique to instead expose the RESTEasy stuff and corresponding Keycloak app via regular Spring MVC. I'm pretty sure I can register the interceptor as well, since I have full control of the infrastructure, except that of course I'm not allowed to change your code, so we would have to see how the registration that you do fits in. I would think it would just work like all the rest of it, but again we'll see. The server works with only a few tweaks to Liquibase, so it seems I'm not that much different from a regular install.
Secondly, the use case you specified isn't the use case I'm after (I don't think).
What happens when you have LDAP user federation is the following:
1. You can sync the users from the remote LDAP into Keycloak.
2. If someone logs in, the user is pulled from the remote LDAP into Keycloak along with the groups they are a part of.
I just want the same things to happen, instead via SCIM. So there is a remote source system containing users and groups and exposing the endpoints, so you can do 1) and 2). Essentially, imagine the same LDAP user federation source hidden behind SCIM endpoints.
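The two federation behaviours described above (a full sync of users, and pulling a single user with their group memberships at login) as an added, self-contained sketch; this is example code written for this page, not code from scim-for-keycloak or from either commenter. It assumes a hypothetical in-memory `FakeScimProvider` standing in for the remote SCIM 2.0 `/Users` and `/Groups` endpoints, with constructed sample resources; the federation side is read-only and exposes no create, update or delete. One constructed userName contains a double quote to show why the login filter value must be quoted as a JSON string literal rather than pasted into the filter text.

```python
"""Read-only SCIM federation sketch: full sync plus pull-on-login with group
resolution, against an in-memory stand-in for a remote SCIM 2.0 provider."""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample resources standing in for the remote /Users and /Groups
# endpoints (not real data). The third userName deliberately contains a
# double quote to exercise the filter quoting below.
_USERS = [
    {"id": "u-1", "userName": "alice", "active": True,
     "emails": [{"value": "alice@example.test", "primary": True}]},
    {"id": "u-2", "userName": "bob", "active": False,
     "emails": [{"value": "bob@example.test", "primary": True}]},
    {"id": "u-3", "userName": 'eve" or userName pr or userName eq "',
     "active": True, "emails": []},
]
_GROUPS = [
    {"id": "g-1", "displayName": "admins", "members": [{"value": "u-1"}]},
    {"id": "g-2", "displayName": "staff",
     "members": [{"value": "u-1"}, {"value": "u-2"}]},
]
_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def scim_filter_for_username(username: str) -> str:
    """Exact-match filter on userName. SCIM filter string literals are JSON
    strings (RFC 7644 section 3.4.2.2), so json.dumps() supplies the quotes and
    backslash escaping; a quote inside the username cannot widen the query."""
    return f"userName eq {json.dumps(username)}"


class FakeScimProvider:
    """Hypothetical in-memory stand-in for the remote provider (constructed)."""

    # Accepts only:  userName eq "<JSON string literal>"
    _EQ = re.compile(r'^userName eq ("(?:[^"\\]|\\.)*")$')

    def list_users(self, filter_expr: Optional[str] = None) -> dict:
        if filter_expr is None:
            hits = list(_USERS)
        else:
            m = self._EQ.match(filter_expr)
            if m is None:
                raise ValueError(f"unsupported filter: {filter_expr!r}")
            wanted = json.loads(m.group(1))  # undo the JSON quoting
            hits = [u for u in _USERS if u["userName"] == wanted]
        return {"schemas": [_LIST], "totalResults": len(hits), "Resources": hits}

    def list_groups(self) -> dict:
        return {"schemas": [_LIST], "totalResults": len(_GROUPS),
                "Resources": list(_GROUPS)}


@dataclass
class FederatedUser:
    external_id: str
    username: str
    email: Optional[str]
    enabled: bool
    groups: List[str] = field(default_factory=list)


class ReadOnlyScimFederation:
    """Mirrors the two LDAP federation behaviours: sync everything, or pull one
    user together with their groups at login. No writes are exposed."""

    def __init__(self, provider: FakeScimProvider) -> None:
        self.provider = provider

    def _memberships(self) -> Dict[str, List[str]]:
        # Membership comes from the Group resources' "members" lists; the User
        # "groups" attribute is read-only in SCIM and need not be populated.
        by_user: Dict[str, List[str]] = {}
        for g in self.provider.list_groups()["Resources"]:
            for m in g.get("members", []):
                by_user.setdefault(m["value"], []).append(g["displayName"])
        return by_user

    def _to_user(self, res: dict, memberships: Dict[str, List[str]]) -> FederatedUser:
        primary = next((e["value"] for e in res.get("emails", []) if e.get("primary")), None)
        return FederatedUser(res["id"], res["userName"], primary,
                             bool(res.get("active", True)),
                             sorted(memberships.get(res["id"], [])))

    def sync_all(self) -> List[FederatedUser]:
        """Behaviour 1: import every remote user with resolved group names."""
        memberships = self._memberships()
        return [self._to_user(r, memberships)
                for r in self.provider.list_users()["Resources"]]

    def lookup_on_login(self, username: str) -> Optional[FederatedUser]:
        """Behaviour 2: pull one user at login; refuse absent or ambiguous matches."""
        resp = self.provider.list_users(scim_filter_for_username(username))
        if resp["totalResults"] != 1:
            return None  # do not guess which remote account to log in
        return self._to_user(resp["Resources"][0], self._memberships())


if __name__ == "__main__":
    fed = ReadOnlyScimFederation(FakeScimProvider())
    for u in fed.sync_all():
        print(u)
    print(fed.lookup_on_login("alice"))
```

Building the filter with plain string concatenation (`'userName eq "' + name + '"'`) would, for the third constructed user, produce a filter that the provider rejects or, on a more permissive server, one that matches every user with a userName; quoting the value as a JSON string keeps the lookup to the single intended account, and returning `None` on anything other than exactly one hit keeps a broad match from silently logging someone in as the wrong user.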
Thanks for the clarification. I already assumed this would be the case. The first development state will not do what you want. But it should be relatively easy, without much effort (at least that is what I am thinking at the moment), to extend its functionality to what you want. And from my point of view it is a really good way of using it. So I will add this feature as soon as the client implementation is finished.