Captain-P-Goldfish / scim-for-keycloak

a third-party module that extends Keycloak with SCIM functionality
BSD 3-Clause "New" or "Revised" License
186 stars, 48 forks

Any support for pushing? #2

Closed pcolmer closed 3 years ago

pcolmer commented 3 years ago

I'm trying to see if Keycloak plus your SCIM add-on can be used to provide user/group information to Atlassian Access.

Atlassian Access says that it works with SCIM providers but the documentation is only for a limited set of providers and, from what I can glean, it looks like all of those providers push to Atlassian Access, rather than AA syncing from Keycloak + SCIM.

https://confluence.atlassian.com/cloud/user-provisioning-959305316.html

Is that something I can achieve with the code you've written?

Thanks.

pcolmer commented 3 years ago

I should add that AWS Single Sign-on also requires "inbound" support for automatic provisioning, so if there is a way of getting this to work with Keycloak, it would be very much appreciated!

Captain-P-Goldfish commented 3 years ago

I just recently had a discussion with another user who tried to link Azure AD with my SCIM extension. After overcoming some troubles we made it work and he provided a simple description of how to do it:

https://github.com/Captain-P-Goldfish/scim-for-keycloak/wiki/Use-with-Microsoft-Azure-AD

Does this help? Otherwise I need more information.

pcolmer commented 3 years ago

I had read and followed the linked document but quickly realised that the document takes you through steps that mirror how Atlassian Access and AWS SSO work. In other words, the document gets you to the point where you have a SCIM URL and authentication token that you plug into Azure AD ... but there doesn't seem to be anywhere within Keycloak/SCIM to enter a SCIM URL/authentication token.

I may be wrong but I think https://tools.ietf.org/html/rfc7642#section-2.3.1 references the use case I'm after, where Keycloak/SCIM is CSP-1 and Atlassian Access or AWS SSO are CSP-2. So, a change occurs within Keycloak that shows a new user has been created, and something then triggers AA/AWS SSO to tell it that a new user has been created.

I think that this process is normally handled by a SCIM client but I'm not sure how such an application would be able to pick up on changes occurring within Keycloak in order to tell the next CSP.

Does that help/clarify?

Captain-P-Goldfish commented 3 years ago

scim-for-keycloak only provides server-side support, not client-side. From what I understand Atlassian is acting as a SCIM client representing CSP-1. So when a create-user-event in Atlassian is triggered it should send a push trigger to Keycloak (CSP-2) creating the user also there. Is this what you are looking for?

Currently it is not possible to do it the other way around since I did not implement the client side in keycloak. Doing so should be possible though but I am afraid I cannot provide this any time soon since my resources are pretty much consumed.

pcolmer commented 3 years ago

> From what I understand Atlassian is acting as a SCIM client representing CSP-1. So when a create-user-event in Atlassian is triggered it should send a push trigger to Keycloak (CSP-2) creating the user also there. Is this what you are looking for?

No - the other way around. A "create-user-event" in Keycloak needs to trigger push events to CSP-2, be it Atlassian Access or AWS SSO or similar.

> Currently it is not possible to do it the other way around since I did not implement the client side in keycloak.

I was coming to that conclusion. Thank you for confirming it.

> Doing so should be possible though but I am afraid I cannot provide this any time soon since my resources are pretty much consumed.

I understand. Thank you for what you have done.
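For readers who land here with the same question: the "pick up on changes within Keycloak" part of the thread is what Keycloak's event listener SPI is for. The sketch below is an added example, not code from scim-for-keycloak or from either participant; it shows a hypothetical `ScimPushEventListener` that turns an admin-API user creation in Keycloak (CSP-1) into a SCIM 2.0 `POST /Users` to a downstream provider (CSP-2). The endpoint URL, the bearer token and the class name are assumptions.

```java
import java.net.URI;
import java.net.http.*;
import java.util.*;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.admin.*;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.util.JsonSerialization;

/** Hypothetical listener: pushes admin-API user creations in Keycloak (CSP-1) to a SCIM 2.0 endpoint (CSP-2). */
public class ScimPushEventListener implements EventListenerProvider {
  private final HttpClient http = HttpClient.newHttpClient();
  private final String usersEndpoint; // assumed, e.g. https://csp2.example/scim/v2/Users
  private final String bearerToken;   // provisioning token issued by CSP-2 (assumed)
  public ScimPushEventListener(String usersEndpoint, String bearerToken) {
    this.usersEndpoint = usersEndpoint;
    this.bearerToken = bearerToken;
  }
  @Override
  public void onEvent(Event event) { /* self-registration arrives here as EventType.REGISTER; not handled */ }
  @Override
  public void onEvent(AdminEvent event, boolean includeRepresentation) {
    // The JSON body is only attached when "Include representation" is enabled in the realm's
    // admin-events settings; without it there is nothing to push.
    if (event.getResourceType() != ResourceType.USER || event.getOperationType() != OperationType.CREATE
        || event.getRepresentation() == null) return;
    try {
      UserRepresentation u = JsonSerialization.readValue(event.getRepresentation(), UserRepresentation.class);
      HttpRequest req = HttpRequest.newBuilder(URI.create(usersEndpoint))
          .header("Authorization", "Bearer " + bearerToken)
          .header("Content-Type", "application/scim+json")
          .POST(HttpRequest.BodyPublishers.ofString(toScimUser(u))).build();
      HttpResponse<String> res = http.send(req, HttpResponse.BodyHandlers.ofString());
      // A failed push must not undo the Keycloak change; log it so a reconciliation job can retry.
      if (res.statusCode() != 201) System.err.println("SCIM push failed: " + res.statusCode() + " " + res.body());
    } catch (Exception e) {
      System.err.println("SCIM push error: " + e.getMessage());
    }
  }
  /** Builds a minimal RFC 7643 core User resource from the Keycloak representation. */
  static String toScimUser(UserRepresentation u) throws java.io.IOException {
    Map<String, Object> scim = new LinkedHashMap<>();
    scim.put("schemas", List.of("urn:ietf:params:scim:schemas:core:2.0:User"));
    scim.put("userName", u.getUsername());
    scim.put("active", Boolean.TRUE.equals(u.isEnabled()));
    if (u.getEmail() != null) scim.put("emails", List.of(Map.of("value", u.getEmail(), "primary", true)));
    return JsonSerialization.writeValueAsString(scim);
  }
  @Override
  public void close() {}
}
```

To deploy it you would still need an `EventListenerProviderFactory` that constructs this class from realm or provider configuration, register it under `META-INF/services`, and enable the listener in the realm's event settings; updates and deletes would need the same treatment with SCIM `PATCH`/`DELETE`.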