mitodl / keycloak-scim

SCIM client plugin for Keycloak
Apache License 2.0

Keycloak automatic provisioning of users/groups (via SCIM) to AWS IAM Identity Center #73

Open jdhakar1995 opened 6 months ago

jdhakar1995 commented 6 months ago

Hi Team,

We are using Keycloak 20.0.3 as the IdP with AWS IAM Identity Center (SSO). We are using the SCIM protocol to sync users and groups from Keycloak to AWS SSO. But this sync does not work automatically. We have to invoke the SCIM endpoint periodically to do the sync.

Does this new Keycloak SCIM plugin, or any Keycloak version, support automatic provisioning of users and groups to AWS SSO using SCIM?

Thanks, Jitendra

antonwolfconti commented 6 months ago

Any news here? I would also be interested.

jdhakar1995 commented 6 months ago

Expecting feedback from @blarghmatey and team

blarghmatey commented 6 months ago

I can't speak specifically to AWS, but the SCIM plugin does hook into the user federation functionality. That allows create and update events to be automatically propagated through SCIM from Keycloak.

temach commented 3 months ago

I tried this plugin with AWS and the setup works partially. Looks like there is a problem on the AWS side.

Users and groups are propagated from Keycloak to AWS Identity Center successfully (very nice!!). But when the plugin tries to propagate group memberships to AWS, AWS responds with 404.

I used the plugin from commit https://github.com/mitodl/keycloak-scim/commit/b94770425a4a4778df1021dc0992c29c1d45a217, released on 17th August 2024, and I was using Keycloak version 23.0.6.

The full log of creating a group, creating a user and adding the user to the group is attached.

To highlight the problematic part, here is the log from Keycloak; specifically, the plugin sends the group membership correctly:

keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "PUT /ZZZZZZZZ-ZZZZ-ZZZZ-ZZZZ-ZZZZZZZZ/scim/v2Groups/1448c488-a091-7079-c477-93f066c11843 HTTP/1.1[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Authorization: Bearer ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ==[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Content-Type: application/scim+json[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Content-Length: 293[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Host: scim.us-east-1.amazonaws.com[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Connection: Keep-Alive[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,085 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "User-Agent: Apache-HttpClient/4.5.14 (Java/17.0.10)[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,085 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Accept-Encoding: gzip,deflate[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,085 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,085 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"id":"1448c488-a091-7079-c477-93f066c11843","externalId":"16d3b5c1-6e7b-46c1-a4af-50de027c850a","displayName":"testgrp2","members":[{"value":"44a8b488-b001-70a1-d97e-a29b259662f2","$ref":"Users/44a8b488-b001-70a1-d97e-a29b259662f2"}]}"

But it gets a 404 response from AWS IAM Identity Center (the group and user were created there successfully), so the group membership change fails:

keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "HTTP/1.1 404 Not Found[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "Date: Tue, 20 Aug 2024 05:56:54 GMT[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "Content-Length: 29[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "Connection: keep-alive[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "<UnknownOperationException/>[\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.headers] (executor-thread-31) http-outgoing-11 << HTTP/1.1 404 Not Found
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.headers] (executor-thread-31) http-outgoing-11 << Date: Tue, 20 Aug 2024 05:56:54 GMT
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.headers] (executor-thread-31) http-outgoing-11 << Content-Length: 29
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.headers] (executor-thread-31) http-outgoing-11 << Connection: keep-alive
keycloak_1  | 2024-08-20 05:56:54,183 DEBUG [org.apache.http.impl.conn.DefaultManagedHttpClientConnection] (executor-thread-31) http-outgoing-11: Close connection
keycloak_1  | 2024-08-20 05:56:54,275 DEBUG [org.apache.http.impl.execchain.MainClientExec] (executor-thread-31) Connection discarded
keycloak_1  | 2024-08-20 05:56:54,276 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (executor-thread-31) Connection released: [id: 11][route: {s}->https://scim.us-east-1.amazonaws.com:443][total available: 0; route allocated: 0 of 2; total allocated: 0 of 20]
keycloak_1  | 2024-08-20 05:56:54,276 WARN  [sh.libre.scim.core.ScimClient] (executor-thread-31) <UnknownOperationException/>
keycloak_1  |
keycloak_1  | 2024-08-20 05:56:54,276 WARN  [sh.libre.scim.core.ScimClient] (executor-thread-31) 404
keycloak_1  | 2024-08-20 05:56:54,276 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (executor-thread-31) Connection manager is shutting down
keycloak_1  | 2024-08-20 05:56:54,276 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (executor-thread-31) Connection manager shut down

Full log attached as file: full_drama_group_created_user_create_and_add_to_group_aws_accepts_group_and_user_but_404_to_group_memebership.txt
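An added example for readers triaging a log like the one above; it is not code from this issue or from the keycloak-scim project. Two things in the quoted wire log are worth checking mechanically before blaming the server. First, the request line reads `PUT /<tenant>/scim/v2Groups/<id>`, with no slash between `v2` and `Groups`, which is the shape produced when an endpoint base URL and a resource path are concatenated without a separator, and a server expecting `/scim/v2/Groups/<id>` will not route it. Second, `org.apache.http.wire` DEBUG output prints the full `Authorization: Bearer` header, so any such log must be redacted before it is shared (the poster did this by hand). The script parses Apache HttpClient wire-log lines, extracts request lines and status codes, flags SCIM collection names glued onto the previous path segment, redacts bearer tokens, and shows a URL-joining helper that always emits exactly one slash. The sample log lines are constructed to mirror the quoted ones, with the tenant id and token replaced by placeholders; the helper and function names are my own.

```python
"""Audit Apache HttpClient wire-log lines from a SCIM client (added example)."""
import re

# SCIM 2.0 core collection names we expect as their own path segments.
SCIM_COLLECTIONS = ("Groups", "Users")

# Constructed sample modelled on the lines quoted in the issue; tenant id and
# token are placeholders, not real values.
SAMPLE_WIRE_LOG = [
    r'keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "PUT /TENANT-ID/scim/v2Groups/1448c488-a091-7079-c477-93f066c11843 HTTP/1.1[\r][\n]"',
    r'keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Authorization: Bearer ZZZZZZZZZZZZZZZZ==[\r][\n]"',
    r'keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Host: scim.us-east-1.amazonaws.com[\r][\n]"',
    r'keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "HTTP/1.1 404 Not Found[\r][\n]"',
    r'keycloak_1  | 2024-08-20 05:56:54,276 WARN  [sh.libre.scim.core.ScimClient] (executor-thread-31) 404',
]

# Only [org.apache.http.wire] lines carry raw bytes; the headers logger does not.
WIRE_RE = re.compile(r'\[org\.apache\.http\.wire\].*?(>>|<<) "(.*)"$')
# HttpClient renders CR/LF as the literal text [\r][\n] at the end of each chunk.
CRLF_SUFFIX_RE = re.compile(r'(\[\\r\]|\[\\n\])+$')


def parse_wire_line(line):
    """Return ('request'|'response', payload) for a wire-log line, else None."""
    m = WIRE_RE.search(line)
    if not m:
        return None
    direction = "request" if m.group(1) == ">>" else "response"
    return direction, CRLF_SUFFIX_RE.sub("", m.group(2))


def redact_authorization(payload):
    """Replace the credential part of an Authorization header so logs can be shared."""
    return re.sub(r'^(Authorization:\s*\S+\s+)\S+', r'\g<1>[REDACTED]',
                  payload, flags=re.IGNORECASE)


def request_line(payload):
    """Split 'PUT /path HTTP/1.1' into (method, path); None for non-request payloads."""
    m = re.match(r'^([A-Z]+) (\S+) HTTP/\d\.\d$', payload)
    return (m.group(1), m.group(2)) if m else None


def status_code(payload):
    """Extract the status code from an 'HTTP/1.1 404 Not Found' status line."""
    m = re.match(r'^HTTP/\d\.\d (\d{3})', payload)
    return int(m.group(1)) if m else None


def check_scim_path(path):
    """List problems in a SCIM request path.

    A collection name that is a suffix of a longer segment (e.g. 'v2Groups')
    means the base URL and the resource path were joined without a slash.
    """
    problems = []
    for segment in path.split("/"):
        for coll in SCIM_COLLECTIONS:
            if segment != coll and segment.endswith(coll):
                problems.append(f"collection '{coll}' glued onto segment '{segment}'")
    return problems


def join_scim_url(base_url, resource_path):
    """Join a SCIM endpoint base URL and a resource path with exactly one slash."""
    return base_url.rstrip("/") + "/" + resource_path.lstrip("/")


def audit_wire_log(lines):
    """Summarise requests (with path problems), response status codes and redacted payloads."""
    report = {"requests": [], "statuses": [], "redacted": []}
    for line in lines:
        parsed = parse_wire_line(line)
        if parsed is None:
            continue  # not a raw wire line (e.g. the ScimClient WARN line)
        direction, payload = parsed
        report["redacted"].append(redact_authorization(payload))
        if direction == "request":
            rl = request_line(payload)
            if rl:
                report["requests"].append(
                    {"method": rl[0], "path": rl[1], "problems": check_scim_path(rl[1])})
        else:
            code = status_code(payload)
            if code is not None:
                report["statuses"].append(code)
    return report


if __name__ == "__main__":
    result = audit_wire_log(SAMPLE_WIRE_LOG)
    for req in result["requests"]:
        print(req["method"], req["path"], req["problems"] or "path looks well-formed")
    print("response status codes:", result["statuses"])
    print("safe to share:", *result["redacted"], sep="\n  ")
```

Run it as-is to see the glued `v2Groups` segment flagged and the 404 paired with it; point `audit_wire_log` at the real log file (one line per list element) to do the same for the attached output. `join_scim_url` is the shape of helper a client should use wherever it builds `Users/<id>` or `Groups/<id>` URLs, since it yields the same result whether or not the configured endpoint ends in a slash.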