GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → Captain-P-Goldfish → scim-for-keycloak

Captain-P-Goldfish / scim-for-keycloak

Licence: BSD-3-Clause license
a third party module that extends keycloak by SCIM functionality

Programming Languages

java
68154 projects - #9 most used programming language
HTML
75241 projects
javascript
184084 projects - #8 most used programming language

Labels

keycloakscim

Projects that are alternatives of or similar to scim-for-keycloak

react-keycloak-examples
Examples for react-keycloak packages
Stars: ✭ 110 (-13.39%)
Mutual labels:  keycloak
Keycloak.Net
C# client for Keycloak 6.x
Stars: ✭ 100 (-21.26%)
Mutual labels:  keycloak
scim
Golang Implementation of the SCIM v2 Specification
Stars: ✭ 108 (-14.96%)
Mutual labels:  scim
brauzie
Awesome CLI for fetching JWT tokens for OAuth2.0 clients
Stars: ✭ 14 (-88.98%)
Mutual labels:  keycloak
keycloak-mail-whitelisting
Keycloak extension to whitelist email adresses domain when users register
Stars: ✭ 36 (-71.65%)
Mutual labels:  keycloak
keycloak-restrict-client-auth
A Keycloak authenticator to restrict authorization on clients
Stars: ✭ 34 (-73.23%)
Mutual labels:  keycloak
epiphany
Cloud and on-premises automation for Kubernetes centered industrial grade solutions.
Stars: ✭ 114 (-10.24%)
Mutual labels:  keycloak
spring-boot-web-application-sample
Real World Spring Boot Web Application Example with tons of ready to use features
Stars: ✭ 143 (+12.6%)
Mutual labels:  keycloak
keycloak-mysql-user-federation
Keycloak user federation extension to connect to a MySQL database containing users
Stars: ✭ 17 (-86.61%)
Mutual labels:  keycloak
Supertokens Core
Open source alternative to Auth0 / Firebase Auth / AWS Cognito
Stars: ✭ 2,907 (+2188.98%)
Mutual labels:  keycloak
keycloak-docker
Docker image for Keycloak 6.0.1 (postgres, ssl) + k8s + Openshift
Stars: ✭ 19 (-85.04%)
Mutual labels:  keycloak
ProxyInjector
A Kubernetes controller to inject an authentication proxy container to relevant pods - [✩Star] if you're using it!
Stars: ✭ 77 (-39.37%)
Mutual labels:  keycloak
springboot-keycloak-mongodb-testcontainers
Goals: 1) Create a Spring Boot application that manages books; 2) Use Keycloak as authentication and authorization server; 3) Test using Testcontainers; 4) Explore the utilities and annotations that Spring Boot provides when testing applications.
Stars: ✭ 18 (-85.83%)
Mutual labels:  keycloak
keyonic-v2
A Keycloak Mobile Implementation using Angular v4 and Ionic v3
Stars: ✭ 23 (-81.89%)
Mutual labels:  keycloak
vagrant-codes-in-practice
Vagrant code files similar to the real bare metal environments
Stars: ✭ 22 (-82.68%)
Mutual labels:  keycloak
keycloak-sms-authenticator-sns
SMS 2 Factor Authentication for Keycloak via AWS SNS
Stars: ✭ 66 (-48.03%)
Mutual labels:  keycloak
keycloak-sso
custom account management template, keycloak authentication and authorization
Stars: ✭ 41 (-67.72%)
Mutual labels:  keycloak
go-uaa
UAA API Client Library
Stars: ✭ 14 (-88.98%)
Mutual labels:  scim
spring-boot-keycloak-angular
Securing a Angular frontend and a Spring Boot backend with Keycloak and Spring Security
Stars: ✭ 40 (-68.5%)
Mutual labels:  keycloak
Keycloak
Open Source Identity and Access Management For Modern Applications and Services
Stars: ✭ 10,826 (+8424.41%)
Mutual labels:  keycloak
View All Similar Projects ➔
Branch Circle CI Status
master build deactivated due to build problem on circle-ci. But the current version is still stable

Donations

If you like this work and want to support me you'll be able to treat me to a cup of coffee :-)

Donate

What is SCIM-for-keycloak?

It is a full SCIM implementation that is easily integrated into keycloak and is also easily configurable within the web admin console.

It grants you interoperable User, Group and Role provisioning by using a defined standard for resource managing:

See:

An example is user and group synchronizing with Microsoft Azure AD. A manual that describes how to do this can be found in the wiki:

Use with Microsoft Azure AD Thanks to Raffael Grob for providing this manual.

Keycloak support matrix

version supported scim-for-keycloak version SCIM-SDK Version
lower -
9.0.x You may find an older working version at https://github.com/Captain-P-Goldfish/SCIM-SDK
10.0.x You may find an older working version at https://github.com/Captain-P-Goldfish/SCIM-SDK
11.0.x ✔️ kc-11-b1 1.8.3
12.0.x ✔️ kc-12-b1 1.8.3
12.0.x ✔️ kc-12-b2 1.9.2
13.0.0 ✔️ kc-13-b1 1.9.2
13.0.1 ✔️ kc-13-b2 1.11.0
13.0.1 ✔️ kc-13-b3 1.11.0
13.0.1 ✔️ kc-13-b4 1.11.0
14.0.0 ✔️ kc-14-b1 1.11.0
14.0.0 ✔️ kc-14-b2 1.11.0
14.0.x ✔️ kc-14-b3 1.11.0
15.0.x ✔️ kc-15-b1 1.12.0
15.0.x ✔️ kc-15-b2 1.12.1
15.0.x ✔️ kc-15-b3 1.12.1
16.0.x kc-16-b1 (BROKEN -(due to missing theme files) 1.12.3
16.0.x ✔️ kc-16-b2 1.12.3
16.1.x kc-16-b3 (BROKEN - due to liquibase problem) 1.12.4
16.1.x ✔️ kc-16-b4 1.12.4
17.0.x
18.0.x ✔️ kc-18-b1 1.13.4
18.0.x / 19.0.x ✔️ kc-18-b2 1.13.4

Versioning

This project will use the following versioning pattern

kc-${keycloak.version}-b${project.incremental.version}

Releases

Starting with version kc-16-b1 I will upload the built artifacts to github into the release section. Any previous versions must still be build manually as described below.

Release Notes

To see the current release-notes take a look into the release section: https://github.com/Captain-P-Goldfish/scim-for-keycloak/releases

How to build

You need a git, JDK and maven installation on your computer. A manual in how to prepare java and maven for non-java-developers can be found in the wiki: https://github.com/Captain-P-Goldfish/scim-for-keycloak/wiki/Manual:-building-scim-for-keycloak-with-java-and-maven

Checkout the git tag that you want to build:

  1. list all available tags: git tag -l *
  2. checkout the tag you want to build git checkout tags/${tag-name}
  3. build with maven
    • cd ${SCIM_FOR_KEYCLOAK_HOME}
    • mvn clean package -DskipTests
  4. find the scim-for-keycloak artifact in: scim-for-keycloak/scim-for-keycloak-server/target/scim-for-keycloak-kc-${keycloak.version}-b${project.incremental.version}.jar

Deploy into keycloak server

Add the artifact to the keycloak providers directory ${keycloak.home}/providers and execute in ${keycloak.home}/bin the command kc.sh build to install the provider

Security Considerations

If you open up the SCIM endpoints to a specific realm make sure you setup access rights properly because access is by default granted to all clients and to all users. This is of course a problematic behaviour in a real world scenario, so you should restrict the access to specific clients and to users with specific roles as described in chapter What is configurable?

How to configure the SCIM endpoints

  1. Deploy the scim-for-keycloak.jar file into your server. If the server is currently running you need to restart it!
  2. Now open the web admin console of keycloak open the realm settings and select the Themes tab and select the scim theme for the admin console. Now reload the browser page and the SCIM menu link should be visible. theme-settings
  3. The SCIM endpoints will be deactivated by default. To activate it for a realm toggle the "SCIM enabled" switch under the SCIM menu link.

Disabled by default

Earlier versions of scim-for-keycloak (kc-13-b2 and before and kc-14-b1) did enable the SCIM endpoints by default. The newer versions will have them disabled by default.

What is configurable?

  1. Select the SCIM link and you should see the following view:
    theme-settings
  2. You can enable SCIM for each realm separately and the ServiceProvider configurations as defined in RFC7643
  3. You may restrict access to the SCIM-endpoints for each separate realm by allowing users only access if they have been identified by a specific client. If no clients are selected any client is authorized to access the SCIM endpoints
    theme-settings
  4. You get an overview for all registered ResourceTypes and may configure them separately.
    theme-settings
    You may have noticed that a 3rd ResourceType with name RealmRole is present that is not defined by RFC7643. This ResourceType is a custom endpoint that acts as showcase to demonstrate how easy it is to extend the API with new endpoints. This endpoint provides support for adding new RealmRoles and associate them with either Groups or Users.
  5. Each endpoint provides several settings that can be configured:
    theme-settings
    You'll be able to change the description of an endpoint, disable a specific ResourceType or just prevent that new resources are created, deleted, updated or read.
  6. You can turn off the requirement for authentication on each ResourceType but not for specific ResourceType-endpoints.
  7. You'll be able to set required roles for each ResourceType and each ResourceType-endpoint [create, get , list, update, delete] . If no roles are applied to an endpoint the API will assume the authorization to be disabled. theme-settings
    The role settings are of course only respected if authentication is enabled.

Admin-Events (kc-13-b3, kc-14-b2+)

If admin events are enabled the SCIM endpoint implementations will fire admin events of the following types:

  • User [CREATE, UPDATE, DELETE]
  • Group [CREATE, UPDATE, DELETE]
    • User GroupMembership [CREATE, DELETE]
    • Group GroupMembership [CREATE, DELETE]
  • RealmRole [CREATE, UPDATE, DELETE]

Any event that triggers a GroupMembership change will also cause either a Group_Create event or a Group_Update event depending on the fact if the resource is getting created or updated.

Disadvantages

  1. I didn't find a really good way in storing multi-valued-complex structures in the user-attributes table so I stored such data structures in pure json in this table. Please note that the values in the screenshot are simply auto-generated test-values. theme-settings
  2. User loading and filtering is not implemented on database level meaning that a "list-Users"-request will currently retrieve all Users of the used realm from the database. Filtering, sorting and limiting of the returned entries will be done on API level by the SCIM-SDK. (personal tests have shown that this is still pretty fast with at least 5000 Users. I never tried more)

Grant management-access for configuration

In some cases you might want to have several administration users that will only be able to configure the SCIM environment of a single realm. In such a case the user must have specific roles that will grant access to configure the SCIM environment. If the user does not have the corresponding role the "SCIM"-menu entry will not be visible to this user.

NOTE: Do not get confused with the roles here. These roles are only for accessing the management in the keycloak web admin console. These roles have nothing to do with accessing the SCIM-endpoints.

Two different roles are required to access the "SCIM"-menu.

  1. view-realm (allows the user to see the "SCIM"-menu item on the left)
  2. scim-admin (allows the user to modify the SCIM configuration)

The "scim-admin" role exists several times for several clients.

  1. For each realm that is created a new "master-client" for this realm is added to the "master" realm. Each of these clients will get the "scim-admin" role that is needed for users from the "master" realm to access the "SCIM"-menu. So if you create a realm with name "test" you will be able to find a client with name "test-realm" within the clients section of the "master" realm. The "scim-admin" role of this client is needed to modify the data of the SCIM environment in the "test" realm for users of realm "master".

  2. If a new realm "test" is created you should be able to find a client in the clients section of realm "test" with name "realm-management". This client should have the client-role "scim-admin". Grant this role to users of realm "test" to grant access to the SCIM configuration for this realm.

  3. The last case is the SCIM configuration for realm "master". This works analogous to 2. But for realm "master" the name of the "master-client" is "master-realm" instead of "realm-management".

So in total we got 2 different cases:

  1. users of realm "master" are able to get access to SCIM configurations of several realms.
  2. users of other realms can only access the SCIM configuration of their own realm.

theme-settings
theme-settings
theme-settings

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].