Provide ability to add users to keycloak and assign groups/roles prior to the user logging on
Closed this issue · 4 comments
Goal: Add New Hire and required groups/roles prior to their first login
Sample Scenario:
- User is newly hired and needs access to application X on openshift using IDIR/Keycloak
- Application X requires the user to be set up with groups/roles first.
- As part of hiring process, we order IDIR via OCIO, receive IDIR ID and add to Keycloak and assign groups prior to new hire logging on.
- Send user the IDIR and temporary IDIR password and have them log in to the application successfully.
Solution:
Duplicated a copy of first broker login
Added Create User If Unique (BCGOV) and disabled existing "Create User If Unique", by adding execution
Chose "Create User if Unique (BCGOV)"
Move up to appropriate place and disable (or delete) the existing "Create User If Unique"
Update IDIR IDP: First Login Flow with new first broker login.
** Ensure the following is in the mappers; otherwise add it:
Name: idir_guid
Mapper Type: Attribute Importer
Claim: idir_userid
User Attribute Name: idir_user_guid
When creating a new user in Keycloak:
- User name should be in format: "<idirid>@idir"
- Add user attribute: idir_user_guid with the value of the IDIR GUID.
To find the GUID in PowerShell:
Get-ADUser -Identity <idirid>
To find the GUID in Linux, install ldap-utils and type:
ldapsearch -LLL -x -h idir.BCGOV -D "<your idir>" -W -b "OU=BCGOV,DC=idir,DC=BCGOV" '(&(objectCategory=person)(objectClass=user)(sAMAccountName=<idirid>))' bcgovGUID
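As an added example (not code from the issue or from the sso-keycloak project), a Python script that does the pre-provisioning described above: it pulls bcgovGUID out of the ldapsearch output, then creates the user as `<idirid>@idir` with the `idir_user_guid` attribute and a group membership through the Keycloak Admin REST API. The base URL, realm name, how the admin token is obtained and the group id are assumptions; the LDIF sample is constructed.

```python
# Added example, not from the issue: pre-provision an IDIR user in Keycloak with the
# idir_user_guid attribute that the "Create User If Unique (BCGOV)" flow matches on.
# Assumptions (not stated in the issue): Admin REST API paths below, realm name,
# and an admin bearer token obtained elsewhere.
import base64
import json
import urllib.request
from typing import Optional

def parse_bcgov_guid(ldif: str) -> Optional[str]:
    """Extract bcgovGUID from `ldapsearch -LLL ... bcgovGUID` output.
    ldapsearch emits 'attr:: <base64>' when a value is not safe to print, so
    both the plain and the base64 form are handled."""
    for line in ldif.splitlines():
        if line.startswith("bcgovGUID:: "):
            return base64.b64decode(line[len("bcgovGUID:: "):]).decode("utf-8").strip()
        if line.startswith("bcgovGUID: "):
            return line[len("bcgovGUID: "):].strip()
    return None

def build_user(idir_id: str, guid: str, first: str, last: str, email: str) -> dict:
    """Keycloak UserRepresentation in the shape the issue describes:
    username '<idirid>@idir' plus the idir_user_guid attribute."""
    if not guid:
        raise ValueError("refusing to create a user without an IDIR GUID")
    return {
        "username": f"{idir_id.lower()}@idir",  # Keycloak stores usernames lowercase
        "enabled": True,
        "firstName": first, "lastName": last, "email": email,
        "attributes": {"idir_user_guid": [guid]},
    }

def create_user(base_url: str, realm: str, token: str, user: dict) -> str:
    """POST the user; the new user id comes back in the Location header (201)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/users",
        data=json.dumps(user).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Location"].rsplit("/", 1)[-1]

def add_to_group(base_url: str, realm: str, token: str, user_id: str, group_id: str) -> None:
    """Assign the pre-created user to a group before their first login."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/users/{user_id}/groups/{group_id}",
        method="PUT", headers={"Authorization": f"Bearer {token}"})
    urllib.request.urlopen(req).close()

# Constructed sample of ldapsearch output; not a real IDIR record or GUID.
SAMPLE_LDIF = "dn: CN=Jane Doe,OU=BCGOV,DC=idir,DC=BCGOV\nbcgovGUID: 0123456789ABCDEF0123456789ABCDEF\n"

if __name__ == "__main__":
    guid = parse_bcgov_guid(SAMPLE_LDIF)
    print(json.dumps(build_user("janedoe", guid, "Jane", "Doe", "jane.doe@example.invalid"), indent=2))
```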
Hey, you highlighted me. How can I help?
closed and captured bcgov/sso-keycloak#68
ldapsearch -LLL -x -h idir.BCGOV -D "joedoe@idir" -W -b "OU=BCGOV,DC=idir,DC=BCGOV" '(&(objectCategory=person)(objectClass=user)(sAMAccountName=janedoe))' bcgovGUID