
Keycloak automatic provisioning of users/groups (via SCIM) to AWS IAM Identity Center #73

Open
jdhakar1995 opened this issue May 10, 2024 · 4 comments

Comments

@jdhakar1995

Hi Team,

We are using Keycloak 20.0.3 as the IdP with AWS IAM Identity Center (SSO). We are using the SCIM protocol to sync users and groups from Keycloak to AWS SSO. But this sync does not work automatically. We have to invoke the SCIM endpoint periodically to do the sync.

Does this new Keycloak SCIM plugin, or any Keycloak version, support automatic provisioning of users and groups to AWS SSO using SCIM?

Thanks,
Jitendra

@antonwolfconti

Any news here? I would also be interested.

@jdhakar1995
Author

jdhakar1995 commented May 23, 2024

Expecting feedback from @blarghmatey and team

@blarghmatey
Member

I can't speak specifically to AWS, but the SCIM plugin does hook into the user federation functionality. That allows create and update events to be automatically propagated through SCIM from Keycloak.

@temach

temach commented Aug 20, 2024

I tried this plugin with AWS and the setup works partially. It looks like there is a problem on the AWS side.

Users and groups are propagated from Keycloak to AWS Identity Center successfully (very nice!!). But when the plugin tries to propagate group memberships to AWS, AWS responds with 404.

I used the plugin from commit b947704, released on 17th August 2024, and I was using Keycloak version 23.0.6.

The full log of creating a group, creating a user and adding the user to the group is attached.

To highlight the problematic part, here is the log from Keycloak; specifically, the plugin sends the group membership correctly:

keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "PUT /ZZZZZZZZ-ZZZZ-ZZZZ-ZZZZ-ZZZZZZZZ/scim/v2Groups/1448c488-a091-7079-c477-93f066c11843 HTTP/1.1[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Authorization: Bearer ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ==[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Content-Type: application/scim+json[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Content-Length: 293[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Host: scim.us-east-1.amazonaws.com[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Connection: Keep-Alive[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,085 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "User-Agent: Apache-HttpClient/4.5.14 (Java/17.0.10)[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,085 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Accept-Encoding: gzip,deflate[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,085 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,085 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"id":"1448c488-a091-7079-c477-93f066c11843","externalId":"16d3b5c1-6e7b-46c1-a4af-50de027c850a","displayName":"testgrp2","members":[{"value":"44a8b488-b001-70a1-d97e-a29b259662f2","$ref":"Users/44a8b488-b001-70a1-d97e-a29b259662f2"}]}"

But it gets a 404 response from AWS IAM Identity Center (the group and user were created there successfully), so the group membership change fails:

keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "HTTP/1.1 404 Not Found[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "Date: Tue, 20 Aug 2024 05:56:54 GMT[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "Content-Length: 29[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "Connection: keep-alive[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "<UnknownOperationException/>[\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.headers] (executor-thread-31) http-outgoing-11 << HTTP/1.1 404 Not Found
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.headers] (executor-thread-31) http-outgoing-11 << Date: Tue, 20 Aug 2024 05:56:54 GMT
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.headers] (executor-thread-31) http-outgoing-11 << Content-Length: 29
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.headers] (executor-thread-31) http-outgoing-11 << Connection: keep-alive
keycloak_1  | 2024-08-20 05:56:54,183 DEBUG [org.apache.http.impl.conn.DefaultManagedHttpClientConnection] (executor-thread-31) http-outgoing-11: Close connection
keycloak_1  | 2024-08-20 05:56:54,275 DEBUG [org.apache.http.impl.execchain.MainClientExec] (executor-thread-31) Connection discarded
keycloak_1  | 2024-08-20 05:56:54,276 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (executor-thread-31) Connection released: [id: 11][route: {s}->https://scim.us-east-1.amazonaws.com:443][total available: 0; route allocated: 0 of 2; total allocated: 0 of 20]
keycloak_1  | 2024-08-20 05:56:54,276 WARN  [sh.libre.scim.core.ScimClient] (executor-thread-31) <UnknownOperationException/>
keycloak_1  |
keycloak_1  | 2024-08-20 05:56:54,276 WARN  [sh.libre.scim.core.ScimClient] (executor-thread-31) 404
keycloak_1  | 2024-08-20 05:56:54,276 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (executor-thread-31) Connection manager is shutting down
keycloak_1  | 2024-08-20 05:56:54,276 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (executor-thread-31) Connection manager shut down

Full log attached as a file:
full_drama_group_created_user_create_and_add_to_group_aws_accepts_group_and_user_but_404_to_group_memebership.txt
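One detail worth checking in the wire log above is the request line itself: it reads `/scim/v2Groups/<id>`, with no `/` between the `v2` base segment and the `Groups` resource, whereas a SCIM 2.0 resource endpoint (RFC 7644) has the form `<base>/Groups/{id}`. The script below is an added example, not code from the plugin or from anyone in this thread: it joins a SCIM base URL and resource path without losing or doubling the slash, and scans Apache HttpClient wire-log lines for request paths whose resource segment is not a whole path segment. The sample log is constructed from the request line above (tenant id replaced by the placeholder `TENANT-ID`) plus one constructed well-formed request for contrast.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the wire log in the thread. The first request
# line is the one shown above with the tenant id replaced by a placeholder; the
# third line is a constructed well-formed request added for contrast.
WIRE_LOG = r"""
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "PUT /TENANT-ID/scim/v2Groups/1448c488-a091-7079-c477-93f066c11843 HTTP/1.1[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,084 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 >> "Host: scim.us-east-1.amazonaws.com[\r][\n]"
keycloak_1  | 2024-08-20 05:56:53,900 DEBUG [org.apache.http.wire] (executor-thread-30) http-outgoing-10 >> "PUT /TENANT-ID/scim/v2/Groups/1448c488-a091-7079-c477-93f066c11843 HTTP/1.1[\r][\n]"
keycloak_1  | 2024-08-20 05:56:54,178 DEBUG [org.apache.http.wire] (executor-thread-31) http-outgoing-11 << "HTTP/1.1 404 Not Found[\r][\n]"
"""

# Outgoing request line as logged by org.apache.http.wire: >> "METHOD path HTTP/1.x
REQUEST_LINE = re.compile(r'>> "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]')
# A SCIM 2.0 resource endpoint is <base>/Users[/{id}] or <base>/Groups[/{id}];
# the resource name must be a whole path segment, i.e. preceded by '/'.
RESOURCE_SEGMENT = re.compile(r"(?:^|/)(Users|Groups)(?:/[^/]+)?$")
GLUED_SEGMENT = re.compile(r"[^/](Users|Groups)(?:/|$)")


def build_scim_url(base: str, resource: str, resource_id: Optional[str] = None) -> str:
    """Join base URL and resource path with exactly one '/' between them.
    Plain concatenation of '.../scim/v2' + 'Groups/{id}' yields 'v2Groups/{id}',
    and urllib.parse.urljoin('.../scim/v2', 'Groups/{id}') drops the 'v2'
    segment; normalising the slash explicitly avoids both pitfalls."""
    url = base.rstrip("/") + "/" + resource.strip("/")
    return url + "/" + resource_id if resource_id else url


def check_request_path(path: str) -> Optional[str]:
    """Return a diagnostic for a malformed SCIM resource path, or None if it is fine."""
    if RESOURCE_SEGMENT.search(path):
        return None
    glued = GLUED_SEGMENT.search(path)
    if glued:
        return f"'{glued.group(1)}' is glued to the previous segment (missing '/')"
    return "path does not end in a SCIM Users/Groups resource"


def scan_wire_log(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Extract outgoing request lines from an Apache HttpClient wire log and
    check each request path; returns (method, path, problem-or-None) per request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if m:
            findings.append((m["method"], m["path"], check_request_path(m["path"])))
    return findings


if __name__ == "__main__":
    for method, path, problem in scan_wire_log(WIRE_LOG):
        print(f"{method} {path}: {problem or 'ok'}")
```

Running it on the constructed sample flags the first PUT (glued `v2Groups`) and passes the second; pointing it at the attached full log would show whether every request the plugin sent used the same path shape.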
