Management of user IDs that are maintained by an LDAP-based user federation
Entries can be added to the Keycloak list of user records in three ways.
- For LDAP-based user federations, entries are added in either of the following ways:
- They are added when users are synchronized from within the user federation.
- They are added when a user tries to log in with a verified federation ID, and the corresponding federation has the Import Users field set to ON.
- For RACF®-based user federations, entries are added when a user tries to log in before the federation ID is verified.
Management of user IDs in Keycloak
- In the
IzoaKeycloak
security realm, under the Manage section, click Users.If no user federations are defined, all manually created user IDs are automatically shown.
- If one or more user federations are defined, enter a string in the search field.Important: This search looks for user IDs that contain the entered value. A general string can result in a long search time and the retrieval of a large number of matches.
When you enter a search string, Keycloak searches for the following types of user IDs, and it returns any IDs that match the string:
- User IDs that are defined by any LDAP user federations
- User IDs that are manually entered through the Keycloak administrator interface or API
- User IDs that are bulk loaded for RACF LDAP user federations
Tip: If a JSON error occurs during the search, ensure that any LDAP custom filters are formatted correctly and that no email addresses are defined in multiple user federation definitions. - To view information for a user record, click the Username link for the
record.
On the Details tab, a Federation link indicates the user federation with which this user is associated.
When user records are added, they are assigned any groups and roles that are mapped by the
associated user federation, and they are assigned to any default roles and default groups that are
defined in the IzoaKeycloak
security realm. By default, every newly created user ID
in the IzoaKeycloak
realm is assigned to the user
role and the
basic_user
group.
- Any user ID that is used to access the Problem Insights GUI or any of its associated services must be assigned a valid role.
- Group membership can be managed through the Group Membership tab in the user record.
- Role association can be managed through the Role mapping tab in the user record.
Bulk loading a list of IDs in Keycloak
If many user IDs must be defined to Keycloak, and no method exists for automatically loading them through a user federation definition (which is the situation with the racf provider), the user IDs can be loaded by using the seed-ldap command in the dockerManageZoa.sh script.
zoacommon
build:id access-group-name
./bin/dockerManageZoa.sh seed-ldap [force]
When the command runs, it prompts for the full path and name of the user ID list file. Keycloak checks each ID against the defined user federations (in processing order), with the following effect:
- If a federation returns a positive result, a user record is added to Keycloak, the federation is associated with that user record, and the remaining federations are skipped.
- Any groups and roles that are mapped by this federation are assigned to the user record.
- If all federations are processed, and no positive result is returned, an error message is shown, and the user ID is not added to Keycloak.
After the IDs are added to Keycloak, a Keycloak administrator can assign groups and roles to the users by clicking Users under the Manage section.
Because RACF-based user federations that use direct authentication do not access the user data store until a user attempts to log in, the this type of federation is temporarily disabled when loading IDs.
- During bulk loading of RACF user IDs, a positive result is returned for all user IDs that are defined in the ID list file.
- A temporary email address is associated with bulk-loaded RACF user IDs. If an email address field was specified in the RACF user federation, the real address is pulled from RACF the first time that the user ID successfully authenticates.