| *** | mhen_ is now known as mhen | 01:15 |
|---|---|---|
| IvanVnuko[m] | Hi all, what is the unique_id in the federated property (https://docs.openstack.org/api-ref/identity/v3/#create-user) of a local user good for? I want to create local keystone users which can be authenticated using an external IdP. Can the unique_id be somehow used in the mapping? I would like to use a mapping property other than just the name of the local user. | 04:46 |
| gtema | Ivan Vnučko: it can be only used for federated users and represent the user id in the federated IdP. It is obtained from claim and not through the mapping, while the mapping can specify the claim name from where it gets extracted | 05:16 |
| IvanVnuko[m] | gtema: Thank you. I should clarify my goal: I have user identities in Keycloak. I want to pre-create local users in Keystone with roles, which can be authenticated using Keycloak. For the purpose of creating the user in Keystone I need to provide some reference in the mapping by which Keystone maps the claim to the local user. Are there any other options than the local user name? I thought that unique_id could be used... | 07:38 |
| gtema | you need to fully populate the federated object with the idp_id, protocol_id and unique_id | 07:39 |
| gtema | this is a must and definitely works | 07:39 |
| IvanVnuko[m] | That I did. I use the keycloak uuid of the user as the unique_id in keystone. But how to write the mapping? I can use the OIDC-sub for remote but didn't find info on how to write the local object in the mapping so that the unique_id is used | 07:43 |
| gtema | https://gtema.github.io/posts/keystone-keycloak/part1/#mappingjson can serve you as an example | 07:43 |
| IvanVnuko[m] | Thank you, that is a good example, but can that be used for "type": "local" ? | 07:46 |
| gtema | that's possible, but is not guaranteed to be error prone. There is a different possibility to use keycloak as a direct domain backend (https://github.com/vexxhost/keystone-keycloak-backend) - then users are local and do not need to be synchronized at all, but you still need to set up mapping | 07:48 |
| gtema | both approaches have major pros and cons | 07:49 |
| IvanVnuko[m] | I want to pre-create local keystone users with all roles and "stuff" and use keycloak strictly as IdP. The user is created in keycloak primarily. So when after that I'm creating the local user in keystone, for the mapping of the claim coming from keycloak I need a reference which would relate the claim (authenticated keycloak user) to the local keystone user. In your example the sub (keycloak uuid) is "mapped" to the "id" | 08:02 |
| IvanVnuko[m] | property of the keystone user. I see that it works for ephemeral, as its "id" can be the unique_id provided in the federated property. But I have no control over the "id" of the local user; I suppose I cannot create a local user in keystone with an explicit "id". | 08:02 |
| gtema | no, you can't influence the user.id directly | 08:26 |
| IvanVnuko[m] | Thank you gtema, it seems that for my use case my only option is to create keystone users with a "name" containing some unique id from keycloak (uuid probably) and use the "name" for mapping. | 08:35 |