Example: Provision Keycloak users or groups with SCIM

更新时间:
复制 MD 格式

Use the System for Cross-domain Identity Management (SCIM) 2.0 protocol to provision users or groups from Keycloak to Cloud SSO.

Prerequisites

  • SCIM-based user provisioning is available for enterprise users who have enabled Cloud SSO.

Scenario overview

This scenario assumes your organization manages users with an on-premises directory service (based on the LDAP protocol) and has set up a multi-account structure in Alibaba Cloud Resource Directory (RD). The goal is to provision users from the on-premises directory to Cloud SSO so they can access specific resources in designated member accounts using single sign-on (SSO) through Keycloak.

To simplify setup, configure SSO first and then use the same application to provision users or groups with SCIM. For more information, see Example: Configure single sign-on between Keycloak and Cloud SSO.

Note

This example demonstrates the plugin's basic functionality, using its free license in a test environment. Alibaba Cloud does not endorse and cannot guarantee the stability of any third-party plugins or extensions.

Step 1: Create a SCIM secret in Cloud SSO

  1. Log on to the Cloud SSO console.

  2. In the left-side navigation pane, click Settings.

  3. On the User Provisioning tab, in the SCIM User Provisioning Configuration section, click Generate New SCIM Credential.

  4. In the SCIM Credential Generated Successfully dialog box, copy and save the SCIM secret, then click OK.

    After the secret is created, SCIM Provisioning is Enabled appears on the SCIM User Provisioning Configuration page. You can also view and copy the SCIM Service Provider Endpoint and manage your secrets — disable or delete existing secrets, or click Generate New SCIM Credential to create a new one.

Step 2: Enable SCIM provisioning in Cloud SSO

  1. Log on to the Cloud SSO console.

  2. In the left-side navigation pane, click Settings.

  3. On the User Provisioning tab, in the SCIM User Provisioning Configuration section, turn on the SCIM provisioning switch.

Step 3: Configure SCIM in Keycloak

  1. Access your Keycloak service and open the SCIM Administration console.

  2. Enable SCIM.

    On the Realm Management > Service Provider > Settings tab, turn on the SCIM Enabled switch. Leave the other settings at their default values: Case Insensitive Validation (off), Is User Federation Provider active (off), Table List Strategy (select User Entity Tables), Use default values on request (on), Use default values on response (on), Ignore missing required attributes on response (on), and Ignore missing required extensions on response (on).

  3. In the left-side navigation pane, select Remote SCIM Provider to configure the provisioning details.

    1. In the Connection Details section, for Base URL, enter the URL from the SCIM Service Provider Endpoint field on the Cloud SSO SCIM configuration page.

      Keep the other settings at their default values: for Table List Strategy, select User Entity Tables. Keep Send local id in requests and Send externalId as id in requests turned off. Set Max Patch Operations to 0, Request Timeout to 10, Socket Timeout to 10, and Connect Timeout to 5. Keep Hostname-Verifier Enabled turned on.

    2. In the Authentication section, for OAuth 2 Bearer Token, enter the SCIM secret from Step 1, then click Add.

      For Authentication Type, select Long Life Bearer Token Authentication.

  4. At the bottom of the page, click Save Configuration.

  5. In the left-side navigation pane, select Remote SCIM Provider to open the Remote SCIM Provider Overview page. Click Edit for the client you created.

  6. On the Remote Provider Detail tab, click Use Default Configuration at the bottom of the tab.

  7. At the top of the page, select the Realm Assignments tab. Find the realm you want to provision and click Assign to Realm in the Actions column.

    To remove an assignment later, click Unassign Realm.

  8. Select the Synchronization tab. Configure the synchronization settings, then click Count local and remote resources followed by Synchronize above resource range to start provisioning.

    Set Start Index (for example, 3), Count (for example, 50), Identifier attribute (select Username), Synchronization Strategy (select Get and (update or create) Strategy), and Maximum Parallel Requests (for example, 0). When provisioning completes, a green success message Synchronization has finished, all users were processed appears. On the Results tab, the Update: Success Messages section shows the number of updated users.

Verify provisioned users and groups

  1. Log on to the Cloud SSO console.

  2. In the user or group list, view the successfully provisioned users or groups.

The Provisioning Method for provisioned users or groups is automatically set to SCIM Provisioning.

For more information, see Basic operations and Basic operations.