Realm Level SCIM to IDP Linking and Idempotent User Creation #76
Open
ajishab wants to merge 9 commits into
Removed the step to publish jar to GitHub Packages from the workflow.
- Add identity provider linking functionality to UsersController
- Add scim.link.idp and scim.identity.provider.alias configuration options
- Support IdP linking during user create, update, and patch operations
- Users are automatically linked to the configured IdP when externalId is provided
- Organization users continue to use domain matching via kc.org.domain
- Realm users use explicit IdP alias configuration
- Update README with IdP linking configuration documentation
This reverts commit 0534e2d.
- Create new workflow for publishing developer images
- Triggered only by workflow_dispatch (manual trigger)
- Does not publish jar to GitHub Packages
- Tags images with branch name and dev-<sha> prefix
- Useful for testing and development without affecting releases
- Check if user already exists before creating
- If user exists and email matches, add SCIM_MANAGED role and return existing user
- Allows IdP-created users to be adopted by SCIM without errors
- Prevents duplicate user creation when IdP first broker login runs before SCIM sync
- Check if user already exists before creating in organization context
- If user exists and email matches, add SCIM_MANAGED role and return existing user
- Also adds user to organization if not already a member
- Allows IdP-created users to be adopted by organization SCIM without errors
- Maintains consistency with realm-level user creation behavior
- Document idempotent user creation behavior in README
- Explain common scenarios where users already exist before SCIM runs
- Detail the adoption process with email verification
- Clarify benefits of this approach for IdP and manual user creation
- Add section between IdP linking and SCIM-managed users sections
- RealmScimServer was returning 409 CONFLICT before idempotent logic could run
- This prevented adopting existing IdP-created users into SCIM management
- UsersController already handles idempotent user creation properly
- Remove redundant check to allow controller logic to execute
Hi @ajishab, Thanks for this PR! I created a similar PR based on this one (#79) which focuses solely on linking the IDP user and also includes functional tests. What do you think about merging the other PR first and then updating this one to focus specifically on the idempotent user creation feature? That way, we can keep the changes more focused and easier to manage. Let me know what you think.
Closes #73 #74
This adds identity provider linking at the Realm Level by introducing an attribute to specify the specific IDP alias you want to link with, since the org-level domain lookup doesn't exist at realm level.
This also matches IDP-created users to SCIM if everything matches. This comes in handy because SCIM runs on a schedule, but you can have your IDP create on demand. When a user is added to the app on the IDP they may attempt to log in and get a user created before a SCIM sync. Then when the SCIM sync runs it would error with "user already created". Now it won't error and SCIM will adopt the user.
Also added a dev deploy workflow to publish dev images for testing.
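The create-or-adopt flow and the realm-level IdP link described in this PR, written out as an added example against Keycloak's model API. This is illustrative code, not the project's own UsersController: the `ScimUser` record, `ScimConflictException`, the `SCIM_MANAGED` role name and the way the `scim.identity.provider.alias` value is passed in are assumptions. It adopts an existing account only when the username matches and the email matches after trimming and case-folding; a same-username/different-email account is treated as a conflict rather than silently taken over, and a link to the configured alias is only written when no link exists yet (an existing link with a different external id is also a conflict).

```java
// Added example (not the project's code): idempotent SCIM user creation with
// realm-level IdP linking on the Keycloak model API.
import java.util.Locale;
import java.util.Objects;

import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;

public class IdempotentScimUserCreator {

    // Assumed role name used to mark SCIM-managed users.
    static final String SCIM_MANAGED_ROLE = "SCIM_MANAGED";

    /** Minimal view of the SCIM User resource (assumed shape for this example). */
    public record ScimUser(String userName, String email, String externalId) {}

    /** Existing account cannot safely be adopted; the caller maps this to HTTP 409. */
    public static class ScimConflictException extends RuntimeException {
        public ScimConflictException(String msg) { super(msg); }
    }

    private final KeycloakSession session;
    private final RealmModel realm;
    // Value of scim.identity.provider.alias; null when scim.link.idp is disabled (assumed wiring).
    private final String idpAlias;

    public IdempotentScimUserCreator(KeycloakSession session, RealmModel realm, String idpAlias) {
        this.session = session;
        this.realm = realm;
        this.idpAlias = idpAlias;
    }

    /** Create the user, or adopt a pre-existing one created by first broker login or by hand. */
    public UserModel createOrAdopt(ScimUser scim) {
        UserModel user = session.users().getUserByUsername(realm, scim.userName());
        if (user == null) {
            user = session.users().addUser(realm, scim.userName());
            user.setEnabled(true);
            user.setEmail(scim.email());
        } else if (!sameEmail(user.getEmail(), scim.email())) {
            // Same username but a different mailbox: refuse instead of taking the account over.
            throw new ScimConflictException("user exists with a different email: " + scim.userName());
        }
        grantScimManaged(user);
        linkToIdp(user, scim.externalId());
        return user;
    }

    // Email comparison used for adoption: trimmed and case-folded, never null-equals-null.
    private static boolean sameEmail(String a, String b) {
        if (a == null || b == null) return false;
        return a.trim().toLowerCase(Locale.ROOT).equals(b.trim().toLowerCase(Locale.ROOT));
    }

    // Idempotent: granting an already-held role is skipped on re-sync.
    private void grantScimManaged(UserModel user) {
        RoleModel role = realm.getRole(SCIM_MANAGED_ROLE);
        if (role == null) role = realm.addRole(SCIM_MANAGED_ROLE);
        if (!user.hasRole(role)) user.grantRole(role);
    }

    // Link the user to the configured IdP alias when SCIM supplied an externalId.
    private void linkToIdp(UserModel user, String externalId) {
        if (idpAlias == null || externalId == null || externalId.isBlank()) return;
        if (realm.getIdentityProviderByAlias(idpAlias) == null) {
            throw new IllegalStateException("configured IdP alias not found: " + idpAlias);
        }
        FederatedIdentityModel existing = session.users().getFederatedIdentity(realm, user, idpAlias);
        if (existing != null) {
            if (!Objects.equals(existing.getUserId(), externalId)) {
                throw new ScimConflictException(
                        "user already linked to " + idpAlias + " with a different external id");
            }
            return; // already linked with the same id: nothing to do
        }
        session.users().addFederatedIdentity(realm, user,
                new FederatedIdentityModel(idpAlias, externalId, user.getUsername()));
    }
}
```

The two conflict branches are the part worth keeping when porting this into the real controller: adopting on username alone, or overwriting an existing federated link, would let whichever account was created first claim the SCIM identity. `RealmModel.getIdentityProviderByAlias` is still available but marked deprecated in recent Keycloak releases in favour of the identity-provider storage provider; swap it for that if you target a newer version.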