Provide ability to add users to keycloak and assign groups/roles prior to the user logging on

[gil0109]

Goal: Add New Hire and required groups/roles prior to their first login

Sample Scenario:

• User is newly hired and needs access to application X on openshift using IDIR/Keycloak
• Application X requires user to be setup with groups/roles first.
• As part of hiring process, we order IDIR via OCIO, receive IDIR ID and add to Keycloak and assign groups prior to new hire logging on.
• Send user the IDIR and tempory IDIR password and have them login into application successfully.

Solution:

Duplicated a copy of first broker login

Added Create User If Unique (BCGOV) and disabled existing "Create User If Unique", by adding execution

Chose "Create User if Unique (BCGOV)

Move up to appropriate place and disable (or delete) the existing "Create User If Unique"

Update IDIR IDP: First Login Flow with new first broker login.

** ensure the following is in the mappers, otherwise add:

Name: idir_guid
Mapper Type: Attribute Importer
Claim: idir_userid
User Attribute Name: idir_user_guid

When creating a new user in keycloak:

1. User name should be in format: "@idir"
2. Add user attribute: idir_user_guid with the value of the IDIR GUID.

To find the guid in powershell:

Get-ADUser -Identity <idirid>

To find the guid in linux, install ldap-utils and type:

ldapsearch -LLL -x -h idir.BCGOV -D "<your idir>" -W -b "OU=BCGOV,DC=idir,DC=BCGOV" '(&(objectCategory=person)(objectClass=user)(sAMAccountName=<idirid>))' bcgovGUID

[idir]

Hey, you highlighted me. How can I help ?

[gil0109]

@idir It must have been a mistake. I apologize.

"User name should be in format: "@idir""

[zsamji]

closed and captured bcgov/sso-keycloak#68

[bruce-wh-li]

ldapsearch -LLL -x -h idir.BCGOV -D "joedoe@idir" -W -b "OU=BCGOV,DC=idir,DC=BCGOV" '(&(objectCategory=person)(objectClass=user)(sAMAccountName=janedoe))' bcgovGUID