SCIM support #105

Open
xgp opened this issue Jun 29, 2023 · 3 comments

Comments

@xgp
Member

xgp commented Jun 29, 2023

  • Need to have an Admin API for creating new providers (true for both types – like we do IdPs)
  • Auth is bearer token - we’ll have to persist this or generate long-lived for org admin user
  • What other configuration do we need to persist?
  • Events/Webhooks must be fired on data change events

Users

  • Schema can be built based on the declarative user profile

Groups

  • Do we need to represent nested Groups, or just flat?
  • Do we need to attach the roles to Groups?
  • How do we allow Groups CRUD while associating with an org?

start https://github.com/xgp/keycloak-scim

@xgp xgp added the enhancement New feature or request label Jun 29, 2023
@xgp xgp self-assigned this Sep 26, 2023
@lsmith77

lsmith77 commented Apr 9, 2024

Is there an ETA for this? How much effort do you expect this will be?

@xgp
Member Author

xgp commented Apr 9, 2024

There is no ETA. We have completed a prototype validating that our approach (using User Federation provider as the means of configuring the SCIM server) is viable, but we have not prepared that extension for release. Making it also available for organizations requires a strategy for filtering User CRUD that has not yet been designed. If we have more customer interest, we'll prioritize this higher.

@lsmith77

lsmith77 commented Apr 9, 2024

OK, thank you for the update. We have such an integration implemented in PHP in our current bespoke OAuth solution. We will evaluate if we will update it to work with Keycloak/P2 or we might collaborate on getting this done inside P2.
