On Tue, 14 May 2024, Manuel Linsmayer via FreeIPA-users wrote:
> Hello,
> I've connected FreeIPA to Dex and Keycloak, which works fine. However, there are two features I'm missing, which would make life a lot easier:
> - Automatic creation of a user account upon first "login" -- at the moment, the FreeIPA user has to be created upfront, and the "IdP reference" has to be set. If the "preferred username" from the IdP can be the same as the username in FreeIPA, then the FreeIPA account could be provisioned automatically.
> - Evaluation of group memberships from the Userinfo endpoint -- upon every login, group memberships should be adapted. This way, group memberships could be managed in the IdP system.
These questions need to be asked of those IdPs. Depending on how they implement their retrieval of user data from IPA, they probably will need to improve. I suspect you are using something that talks directly to LDAP and thus has a need to create accounts via LDAP with enough privileges to do so. Same for group membership -- somebody has to re-evaluate those group details after a change, and that change on the LDAP side might not be noticed by the IdP.
> Or are there any other features available to "ease" and "streamline" the integration between IdP and FreeIPA?
We are working on a companion project that attempts to create a new backend for Keycloak. It uses SSSD as a backend itself but is able to set things up in such a way that autocreation of users happens automatically through the IPA API.
See https://github.com/freeipa/ipa-tuura/ and FOSDEM 2024's talk for more details.
FOSDEM talk: https://fosdem.org/2024/schedule/event/fosdem-2024-2618-ipa-tuura-freeipa-co...
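As an added illustration of the two requests in the thread (first-login account creation with the IdP reference set, and per-login group reconciliation from the Userinfo claims), the following Python is not code from the thread, from ipa-tuura, or from FreeIPA. It assumes FreeIPA's JSON-RPC request shape (`{"method": ..., "params": [[positional], {options}]}`) and the external-IdP user attributes `ipaidpconfiglink`, `ipaidpsub` and `ipauserauthtype=idp` that FreeIPA added for its own IdP support; the sample userinfo payload is constructed. It only plans the API calls, so the policy (which groups the IdP may touch, what counts as an acceptable uid, refusing to rebind an existing account to a different subject) can be tested offline before anything is wired to a real server.

```python
"""Plan FreeIPA provisioning actions from an OIDC userinfo response.

Added example, not code from the thread, ipa-tuura or FreeIPA.  Assumes
FreeIPA's JSON-RPC request shape and the ipaidpconfiglink / ipaidpsub /
ipauserauthtype user attributes.  Nothing is sent anywhere: the function
returns the requests a login hook would submit.
"""
import re

# Constructed sample userinfo payload (not taken from the thread).
SAMPLE_USERINFO = {
    "sub": "3f1c9b2e-0000-4000-8000-000000000001",
    "preferred_username": "mlinsmayer",
    "given_name": "Manuel",
    "family_name": "Example",
    "email": "mlinsmayer@example.test",
    "groups": ["developers", "admins"],
}

# Only uids the IdP may create: plain lowercase names, no spaces or slashes.
UID_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def plan_provisioning(userinfo, idp_name, existing_user, current_groups, managed_groups):
    """Return the IPA JSON-RPC requests needed to reconcile one login.

    existing_user  -- None, or a dict of the IPA user's attributes
                      (at least 'uid' and 'ipaidpsub')
    current_groups -- groups the IPA user is a member of right now
    managed_groups -- the only groups the IdP is allowed to control;
                      anything else (e.g. 'admins') is never touched
    """
    uid = userinfo["preferred_username"]
    if not UID_RE.match(uid):
        raise ValueError("preferred_username %r is not an acceptable IPA uid" % uid)

    requests = []
    if existing_user is None:
        # First login: create the account and record the IdP reference
        # (idp config link + subject), so later logins can be matched.
        options = {
            "givenname": userinfo["given_name"],
            "sn": userinfo["family_name"],
            "ipauserauthtype": ["idp"],
            "ipaidpconfiglink": idp_name,
            "ipaidpsub": userinfo["sub"],
        }
        if userinfo.get("email"):
            options["mail"] = [userinfo["email"]]
        requests.append({"method": "user_add", "params": [[uid], options]})
    elif existing_user.get("ipaidpsub") != userinfo["sub"]:
        # Same uid but a different IdP subject: refuse rather than silently
        # rebind an existing account to a new identity.
        raise ValueError("uid %r is already bound to a different IdP subject" % uid)

    # Group reconciliation, restricted to the managed set.
    managed = set(managed_groups)
    desired = set(userinfo.get("groups", [])) & managed
    current = set(current_groups) & managed
    for group in sorted(desired - current):
        requests.append({"method": "group_add_member",
                         "params": [[group], {"user": [uid]}]})
    for group in sorted(current - desired):
        requests.append({"method": "group_remove_member",
                         "params": [[group], {"user": [uid]}]})
    return requests


if __name__ == "__main__":
    import json
    plan = plan_provisioning(SAMPLE_USERINFO, "keycloak", None, [],
                             {"developers", "ops"})
    print(json.dumps(plan, indent=2))
```

Note that the sample claims list `admins`, but because `admins` is not in the managed set the plan never emits a call for it; a group-sync hook that blindly mirrors IdP claims into IPA would otherwise let whoever controls the IdP hand out IPA admin rights.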