Hi Team, I am trying to setup OIDC (Keycloak) on o...
# gooddata-cn
Hi Team, I am trying to setup OIDC (Keycloak) on out GoodData.CN CE 2.2.0 version, I have all needed oauthClientID and Secret, As documentation says Keycloak is not supported by default and must be whitelisted, What should I do to config this and make it work. Many thanks, David
I'm not aware of any mention of Keycloak not supported in our docs. Keycloak provides discovery document (on https://keycloak.server.com/auth/realms/{your-realm}/.well-known/openid-configuration), so it should work out of the box, if I'm not mistaken. When updating OIDC config for your organization, you need to set
and properly configure Oauth2 client in Keycloak, as described in https://www.gooddata.com/developers/cloud-native/doc/cloud/manage-deployment/set-up-authentication/external-oidc/
Hi @Robert Moucha, yes. Currently I have some users created under internal IP. When I configure external IP keycloak which seems to be correct after PUT request on organization
Screenshot 2022-12-07 at 8.24.52.png
So all existing users in platform are now useless right? We have prepared one test account under keycloak but it was not working until I created that user mapping on
Copy code
to group.
Also I tried to sign in with new google account, and I expect it was created under keycloak but account didnt work until mapping user to group. How this normally works? How the user accounts are provisioned in GD.CN platform and mapped to authId on IP? How is done group mapping for different permissions?
I have seen something with Invite action which is not available for me yet. Does that do automatic user provisioning in system? How can you configure it? Many thanks, David.
Hi @David Chobotsky, • Users cannot be automatically provisioned to GD.CN now. You have to setup each user (with its corresponding
) manually or you can implement your custom provisioning service (e.g. by using SCIM). • The permissions system is designed in the way that you can assign particular permission to either a user or a group. This means: ◦ you can create user groups with particular permissions and start assigning users to these groups ◦ you can assign permissions to individual users, but maintaining per-user permissions is harder than doing it for groups See more about permissions here. • The “Invite” action is available only in the GoodData Cloud platform and only in the case when the
entitlement is enabled. • The Keycloak must be at least within the same network as the GD.CN, because the GD.CN directly calls IdP endpoints like
that Robert mentioned or the
endpoint which provides the OAuth2 “access token”. Hopefully I answered all your questions. FYI, we are thinking that we will implement the Just-In-Time user provisioning for both GD.CN and Cloud platforms, so stay tuned!
many thanks I will read it and review all info in docs
🎉 New note created.