David Chobotsky
12/06/2022, 11:08 AM
Robert Moucha
12/06/2022, 2:30 PM
oauthIssuerLocation to <https://keycloak.server.com/auth/realms/{your-realm}> and properly configure OAuth2 client in Keycloak, as described in https://www.gooddata.com/developers/cloud-native/doc/cloud/manage-deployment/set-up-authentication/external-oidc/
David Chobotsky
12/07/2022, 7:42 AM
David Chobotsky
12/07/2022, 7:44 AM
David Chobotsky
12/07/2022, 7:48 AM
authenticationId to group.
David Chobotsky
12/07/2022, 7:52 AM
David Chobotsky
12/07/2022, 7:54 AM
Peter Plochan
12/07/2022, 1:24 PM
authenticationId) manually or you can implement your custom provisioning service (e.g. by using SCIM).
• The permissions system is designed in such a way that you can assign a particular permission to either a user or a group. This means:
◦ you can create user groups with particular permissions and start assigning users to these groups
◦ you can assign permissions to individual users, but maintaining per-user permissions is harder than doing it for groups
See more about permissions here.
• The “Invite” action is available only in the GoodData Cloud platform and only in the case when the ManagedOIDC entitlement is enabled.
• The Keycloak must be at least within the same network as the GD.CN, because the GD.CN directly calls IdP endpoints like /openid-configuration that Robert mentioned or the /token endpoint which provides the OAuth2 “access token”.
Hopefully I answered all your questions.
FYI, we are thinking that we will implement the Just-In-Time user provisioning for both GD.CN and Cloud platforms, so stay tuned!
David Chobotsky
12/08/2022, 9:14 AM
Productboard
01/09/2023, 8:20 AM