[midPoint] How to configure ConnId options?

h2-wada h2-wada at nri.co.jp
Thu Jan 23 05:13:01 CET 2025


Hello,

I am the author of the Keycloak Connector.
If all you want to achieve is simply assigning a user to group(s), I think you should be able to accomplish this by setting fetchStrategy to explicit.

            <attribute>
                <c:ref>ri:groups</c:ref>
                <fetchStrategy>explicit</fetchStrategy>
            </attribute>

Here is a sample XML configuration:
https://github.com/openstandia/connector-keycloak/wiki/Example-configuration#complex-example-user-and-group

As Pavol mentioned, midPoint hardcodes the value of allowPartialAttributeValues. However, this only applies during the search operation. When synchronization is actually executed, get is called if needed, and it should work correctly.
If it doesn’t work as expected, please let me know!


Best regards,

--
Hiroyuki Wada
h2-wada at nri.co.jp

________________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Robin Gorris (SFPD) via midPoint <midpoint at lists.evolveum.com>
Sent: January 21, 2025 19:11
To: midpoint at lists.evolveum.com
CC: Robin Gorris (SFPD)
Subject: [midPoint] How to configure ConnId options?

Hello,

Is there a way to configure ConnId properties through MidPoint configuration?

Context: we’re evaluating the Keycloak connector from Openstandia, which has been working great.

When configuring the user-to-group mappings, we need to be able to set the allowPartialAttributeValues value so that the connector doesn’t skip retrieving group memberships, as I understand from this bit of code:

        if (allowPartialAttributeValues) {
            // Suppress fetching groups
            LOGGER.ok("[{0}] Suppress fetching groups because return partial attribute values is requested", instanceName);

            AttributeBuilder ab = new AttributeBuilder();
            ab.setName(ATTR_GROUPS).setAttributeValueCompleteness(AttributeValueCompleteness.INCOMPLETE);
            ab.addValue(Collections.EMPTY_LIST);
            builder.addAttribute(ab.build());
        } else {
            if (attributesToGet == null) {
                // Suppress fetching groups default
                LOGGER.ok("[{0}] Suppress fetching groups because returned by default is true", instanceName);

            } else if (shouldReturn(attributesToGet, ATTR_GROUPS)) {
                // Fetch groups
                LOGGER.ok("[{0}] Fetching groups because attributes to get is requested", instanceName);

                List<GroupRepresentation> groups = users(realmName).get(user.getId()).groups();
                builder.addAttribute(ATTR_GROUPS, groups.stream().map(g -> g.getId()).collect(Collectors.toList()));
            }
        }

The allowPartialAttributeValues variable is a ConnID Operation Option, for which I found the JavaDoc here: OperationOptions (ConnId 1.5.2.0 API)<https://connid.tirasa.net/apidocs/1.5/org/identityconnectors/framework/common/objects/OperationOptions.html#OP_ALLOW_PARTIAL_ATTRIBUTE_VALUES>

The MidPoint version we’re using is 4.8.5.

Regardless of our specific context, it would be good to know if and how ConnId options can be set through MidPoint configuration. I highly appreciate your feedback.

Kind regards,

Robin Gorris

Build & Release
Federale Pensioendienst

