[midPoint] How to configure ConnId options?

Robin Gorris (SFPD) Robin.GORRIS at sfpd.fgov.be
Tue Jan 28 09:44:00 CET 2025 

Hello,

Thanks for the suggestion, it works now.

Kind regards,

[cid:image001.png at 01DB7169.25DB37B0]<http://www.sfpd.fgov.be/>

Robin Gorris

Build & Release
Federale Pensioendienst

Tel. +32 2 529 28 50<tel:%20+32 2 529 28 50>

[cid:image002.gif at 01DB7169.25DB37B0]<http://www.sfpd.fgov.be/> [cid:image003.gif at 01DB7169.25DB37B0] <http://mypension.be/>  [cid:image004.gif at 01DB7169.25DB37B0] <https://www.facebook.com/Pensioendienst>  [cid:image005.gif at 01DB7169.25DB37B0] <http://ow.ly/1059Df>  [cid:image006.gif at 01DB7169.25DB37B0] <https://twitter.com/Pensioendienst>  [cid:image007.gif at 01DB7169.25DB37B0] <http://ow.ly/1059Nc>  [cid:image008.gif at 01DB7169.25DB37B0] <https://www.youtube.com/channel/UCPhdJMkumaVUWvRiNcDsbzA>  [cid:image009.gif at 01DB7169.25DB37B0] <https://www.google.com/maps/place/Zuidertoren/@50.837610,4.336909,19z>
Denk aan het milieu vooraleer je dit bericht afdrukt!

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of h2-wada via midPoint
Sent: donderdag 23 januari 2025 5:13
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Cc: h2-wada <h2-wada at nri.co.jp>
Subject: Re: [midPoint] How to configure ConnId options?

U ontvangt niet vaak e-mail van midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>. Ontdek waarom dit belangrijk is<https://aka.ms/LearnAboutSenderIdentification>
Hello,

I am the author of the Keycloak Connector.
If all you want to achieve is simply assigning a user to group(s), I think you should be able to accomplish this by setting fetchStrategy to explicit.

            <attribute>
                <c:ref>ri:groups</c:ref>
                <fetchStrategy>explicit</fetchStrategy>
            </attribute>

Here is a sample XML configuration:
https://github.com/openstandia/connector-keycloak/wiki/Example-configuration#complex-example-user-and-group

As Pavol mentioned, midPoint hardcodes the value of allowPartialAttributeValues. However, this only applies during search operation. When synchronization is actually executed, get is called if needed, and it should work correctly.
If it doesn’t work as expected, please let me know!


Best regards,

--
Hiroyuki Wada
h2-wada at nri.co.jp<mailto:h2-wada at nri.co.jp>

________________________________________
差出人: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> が Robin Gorris (SFPD) via midPoint <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>> の代理で送信
送信日時: 2025年1月21日 19:11
宛先: midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>
CC: Robin Gorris (SFPD)
件名: [midPoint] How to configure ConnId options?

Hello,

Is there a way to configure ConnId properties through MidPoint configuration?

Context: we’re evaluating the Keycloak connector from Openstandia, which has been working great.

When configuring the user-to-group mappings, we need to be able to set the allowPartialAttributeValues value so that the connector doesn’t skip retrieving group memberships, as I understand from this bit of code:

if (allowPartialAttributeValues) {
            // Suppress fetching groups
            LOGGER.ok("[{0}] Suppress fetching groups because return partial attribute values is requested", instanceName);

            AttributeBuilder ab = new AttributeBuilder();
            ab.setName(ATTR_GROUPS).setAttributeValueCompleteness(AttributeValueCompleteness.INCOMPLETE);
            ab.addValue(Collections.EMPTY_LIST);
            builder.addAttribute(ab.build());
        } else {
            if (attributesToGet == null) {
                // Suppress fetching groups default
                LOGGER.ok("[{0}] Suppress fetching groups because returned by default is true", instanceName);

            } else if (shouldReturn(attributesToGet, ATTR_GROUPS)) {
                // Fetch groups
                LOGGER.ok("[{0}] Fetching groups because attributes to get is requested", instanceName);

                List<GroupRepresentation> groups = users(realmName).get(user.getId()).groups();
                builder.addAttribute(ATTR_GROUPS, groups.stream().map(g -> g.getId()).collect(Collectors.toList()));
            }
        }

The allowPartialAttributeValues variable is a ConnID Operation Option, for which I found the JavaDoc here: OperationOptions (ConnId 1.5.2.0 API)<https://connid.tirasa.net/apidocs/1.5/org/identityconnectors/framework/common/objects/OperationOptions.html#OP_ALLOW_PARTIAL_ATTRIBUTE_VALUES>

The MidPoint version we’re using is 4.8.5.

Regardless of our specific context, it would be good to know if and how ConnId options can be set through MidPoint configuration. I highly appreciate your feedback.

Kind regards,

[cid:image001.png at 01DB6BF1.F23E4860]<http://www.sfpd.fgov.be/>

Robin Gorris

Build & Release
Federale Pensioendienst

[cid:image002.gif at 01DB6BF1.F23E4860]<http://www.sfpd.fgov.be/> [cid:image003.gif at 01DB6BF1.F23E4860] <http://mypension.be/>  [cid:image004.gif at 01DB6BF1.F23E4860] <https://www.facebook.com/Pensioendienst>  [cid:image005.gif at 01DB6BF1.F23E4860] <http://ow.ly/1059Df>  [cid:image006.gif at 01DB6BF1.F23E4860] <https://twitter.com/Pensioendienst>  [cid:image007.gif at 01DB6BF1.F23E4860] <http://ow.ly/1059Nc>  [cid:image008.gif at 01DB6BF1.F23E4860] <https://www.youtube.com/channel/UCPhdJMkumaVUWvRiNcDsbzA>  [cid:image009.gif at 01DB6BF1.F23E4860] <https://www.google.com/maps/place/Zuidertoren/@50.837610,4.336909,19z>
Denk aan het milieu vooraleer je dit bericht afdrukt!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250128/dd50bc1e/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 2042 bytes
Desc: image001.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250128/dd50bc1e/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.gif
Type: image/gif
Size: 1295 bytes
Desc: image002.gif
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250128/dd50bc1e/attachment-0008.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.gif
Type: image/gif
Size: 1224 bytes
Desc: image003.gif
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250128/dd50bc1e/attachment-0009.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.gif
Type: image/gif
Size: 1456 bytes
Desc: image004.gif
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250128/dd50bc1e/attachment-0010.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.gif
Type: image/gif
Size: 1476 bytes
Desc: image005.gif
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250128/dd50bc1e/attachment-0011.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.gif
Type: image/gif
Size: 1468 bytes
Desc: image006.gif
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250128/dd50bc1e/attachment-0012.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007.gif
Type: image/gif
Size: 1146 bytes
Desc: image007.gif
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250128/dd50bc1e/attachment-0013.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image008.gif
Type: image/gif
Size: 1282 bytes
Desc: image008.gif
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250128/dd50bc1e/attachment-0014.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image009.gif
Type: image/gif
Size: 1465 bytes
Desc: image009.gif
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250128/dd50bc1e/attachment-0015.gif>

More information about the midPoint mailing list