<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
</head>
<body>
<div dir="ltr"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">Hello,<br>
</div>
<div class="PlainText"><br>
I am the author of the Keycloak Connector.<br>
If all you want to achieve is simply assigning a user to group(s), I think you should be able to accomplish this by setting fetchStrategy to explicit.<br>
<br>
            &lt;attribute&gt;<br>
                &lt;c:ref&gt;ri:groups&lt;/c:ref&gt;<br>
                &lt;fetchStrategy&gt;explicit&lt;/fetchStrategy&gt;<br>
            &lt;/attribute&gt;<br>
<br>
Here is a sample XML configuration:<br>
<a href="https://github.com/openstandia/connector-keycloak/wiki/Example-configuration#complex-example-user-and-group">https://github.com/openstandia/connector-keycloak/wiki/Example-configuration#complex-example-user-and-group</a><br>
<br>
As Pavol mentioned, midPoint hardcodes the value of allowPartialAttributeValues. However, this only applies during the search operation. When synchronization is actually executed, get is called if needed, and it should work correctly.<br>
If it doesn't work as expected, please let me know!<br>
<br>
<br>
Best regards,<br>
<br>
--<br>
Hiroyuki Wada<br>
h2-wada@nri.co.jp<br>
<br>
________________________________________<br>
From: midPoint &lt;midpoint-bounces@lists.evolveum.com&gt; on behalf of Robin Gorris (SFPD) via midPoint &lt;midpoint@lists.evolveum.com&gt;<br>
Sent: January 21, 2025 19:11<br>
To: midpoint@lists.evolveum.com<br>
CC: Robin Gorris (SFPD)<br>
Subject: [midPoint] How to configure ConnId options?<br>
<br>
Hello,<br>
<br>
Is there a way to configure ConnId properties through MidPoint configuration?<br>
<br>
Context: we're evaluating the Keycloak connector from Openstandia, which has been working great.<br>
<br>
When configuring the user-to-group mappings, we need to be able to set the allowPartialAttributeValues value so that the connector doesn't skip retrieving group memberships, as I understand from this bit of code:<br>
<br>
if (allowPartialAttributeValues) {<br>
            // Suppress fetching groups<br>
            LOGGER.ok("[{0}] Suppress fetching groups because return partial attribute values is requested", instanceName);<br>
<br>
            AttributeBuilder ab = new AttributeBuilder();<br>
            ab.setName(ATTR_GROUPS).setAttributeValueCompleteness(AttributeValueCompleteness.INCOMPLETE);<br>
            ab.addValue(Collections.EMPTY_LIST);<br>
            builder.addAttribute(ab.build());<br>
        } else {<br>
            if (attributesToGet == null) {<br>
                // Suppress fetching groups default<br>
                LOGGER.ok("[{0}] Suppress fetching groups because returned by default is true", instanceName);<br>
<br>
            } else if (shouldReturn(attributesToGet, ATTR_GROUPS)) {<br>
                // Fetch groups<br>
                LOGGER.ok("[{0}] Fetching groups because attributes to get is requested", instanceName);<br>
<br>
                List&lt;GroupRepresentation&gt; groups = users(realmName).get(user.getId()).groups();<br>
                builder.addAttribute(ATTR_GROUPS, groups.stream().map(g -> g.getId()).collect(Collectors.toList()));<br>
            }<br>
        }<br>
<br>
The allowPartialAttributeValues variable is a ConnID Operation Option, for which I found the JavaDoc here: <a href="https://connid.tirasa.net/apidocs/1.5/org/identityconnectors/framework/common/objects/OperationOptions.html#OP_ALLOW_PARTIAL_ATTRIBUTE_VALUES">OperationOptions (ConnId 1.5.2.0 API)</a><br>
<br>
The MidPoint version we're using is 4.8.5.<br>
<br>
Regardless of our specific context, it would be good to know if and how ConnId options can be set through MidPoint configuration. I highly appreciate your feedback.<br>
<br>
Kind regards,<br>
<br>
Robin Gorris<br>
<br>
Build & Release<br>
Federale Pensioendienst<br>
<br>
</div>
</span></font></div>
</body>
</html>