Keycloak and AWS IAM Identity Center SCIM integration


Walter Goulet

Feb 8, 2024, 12:28:45 AM
to Keycloak Dev
Hi all,

After doing some research I found that there was no out-of-the-box support for provisioning Keycloak users and groups to AWS. I've created a small project to address this need and I'd appreciate a few beta testers. This project implements an EventListener SPI to forward admin events for user/group creation/update/deletes to a Python program that implements an AWS IAM Identity Center SCIM client.

I'd love to get some feedback from the community on my approach here; I plan on blogging about this later after I get some initial feedback.

The project homepage is https://github.com/wgoulet/scim-keycloak-bridge; as noted above it is currently a beta release.

Thanks!
Walter

Stephen Morris

Feb 12, 2024, 7:23:42 AM
to Walter Goulet, Keycloak Dev
Hi Walter,
Looks like an interesting and useful project.

Will it include any automatic role setup in AWS for the new users being forwarded from Keycloak?
Best wishes
Stephen


Walter Goulet

Feb 12, 2024, 9:27:52 AM
to Keycloak Dev
Hi Stephen,

Thanks for the feedback; I'm pretty excited to see community interest in this project! As for role setup, initially I was not thinking that role setup would be included, as in my experience AWS admins usually use tools like Terraform to set up SSO permission sets and IAM policies to link to users/groups (basically treating entitlement management as a separate work stream from the user/group lifecycle management).

However, I think that this could easily be achieved by adding support for event hooks to the SCIM client so that it can invoke additional commands (perhaps Terraform plans?) that will apply SSO permission sets to users/groups right after they are provisioned. I'll look into this.

Thanks again!
Walter

Walter Goulet

Feb 12, 2024, 11:41:22 PM
to Keycloak Dev
Hi Stephen,

I added some basic functionality to invoke an event hook when users are provisioned to AWS that allows you to set an AWS permission set right after a provisioning operation is completed. Feel free to take a look and let me know what you think of this approach! It's pretty basic in my example (a user attribute value is used to figure out which AWS permission set to map to a user). However, I think the framework I have can easily be extended to perform more extensive evaluation of which permission sets to apply based on other criteria.

Thanks,
Walter
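
The flow described in this thread, as an added illustration that is not code from the scim-keycloak-bridge project: a Keycloak admin event for a user is turned into a SCIM 2.0 User payload for the IAM Identity Center SCIM endpoint, and a post-provisioning hook reads a user attribute to choose a permission set. The event dict, the attribute name `awsPermissionSet`, the allow-list and the injected `send` transport are assumptions for the example; no network calls are made.

```python
"""Sketch of the bridge: Keycloak admin event -> SCIM User -> permission-set hook.
All sample data below is constructed for the example."""
import json

# Constructed sample of what an EventListener SPI forwards for a user CREATE.
# Keycloak admin events carry operationType, resourceType and a JSON
# representation string; the hypothetical 'awsPermissionSet' attribute drives the hook.
SAMPLE_EVENT = {
    "operationType": "CREATE",
    "resourceType": "USER",
    "representation": json.dumps({
        "username": "jdoe", "email": "jdoe@example.com",
        "firstName": "Jane", "lastName": "Doe",
        "attributes": {"awsPermissionSet": ["ReadOnlyAccess"]},
    }),
}

# Assumed allow-list: the hook may only assign permission sets named here, so a
# user attribute cannot name an arbitrary (e.g. more privileged) permission set.
ALLOWED_PERMISSION_SETS = {"ReadOnlyAccess", "DeveloperAccess"}


def to_scim_user(event):
    """Build a SCIM 2.0 core User resource from the event's representation."""
    rep = json.loads(event["representation"])
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": rep["username"],
        "name": {"givenName": rep["firstName"], "familyName": rep["lastName"]},
        "emails": [{"value": rep["email"], "primary": True}],
        "active": True,
    }


def permission_set_hook(event):
    """Post-provisioning hook: return the permission set named by the user
    attribute, or None if it is missing or not on the allow-list."""
    rep = json.loads(event["representation"])
    values = rep.get("attributes", {}).get("awsPermissionSet", [])
    chosen = values[0] if values else None
    return chosen if chosen in ALLOWED_PERMISSION_SETS else None


def handle_event(event, send):
    """Forward user CREATE/UPDATE events via `send` (a real client would PUT/POST
    to the SCIM endpoint with its bearer token), then run the hook."""
    if event["resourceType"] != "USER" or event["operationType"] not in ("CREATE", "UPDATE"):
        return None  # deletes and non-user resources are out of scope for this sketch
    send(to_scim_user(event))
    return permission_set_hook(event)
```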

Stephen Morris

Feb 14, 2024, 2:32:09 PM
to Walter Goulet, Keycloak Dev
Sounds good, Walter.
Just a thought: Rather than automatically creating the AWS resources, would it be an idea to have some sort of user decision, e.g., an email to an admin user? Or some sort of basic workflow?
Best wishes
Stephen

Walter Goulet

Feb 16, 2024, 7:31:04 AM
to Keycloak Dev
Hi Stephen,

What you are describing is a typical governance capability, where end users request access to resources and a configurable workflow is fired off to grant them access based on approvals and other conditions. I think that capability is probably beyond the scope of this particular project I had in mind (but it is an interesting project on its own). With the event hook support I added, it certainly would be possible to fire off other scripts when attributes are added to users to assign them AWS access, but I don't plan on adding it directly to this SCIM integration.

Thanks!
Walter