Create an identity provider in Keycloak when adding a tenant to a consortium

Description

Purpose: To enable the Central realm to recognize and authenticate users from non-Central (institutional) tenant realms.

  • Action: When a tenant is added to the Consortium, an Identity Provider must be created in the Keycloak realm representing the Central tenant. This Identity Provider should point to the Keycloak realm that represents the non-Central tenant being added.

  • Details:

    • The mod-consortia-keycloak module, responsible for management of the consortia, should automate the creation of Identity Providers in the Central realm whenever a new tenant is added to the Consortium.

    • This setup allows the Central realm to delegate authentication to the appropriate tenant realm based on the user's home institution.

See

Scope:

  • Creation of identity providers in Keycloak when tenants are added to consortia

  • Removal of identity providers when tenants are removed from consortia is out of scope and will be addressed in a separate story

  • A feature flag (e.g. SINGLE_TENANT_UX=true|false) should enable/disable this functionality, since it is not always applicable. For consortia that use the explicit tenant selection login flow, or that always log into the Central tenant, this is not needed.

Acceptance Criteria

  • When the new feature flag is set to true, identity providers in Keycloak are created when tenants are added to consortia

  • Identity providers should NOT be created when the feature flag is absent (unspecified), or set to false.

  • This functionality works with the latest version of Keycloak adopted by FOLIO (26.x as of )

    • NOTE: It may make sense to use the most recent Keycloak client, v26.0.4 as of (See ), from the start here to avoid unnecessary technical debt.

  • Tests are updated and coverage is 80%+
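The following is an added example, not code from mod-consortia-keycloak, showing the shape of the work described above: gating on the SINGLE_TENANT_UX flag exactly as the acceptance criteria require (absent or false means no identity provider is created), and building an OIDC IdentityProviderRepresentation in the Central realm that points at the standard OpenID Connect endpoints of the tenant realm. The Keycloak Admin REST path (`/admin/realms/{realm}/identity-provider/instances`) and the OIDC endpoint paths are Keycloak's own; everything else (the alias equal to the tenant realm name, the `central-broker` client id, the secret, the realm names, the in-memory `FakeKeycloakAdmin`) is an assumption constructed for the example. The OIDC client in the tenant realm that the broker authenticates with is assumed to exist already.

```python
"""Added example (not mod-consortia-keycloak code): register an OIDC identity
provider in the Central realm that delegates login to a tenant realm, only when
the SINGLE_TENANT_UX feature flag is explicitly "true"."""

FEATURE_FLAG = "SINGLE_TENANT_UX"  # flag name taken from the story


def feature_enabled(env: dict) -> bool:
    """Absent, empty or anything other than 'true' (case-insensitive) is disabled."""
    return env.get(FEATURE_FLAG, "").strip().lower() == "true"


def build_identity_provider(keycloak_url: str, tenant_realm: str,
                            client_id: str, client_secret: str) -> dict:
    """IdentityProviderRepresentation for an OIDC broker pointing at the tenant
    realm's standard OpenID Connect endpoints (paths are Keycloak's defaults)."""
    base = keycloak_url.rstrip("/")
    oidc = f"{base}/realms/{tenant_realm}/protocol/openid-connect"
    return {
        "alias": tenant_realm,  # assumption: alias equals the tenant realm name
        "displayName": f"{tenant_realm} tenant",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,
        "storeToken": False,
        "firstBrokerLoginFlowAlias": "first broker login",
        "config": {
            "issuer": f"{base}/realms/{tenant_realm}",
            "authorizationUrl": f"{oidc}/auth",
            "tokenUrl": f"{oidc}/token",
            "userInfoUrl": f"{oidc}/userinfo",
            "logoutUrl": f"{oidc}/logout",
            "jwksUrl": f"{oidc}/certs",
            "useJwksUrl": "true",        # verify tokens against the tenant realm keys
            "validateSignature": "true",
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            "syncMode": "IMPORT",
        },
    }


def ensure_identity_provider(env: dict, keycloak_url: str, central_realm: str,
                             tenant_realm: str, client_id: str, client_secret: str,
                             get_status, post) -> str:
    """Idempotently create the IdP; returns 'skipped', 'exists' or 'created'.
    get_status(url) -> int and post(url, body) -> int are injected so the logic
    can run without a live Keycloak (pass authenticated HTTP calls in production)."""
    if not feature_enabled(env):
        return "skipped"
    instances = (f"{keycloak_url.rstrip('/')}/admin/realms/{central_realm}"
                 "/identity-provider/instances")
    if get_status(f"{instances}/{tenant_realm}") == 200:
        return "exists"
    body = build_identity_provider(keycloak_url, tenant_realm, client_id, client_secret)
    status = post(instances, body)
    if status != 201:  # Keycloak answers 201 Created on success
        raise RuntimeError(f"identity provider creation failed: HTTP {status}")
    return "created"


class FakeKeycloakAdmin:
    """Constructed in-memory stand-in that records registrations, for offline runs."""

    def __init__(self):
        self.created = {}

    def get_status(self, url: str) -> int:
        return 200 if url.rsplit("/", 1)[1] in self.created else 404

    def post(self, url: str, body: dict) -> int:
        self.created[body["alias"]] = body
        return 201


def demo():
    """Walk through the acceptance criteria: flag absent, false, true, then repeat."""
    kc = FakeKeycloakAdmin()
    args = dict(keycloak_url="https://keycloak.example.org", central_realm="central",
                tenant_realm="university-a", client_id="central-broker",
                client_secret="<constructed-secret>",
                get_status=kc.get_status, post=kc.post)
    results = [
        ensure_identity_provider({}, **args),                        # flag absent
        ensure_identity_provider({FEATURE_FLAG: "false"}, **args),   # flag false
        ensure_identity_provider({FEATURE_FLAG: "true"}, **args),    # flag true
        ensure_identity_provider({FEATURE_FLAG: "true"}, **args),    # already exists
    ]
    return results, kc.created


if __name__ == "__main__":
    print(demo()[0])
```

In a real module the `get_status` and `post` arguments would wrap authenticated Admin API calls (for example `requests.get`/`requests.post` with a bearer token obtained from the Central realm's admin client), and `env` would be `os.environ`. Keeping the existence check before the POST makes re-running tenant onboarding safe, which matters for the follow-up work on existing consortia where all tenants are already set up.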


Refinement Notes/Considerations

  • Despite the module name, mod-consortia-keycloak may not yet actually interact directly with Keycloak. Do we need a separate story for this?

  • The spike write-up indicates that this work is in scope of mgr-tenants, but I think that’s a mistake. I don’t think the tenant manager is aware of consortia membership.

  • Thunderjet may be able to take this work on.

Environment

None

Potential Workaround

None

Checklist


Activity


Serhii_Nosko February 24, 2025 at 9:39 AM

A new integration with the Keycloak API was added to mod-consortia-keycloak, together with logic to create/delete identity providers, in scope of this PR: https://github.com/folio-org/mod-consortia-keycloak/pull/153 ; looks good.

A separate endpoint to create identity providers was also created in order to support this functionality for existing consortia that have all tenants set up. Migration of existing users would also be invoked through these endpoints in scope of story

Verification screens are attached to the related PR and were demoed; closing this story as Done.

Done

Details

Development Team: Thunderjet

Release: Sunflower (R1 2025)

Created January 24, 2025 at 7:18 PM
Updated February 24, 2025 at 9:39 AM
Resolved February 24, 2025 at 9:39 AM