Create an identity provider in keycloak when adding a tenant to the consortia
Serhii_Nosko February 24, 2025 at 9:39 AM
A new integration with the Keycloak API was added to mod-consortia-keycloak, together with logic to create/delete identity providers, in scope of this PR: https://github.com/folio-org/mod-consortia-keycloak/pull/153 ; looks good.
A separate endpoint to create identity providers was also created in order to support this functionality for an existing consortium that has all tenants set up. Migration of existing users would also be invoked in these endpoints in scope of story https://folio-org.atlassian.net/browse/MODCONSKC-70
Verification screens are attached to the related PR and were demoed; closing this story as Done.
Status: Done
Details
Assignee: Saba Zedginidze
Reporter: Craig McNally
Story Points: 3
Sprint: None
Development Team: Thunderjet
Release: Sunflower (R1 2025)
Created January 24, 2025 at 7:18 PM
Updated February 24, 2025 at 9:39 AM
Resolved February 24, 2025 at 9:39 AM
Purpose: To enable the Central realm to recognize and authenticate users from non-Central (institutional) tenant realms.
Action: When a tenant is added to the Consortium, an Identity Provider must be created in the Keycloak realm representing the Central tenant. This Identity Provider should point to the Keycloak realm that represents the non-Central tenant being added.
Details:
The mod-consortia-keycloak module, responsible for management of the consortia, should automate the creation of Identity Providers in the Central realm whenever a new tenant is added to the Consortium. This setup allows the Central realm to delegate authentication to the appropriate tenant realm based on the user's home institution.
See https://folio-org.atlassian.net/wiki/spaces/FOLIJET/pages/614203451/EUREKA-72+Investigate+options+consortia+UI+bundles#Prerequisites
Scope:
Creation of identity providers in keycloak when tenants are added to consortia
Removal of identity providers when tenants are removed from consortia is out of scope and will be addressed in a separate story
A feature flag (e.g. SINGLE_TENANT_UX=true|false) should enable/disable this functionality, since it is not always applicable. For a consortium that uses either the explicit tenant-selection login flow or always logs into the central tenant, this is not needed.
Acceptance Criteria
When the new feature flag is set to true, identity providers in keycloak are created when tenants are added to consortia
Identity providers should NOT be created when the feature flag is absent (unspecified), or set to false.
This functionality works with the latest version of Keycloak adopted by Folio (26.x as of Jan 24, 2025)
NOTE: It may make sense to use the most recent keycloak client v26.0.4 as of Jan 24, 2025 (See https://www.keycloak.org/2025/01/keycloak-client-2604) from the start here to avoid unnecessary technical debt.
Tests are updated and coverage is 80%+
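As an added illustration (not code from mod-consortia-keycloak or from the PR), this is the Keycloak Admin REST API request the module would issue when a tenant joins the consortium, gated by the SINGLE_TENANT_UX flag exactly as the acceptance criteria state: absent or false means no identity provider is created. The base URL, client id/secret and the recording `FakeAdminApi` stand-in are assumptions; the `keycloak-oidc` provider and its config keys are standard Keycloak.

```python
from dataclasses import dataclass, field


@dataclass
class FakeAdminApi:
    """Assumed stand-in for the Keycloak admin client: records calls instead of sending them."""
    calls: list = field(default_factory=list)

    def post(self, path: str, body: dict) -> None:
        self.calls.append(("POST", path, body))


def single_tenant_ux_enabled(env: dict) -> bool:
    """Only the literal value 'true' enables the feature; absent/unspecified or 'false' disables it."""
    return env.get("SINGLE_TENANT_UX", "").strip().lower() == "true"


def identity_provider_representation(base_url: str, tenant_realm: str,
                                     client_id: str, client_secret: str) -> dict:
    """Build the IdP that lets the Central realm delegate logins to the tenant's own realm."""
    tenant = f"{base_url}/realms/{tenant_realm}"
    return {
        "alias": tenant_realm,                      # one IdP per member tenant
        "displayName": f"{tenant_realm} (consortium member)",
        "providerId": "keycloak-oidc",              # built-in Keycloak-to-Keycloak OIDC broker
        "enabled": True,
        "trustEmail": False,                        # do not auto-link accounts on email alone
        "storeToken": False,                        # no need to persist the tenant realm's tokens
        "config": {                                 # Keycloak expects config values as strings
            "issuer": tenant,
            "authorizationUrl": f"{tenant}/protocol/openid-connect/auth",
            "tokenUrl": f"{tenant}/protocol/openid-connect/token",
            "logoutUrl": f"{tenant}/protocol/openid-connect/logout",
            "jwksUrl": f"{tenant}/protocol/openid-connect/certs",
            "useJwksUrl": "true",
            "validateSignature": "true",            # reject tokens not signed by the tenant realm
            "clientId": client_id,                  # client registered in the tenant realm
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
        },
    }


def on_tenant_added(api, env: dict, base_url: str, central_realm: str,
                    tenant_realm: str, client_id: str, client_secret: str):
    """Hook for 'tenant added to consortium': returns the created IdP, or None when the flag is off."""
    if not single_tenant_ux_enabled(env):
        return None
    rep = identity_provider_representation(base_url, tenant_realm, client_id, client_secret)
    api.post(f"/admin/realms/{central_realm}/identity-provider/instances", rep)
    return rep
```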
Refinement Notes/Considerations
Despite the module name, mod-consortia-keycloak may not yet actually interact directly with Keycloak. Do we need a separate story for this?
The spike write-up indicates that this work is in scope of mgr-tenants, but I think that’s a mistake. I don’t think the tenant manager is aware of consortia membership.
Thunderjet may be able to take this work on.