Deployment Steps for Keycloak User Federation
Jira Link : https://project-sunbird.atlassian.net/browse/SC-911
Design Doc : Encrypting data stored within keycloak
Note: Take back up of keycloak database.
Steps :
- Checkout https://github.com/project-sunbird/sunbird-auth code and switch to release-1.15 branch and make build.
- Create providers folder inside keycloak
- Copy built jar (i.e.keycloak-email-phone-autthenticator-1.0-SNAPSHOT.jar) to providers folder
- Run the keycloak
- Login to admin console and click User Federation tab on left panel of the screen. As shown in fig.
- Select cassandra-storage-provider from Add provider drop down on the screen , then you will be redirected to screen as shown
- Click save button , It will generate one provider id as shown
- Copy this provider id and save this as env variable ( in learner-service) sunbird_keycloak_user_federation_provider_id , along with sunbird_authorization
sunbird_cassandra_host
sunbird_encryption_key
sunbird_sso_username
sunbird_sso_password
sunbird_sso_url
sunbird_sso_realm
sunbird_sso_client_id
sunbird_cs_base_url - Run below SQL queries on Keycloak database after replacing values for placeholders {PROVIDER_ID} and {realm name} in below query templates. Value of placeholders {PROVIDER_ID} and {realm name} is based on environment variables sunbird_keycloak_user_federation_provider_id and sunbird_sso_realm respectively.
Query Templates
insert into FEDERATED_USER(ID, STORAGE_PROVIDER_ID, REALM_ID)select concat('f:{PROVIDER_ID}:', USER_ENTITY.ID), '{PROVIDER_ID}', '{realm name}' from public.USER_ENTITY; insert into FED_USER_CREDENTIAL(ID, DEVICE, HASH_ITERATIONS, SALT, TYPE, VALUE, CREATED_DATE, COUNTER, DIGITS, PERIOD, ALGORITHM, USER_ID, REALM_ID,STORAGE_PROVIDER_ID) select ID, DEVICE, HASH_ITERATIONS, SALT, TYPE, VALUE, CREATED_DATE, COUNTER, DIGITS, PERIOD, ALGORITHM, concat('f:{PROVIDER_ID}:',USER_ID), '{realm name}', '{PROVIDER_ID}' from CREDENTIAL; insert into FED_USER_REQUIRED_ACTION(REQUIRED_ACTION, USER_ID, REALM_ID, STORAGE_PROVIDER_ID) select REQUIRED_ACTION, concat('f:{PROVIDER_ID}:', USER_ID), '{realm name}', '{PROVIDER_ID}' from USER_REQUIRED_ACTION;
Example:
{PROVIDER_ID} = 5a8a3f2b-3409-42e0-9001-f913bc0fde31
{realm name} = sunbird
insert into FEDERATED_USER(ID, STORAGE_PROVIDER_ID, REALM_ID) select concat('f:5a8a3f2b-3409-42e0-9001-f913bc0fde31:', USER_ENTITY.ID), '5a8a3f2b-3409-42e0-9001-f913bc0fde31', 'sunbird' from public.USER_ENTITY; insert into FED_USER_CREDENTIAL(ID, DEVICE, HASH_ITERATIONS, SALT, TYPE, VALUE, CREATED_DATE, COUNTER, DIGITS, PERIOD, ALGORITHM, USER_ID, REALM_ID,STORAGE_PROVIDER_ID) select ID, DEVICE, HASH_ITERATIONS, SALT, TYPE, VALUE, CREATED_DATE, COUNTER, DIGITS, PERIOD, ALGORITHM, concat('f:5a8a3f2b-3409-42e0-9001-f913bc0fde31:',USER_ID), 'sunbird', '5a8a3f2b-3409-42e0-9001-f913bc0fde31' from CREDENTIAL; insert into FED_USER_REQUIRED_ACTION(REQUIRED_ACTION, USER_ID, REALM_ID, STORAGE_PROVIDER_ID) select REQUIRED_ACTION, concat('f:5a8a3f2b-3409-42e0-9001-f913bc0fde31:', USER_ID), 'sunbird', '5a8a3f2b-3409-42e0-9001-f913bc0fde31' from USER_REQUIRED_ACTION;
10. Run the ETL to delete the user from keycloak. (To be run only in case of Sunbird upgrade)