How can I get my Keycloak Database updated with Groups coming from AD? - active-directory

We are connecting our Keycloak server to AD and it’s configured so changes in AD get stored in Keycloak’s Database. The final goal is to have our Application’s DB synchronised and we are succeeding so far, except for the User Group Memberships.
Here is what we have tried so far:
A Group Mapper has been created, connecting it to AD. We have tried with the 3 available modes: LDAP_ONLY, READ_ONLY and IMPORT with no success in any case.
When we add or remove a Group from a user in AD (with no other change) and in User Federation we sync for “changed users”, Group changes are not detected at all (Sync of users finished successfully. 0 users added, 0 users updated, 0 users removed, 0 users failed.).
We have created a custom Event Listener. When syncing, no normal Event is dispatched. An Admin Event is dispatched, but no info about the User nor about the Group comes with the Event (only info about the Realm).
A custom implementation of LDAPStorageMapper has been done. None of the methods are executed when syncing and only Group changes were done in AD (I would expect at least syncDataFromFederationProviderToKeycloak to be executed).
Keycloak Tables USER_GROUP_MEMBERSHIP and FED_USER_GROUP_MEMBERSHIP are empty. Even after trying with the aforementioned Modes LDAP_ONLY, READ_ONLY and IMPORT.
When going to User Details in Keycloak, tab Groups:
With mode LDAP_ONLY no need for sync. The Groups show up there updated before synching.
With mode IMPORT. No Group is shown, neither before nor after synching.
With mode READ_ONLY. Groups are shown, but for them to be updated a "changed users" sync needs to be done.
When getting the user from Keycloak's REST API attribute modifyTimestamp stays unchanged, even after trying all previous steps.
All we need is to find out which users were changed since last sync so we can update their Groups. Any tip on that? Am I missing any table, event, configuration… for that?
Any help is greatly appreciated.

Related

AAD "manager" attribute do not sync from AD

I have a hybrid AD and AAD environment. We use Azure AD to provision users and attributes to one of our SaaS solutions. One of those is the "manager" attribute. The problem is that once the manager value has been set once, it does not update. And since the users are synced from on-prem, the manager field is in "read only" mode and there is no way for me to update it.
When I change the value on one of my users and run a sync to Azure AD I can see that there is 1 change in the export attribute flow and updates in the Delta Import. But in AAD the old value persists.
I ran the Sync troubleshooter and checked for sync issues in AAD, but there are no indicated errors. Everything else seems to work and sync as intended. Anyone know if there is anything special with "manager"? Any help would be appreciated.

Site guest user cannot run Get Record element

In my site the guest users have access to the flow and they are able to run the flow and even create records. When the flow tries to find the created record, the following error occurs:
Because Get_Record is passed to an action, subflow, or Lightning component, store the values of all Request_for_ChemTox__c fields that the running user has access to.
I gave access to every field for that user and still keep getting this error.
Any ideas?
It's probably not field level security (~table columns) but whole record's security (~table rows).
Check your site/community/experience settings as described in this article: https://help.salesforce.com/s/articleView?id=000352970&type=1. If there's something set - the ownership of created record is immediately transferred over to that internal user and guest loses visibility. It sucks but it's there to protect you, makes sure that if you have for example Leads or Cases submitted by guest users - they immediately "disappear", guest/hacker can't report on them, experiment with IDs in the url to learn other people's data...
You can check Setup -> Sharing Settings for this object and create a new sharing rule. (I can't upload an image right now, but start making a new sharing rule with step 2 "rule type = Guest user access, based on criteria".)
https://help.salesforce.com/s/articleView?id=sf.networks_guest_record_default_owner_best_practices.htm&type=5 has some good tips too:
If you’d like to create a different experience for guest users, use flows in System Mode to redirect guest users to a different custom screen after they create a record

Azure AD Enterprise application role change doesn't trigger provisioning update for Zoom or DocuSign

I've set up Zoom and DocuSign with SSO and Automatic provisioning in Azure AD Enterprise Applications. Just in Time provisioning works as expected after ensuring roles are correctly mapped. Automatic provisioning however only appears to add users the first time it runs. If I add an application user, change a user's Application Role, or Remove the user from the application nothing happens on the next provisioning run. I would expect the user to be added, the user's permissions to be updated at Zoom or DocuSign, or for the user to be disabled.
Documentation seems to show that updates and deletes should be handled through provisioning. What am I missing?
Second question is whether the timing of how often provisioning job runs can be changed. It is time consuming to test when I have to wait 40 minutes between tests.
Updates and deletes are handled if they are configured to be. https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/configure-automatic-user-provisioning-portal#configuring-automatic-user-account-provisioning
In the screenshot, you'll see there are actions that it can target: create, update, delete. As a test, you should make sure the target actions are all selected and try to change a different attribute, say add some characters to a name or something. It should trigger an update to the provider.
I believe changes to the User itself will trigger the provisioning changes.
The issue here is likely that app roles are specific to applications; they are not user or group attributes, so nothing has actually changed on that user object and it wouldn't detect any changes.
As per: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#incremental-cycles
it will "Query the source system for any users and groups that were updated since the last watermark was stored."
If I take that literally, then changing the app role isn't a change to a user or a group, so it won't trigger a delta sync change.
Deletes, however, should occur if you unassign the user from the application, as per here: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#de-provisioning
As for your second question, I don't believe you can change the interval for the incremental schedules.

Trigger based on addition of User in Azure AD

I am looking for a mechanism to identify the users who are added in a specific group and trigger an action based on user addition event. Looks like people are still waiting for it to be available from Azure. The details could be found here
The solution that I am thinking of at the moment is to have an Azure task/Function that goes through the audit logs, detects the "user added" event and then triggers an action.
Is there any other better method?
You could integrate Azure AD logs with Azure Monitor logs, send the Azure AD AuditLogs to the Log Analytics workspace, then alert on Azure AD activity log data. The query could be something like this (just a sample; I have not tested it, because there is some delay and the log will not be sent to the workspace immediately when the event happens):
AuditLogs
| where TimeGenerated >= ago(1h)
| where OperationName == "Add member to group"
You could set the alert logic depending on your own requirement, e.g. "Whenever count of results in Custom log search log query for last 1 hour is greater than 0. Evaluated every 10 minutes.", and configure the action group, selecting the action type you want, like Email or webhook.
A better way would be to trigger an automation runbook based on an alert based on a condition specific to that audit event. But I'm not sure adding a user is an audit event at the Azure level; it is probably an Azure AD event. I don't think Azure AD offers events based on that.
So you'd have to basically parse the events and figure out where you stopped last time, based on time or something like that.
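The "figure out where you stopped last time" step from the two answers above, written out as an added example (this is not code from either answer). It keeps a watermark plus the set of record Ids already handled, because the ingestion delay the first answer mentions means a record can arrive after a later one: the query window deliberately overlaps the watermark and the Id set discards what the overlap re-reads. The record shape (Id, OperationName, TimeGenerated, TargetResources with type/userPrincipalName/displayName) is a constructed simplification of the AuditLogs table and should be checked against your workspace; the sample rows and the state path are constructed.

```powershell
# Added example: incremental processing of Azure AD AuditLogs records with a
# watermark and a de-duplication set. Record shape is an assumption (see lead-in).

function Get-NewGroupAddEvents {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [datetime] $Watermark,   # newest TimeGenerated handled so far (UTC)
        [Parameter(Mandatory)] [System.Collections.Generic.HashSet[string]] $Seen,
        [int] $OverlapMinutes = 15                      # re-read window to absorb ingestion delay
    )
    $since = $Watermark.AddMinutes(-$OverlapMinutes)
    foreach ($r in $Records) {
        if ($r.OperationName -ne 'Add member to group') { continue }
        $ts = ([datetime]$r.TimeGenerated).ToUniversalTime()
        if ($ts -le $since) { continue }
        if (-not $Seen.Add([string]$r.Id)) { continue }     # Add() returns $false for a duplicate
        $user  = @($r.TargetResources | Where-Object type -eq 'User')[0]
        $group = @($r.TargetResources | Where-Object type -eq 'Group')[0]
        [pscustomobject]@{ Id = $r.Id; Time = $ts; User = $user.userPrincipalName; Group = $group.displayName }
    }
}

function Invoke-GroupAddWatch {
    param([Parameter(Mandatory)] [object[]] $Records, [Parameter(Mandatory)] [string] $StatePath)
    $state     = if (Test-Path $StatePath) { Get-Content $StatePath -Raw | ConvertFrom-Json } else { $null }
    $watermark = if ($state) { ([datetime]$state.Watermark).ToUniversalTime() } else { [datetime]'2000-01-01' }
    $seen      = [System.Collections.Generic.HashSet[string]]::new()
    if ($state) { foreach ($id in @($state.Seen)) { [void]$seen.Add([string]$id) } }

    $new = @(Get-NewGroupAddEvents -Records $Records -Watermark $watermark -Seen $seen)
    if ($new.Count -gt 0) { $watermark = ($new | Sort-Object Time -Descending)[0].Time }

    # Persist only the Ids still inside the overlap window; older ones can never be re-read.
    $keep = @($Records |
        Where-Object { ([datetime]$_.TimeGenerated).ToUniversalTime() -gt $watermark.AddMinutes(-15) } |
        ForEach-Object { [string]$_.Id } |
        Where-Object { $seen.Contains($_) })
    [pscustomobject]@{ Watermark = $watermark.ToString('o'); Seen = $keep } |
        ConvertTo-Json | Set-Content $StatePath
    return $new
}

# Constructed sample rows. Running this twice against the same state file reports
# the group add once: the second run finds r1 already in the Seen set.
$sample = @(
    [pscustomobject]@{ Id = 'r1'; OperationName = 'Add member to group'; TimeGenerated = '2024-05-01T10:00:00Z'
        TargetResources = @(
            [pscustomobject]@{ type = 'User';  userPrincipalName = 'alice@contoso.example' },
            [pscustomobject]@{ type = 'Group'; displayName = 'Finance-Admins' }) },
    [pscustomobject]@{ Id = 'r2'; OperationName = 'Update user'; TimeGenerated = '2024-05-01T10:05:00Z'
        TargetResources = @() }
)
Invoke-GroupAddWatch -Records $sample -StatePath "$env:TEMP\groupadd-state.json" | Format-Table
```

In production the `$Records` input would be the rows returned by the KQL query above (via the Log Analytics query API or an alert payload) rather than the constructed array, and the returned objects are what you hand to the runbook or webhook.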

Notification when display name of existing AD record is changed

We have several external systems that work off the Display Name value in Active Directory. When a new account in AD is created, corresponding accounts in other applications are automatically created. When someone changes the display name of an existing user, the login for that user is no longer valid in other systems.
Is there a way to get an email notification or similar whenever the display name for an existing record is changed in AD?
If you have access to your domain controllers
Active Directory has certain "audit policies" that describe what it generates events for (in the Windows Event Viewer on each domain controller). Each can be turned on or off. The "Account Management" audit policy would generate events for changes to accounts. I believe the event contains the attributes changed. You can read more about those policies here.
If that policy is enabled in your environment, and you have access to the domain controllers, you could setup scheduled tasks on each domain controller with event-based triggers that fires when event ID 4738 happens (event IDs are listed here).
The scheduled task can then run a script that can do whatever you want it to. There are instructions here on how to run a PowerShell script on an event and to get the event that triggered it in the script.
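An added example of the script such a scheduled task could run (this is not code from the answer above). Event 4738 ("A user account was changed") lists every account attribute it tracks and writes "-" for the ones that were not modified, so a changed display name is exactly the case where the DisplayName field carries a real value; the script parses the event XML by field name rather than by position for that reason. The sample event is constructed and abridged, and the SMTP settings and the DISPLAYNAME_WATCH_LIVE guard variable are placeholders.

```powershell
# Added example: parse Security event 4738 and report only display-name changes.
# Sample event below is constructed; mail settings are placeholders.

function Get-DisplayNameChange {
    param([Parameter(Mandatory)] [string] $EventXml)   # output of $event.ToXml()
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    # "-" means the attribute was not part of the change.
    if (-not $data.ContainsKey('DisplayName') -or $data['DisplayName'] -eq '-') { return $null }
    [pscustomobject]@{
        Time      = $xml.Event.System.TimeCreated.SystemTime
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        NewName   = $data['DisplayName']
        ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        DC        = $xml.Event.System.Computer
    }
}

# Constructed, abridged 4738 event in which only DisplayName was modified.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4738</EventID><TimeCreated SystemTime="2024-05-01T10:00:00.000Z"/><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="Dummy">-</Data><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">helpdesk1</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SamAccountName">-</Data><Data Name="DisplayName">Doe, Jane</Data><Data Name="UserPrincipalName">-</Data>
  </EventData>
</Event>
'@
Get-DisplayNameChange -EventXml $sampleXml   # reports CORP\jdoe renamed to "Doe, Jane" by CORP\helpdesk1

# Live path for the scheduled task: the event trigger guarantees at least one recent
# 4738, so read the last few minutes and mail every one that touched the display name.
if ($env:DISPLAYNAME_WATCH_LIVE -eq '1') {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738; StartTime = (Get-Date).AddMinutes(-5) } `
        -ErrorAction SilentlyContinue |
        ForEach-Object { Get-DisplayNameChange -EventXml $_.ToXml() } |
        Where-Object { $_ } |
        ForEach-Object {
            Send-MailMessage -SmtpServer 'smtp.corp.example' -From 'ad-watch@corp.example' -To 'idm@corp.example' `
                -Subject "AD display name changed: $($_.Account)" -Body ($_ | Format-List | Out-String)
        }
}
```

Because the task fires per event and the script reads a time window, a burst of renames is reported once per event and a rename that happened just before the window is not lost if the task's start delay is shorter than the window. Auditing of "User Account Management" must be enabled on the DCs for 4738 to exist at all.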
If you don't have access to your DCs
Otherwise, you would need to keep a separate database mapping a unique identifier of each account (like the objectGuid) to the display name, and have a scheduled job that updates that and notices changes. You can read here about how to search AD for accounts changed after a certain date, which you can use to only find accounts that have been changed since the last time the job ran.
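An added example of the polling job described above for the no-DC-access case (not code from the answer). It keeps a JSON map from objectGUID to display name, asks AD only for accounts whose whenChanged is newer than the last run minus a margin (whenChanged is maintained per DC and replication is not instant, so the margin and the stored map together make a late-replicating change show up once), and reports accounts whose display name differs from the stored value. It requires the ActiveDirectory module; the state path and SMTP settings are placeholders.

```powershell
# Added example: poll AD for recently changed accounts and diff display names
# against a stored objectGUID -> displayName map. State path and mail settings
# are placeholders; needs the ActiveDirectory module (RSAT).

function Compare-DisplayNames {
    param(
        [Parameter(Mandatory)] [hashtable] $Known,                              # GUID string -> displayName
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Changed     # accounts changed since last run
    )
    foreach ($u in $Changed) {
        $guid = [string]$u.ObjectGUID
        $name = [string]$u.DisplayName                # normalise $null to '' so a cleared name is a change
        if ($Known.ContainsKey($guid) -and $Known[$guid] -ne $name) {
            [pscustomobject]@{ Guid = $guid; Sam = $u.SamAccountName; Old = $Known[$guid]; New = $name }
        }
        $Known[$guid] = $name                         # new accounts are recorded but not reported
    }
}

$statePath = 'C:\ProgramData\DisplayNameWatch\state.json'
$state     = if (Test-Path $statePath) { Get-Content $statePath -Raw | ConvertFrom-Json } else { $null }
$known     = @{}
if ($state) { foreach ($p in $state.Names.PSObject.Properties) { $known[$p.Name] = $p.Value } }
$runStart  = Get-Date
# First run: everything since 2000 (fills the map). Later runs: last run minus 15 minutes,
# so a change that replicated late is still compared against the stored name once.
$since = if ($state) { ([datetime]$state.LastRun).AddMinutes(-15) } else { [datetime]'2000-01-01' }

$changed = @(Get-ADUser -Filter { whenChanged -ge $since } -Properties DisplayName, whenChanged)
$changes = @(Compare-DisplayNames -Known $known -Changed $changed)

New-Item -ItemType Directory -Force -Path (Split-Path $statePath) | Out-Null
[pscustomobject]@{ LastRun = $runStart.ToString('o'); Names = $known } |
    ConvertTo-Json -Depth 3 | Set-Content $statePath

if ($changes.Count -gt 0) {
    Send-MailMessage -SmtpServer 'smtp.corp.example' -From 'ad-watch@corp.example' -To 'idm@corp.example' `
        -Subject "AD display name changes: $($changes.Count)" -Body ($changes | Format-Table | Out-String)
}
```

Keying on objectGUID rather than sAMAccountName matters here: a rename that also changes the logon name would otherwise look like a deleted plus a new account and slip past the diff.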
