I am using the aps 1.9. i have integrated aps with keycloak. i am able to log in only if user is available in both aps and keycloak. so, how to sync aps(users) with keycloak?
Have a look at this post it might be useful
SwazzyNotes, Designs, and SolutionsUser Synchronization in APS from Keycloak
One way is to configure both APS and Keycloak to sync against an LDAP server.
hey Bassam Al-Sarori, i am having multiple ldap connected with keycloak. how do i sync in APS here?. ie i have to write custom extension. is there any pointer to do that?
APS doesn't read from multiple LDAP servers so yes you'll need to write a custom extension.
You can implement ExternalIdmSourceSyncService (or extend AbstractExternalIdmSourceSyncService) to write your own sync logic see an example here Example implementation | Alfresco Documentation
In future, if client wants a social login or some login feature, again i have to do some stuff.
so instead of writing custom extension to sync multiple ldap, i can sync with keycloak right. From keycloak i can do remaining stuff without affecting existing flow.
thanks for the pointers Bassam Al-Sarori .
it will be good if you add this feature to aps.
hi Bassam Al-Sarori, this is like repeating the same task(multiple ldap config) in both keycloak and aps. so i don't want to write custom exception to sync multiple ldap. is there any other way?.
hey Bassam Al-Sarori, how do i configure super admin user in keycloak ?
i have changed the following properties in activiti-app.properties like below,
In keycloak, i have created super admin group. am i missing something? feel free to correct me.
The default admin user needs to be created in APS so you need to set those properties. Then create the same user on Keycloak.
I got one issue when trying the above suggestion. After syncing with keycloak, it is creating one more entry in the USER table. ie there are two entries with same email id(firstname.lastname@example.org). so i am getting error (below)
javax.persistence.NonUniqueResultException: result returns more than one elements
To avoid this problem, i was trying like the above.
hmm.. the admin user needs to be always created in APS. In case of LDAP sync that didn't cause any issues. I guess that you shouldn't create that user in Keycloak. You can set another user to have super admin permissions.
How can i set super user permission?.
i can add one entry in db manually. but is it a correct approach?. can i use this approach in production Machine ?.
You might have to write extension code or maybe the custom sync code should make sure to grant a specific user super admin permissions.
thanks the suggestion Bassam Al-Sarori.
Actually, we are having one app in production which was deployed in admin user(email@example.com). Now client wants multiple AD support to our application. So we are going with keycloak approach. I am planning sync all the users except admin user from keycloak. is it a correct approach. can you please suggest what kind of approach i have follow?
Not synchronising the admin user seems the only solution for now.
Retrieving data ...