cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed

SAS Viya Using Keycloak as SCIM Provider

Started ‎12-03-2024 by
Modified ‎12-03-2024 by
Views 1,306

In the last post we discussed the concept of using multiple SCIM providers with a single SAS Viya environment. In this post I want to dive into more details on using Keycloak as a SCIM provider with SAS Viya.

 

SAS Viya Configuration

 

The SAS Viya configuration is independent of the chosen SCIM provider. The SAS Viya configuration is covered in the documentation. I would recommend if configuring multiple SCIM providers with SAS Viya that separate SAS Logon Manager client registrations are made. Allowing you to have separately managed long-term access tokens for each of the SCIM providers you are configuring.

 

Keycloak Requirements

 

Keycloak is an Open-Source Identity and Access Management solution. Keycloak is a Cloud Native Computing Foundation incubation project. Keycloak can be installed locally on a Linux or Windows server, it could be run in a container, or even deployed to Kubernetes. There are even several different offerings available in the various cloud marketplaces, such as Azure Marketplace.

 

Keycloak has built-in support for OpenID Connect and SAML authentication protocols. Keycloak also has built-in support to connect to existing LDAP or Active Directory servers. You can also implement your own provider if you have users in other stores, such as a relational database. However, Keycloak does not have built-in support for SCIM version 2.0. There is an open issue requesting this support but this does not seem to be on the current road map. Instead, an add-on product SCIM for Keycloak - https://scim-for-keycloak.de/ has been developed by Pascal Knüppel.

 

SCIM for Keycloak

 

SCIM for Keycloak is an extension plugin that provides SCIM server functionality for Keycloak. That means you will be able to synchronize users and groups from products like Microsoft Entra ID, Sailspoint, Atlassian and others with Keycloak. It also includes a SCIM Client. The SCIM Client functionality synchronizes your users/groups with other identity providers supporting the SCIM protocol.

 

SCIM for Keycloak is not open source. There is a free edition and an enterprise edition. The free edition only supports less than 1000 users, less than 100 groups, and has a license key renewal every 14 days. The enterprise edition supports unlimited users and groups, no license key is required, updates are included for 1 year, and includes a copy of the source-code with limit access rights. More details on the licensing of SCIM for Keycloak can be found here. 

 

SCIM for Keycloak with SAS Viya

 

For this post, I will assume that you already have your users and groups within your Keycloak instance. This could be from linking to your Active Directory or LDAP server, or it could even be by using the SCIM for Keycloak SCIM server functionality. Here we will just focus on the SCIM client functionality of SCIM for Keycloak. This will enable you to provision users and groups from Keycloak to SAS Viya.

 

SCIM for Keycloak has less restrictions on the network connectivity to SAS Viya than the cloud-based SCIM clients such as Microsoft Entra ID. Since you will be deciding where to run Keycloak you will have greater control over the network route taken between Keycloak and your SAS Viya environment. Also, within the SCIM for Keycloak SCIM client configuration it is possible to upload a TLS certificate to establish the HTTPS connection to SAS Viya. This means that SAS Viya does not need to use a commercial TLS certificate signed by a publicly recognised Certificate Authority.

 

Once you have configured SAS Viya for SCIM provisioning following the documentation, it is relatively straightforward to configure Keycloak. You just need to complete the following:

 

    1. From the Keycloak home page select SCIM Administration Console

        01_SR_keycloak01-homepage.png 

      Select any image to see a larger version.
      Mobile users: To view the images, select the "Full" version at the bottom of the page.


       
      1. Select Start Login
      2. Log in with a Keycloak adminstrator
      3. Select Remote SCIM Provider
        02_SR_keycloak03-SCIMClientOverview.png
         
      4. Select the plus sign against Actions
        1. Enter SAS Viya as Name
          03_SR_keycloak03-SCIMClientConfiguration1.png
           
        2. Enter the URL to your SAS Viya environment with identities/scim/v2 appended as Base URL, for example https://sasviya.com/identities/scim/v2
          04_SR_keycloak03-SCIMClientConfiguration2a.png
           
        3. Select Long Life Bearer Token Authentication as Authentication Type
          05_SR_keycloak03-SCIMClientConfiguration3.png
           
        4. Enter the long-lived access token you generated as part of the SAS Viya configuration as Bearer Token
        5. Select Add
        6. Select Save Configuration
      5. Select Load Provider Configuration
        1. Select Yes, this will connect to SAS Viya and load the configuration from the Identities microservice. Additional tabs will become available at the top of the page, and you will be taken to the Schemas tab.
      6. Select the Realm Assignments tab
        1. Select Assign to Realm against the Keycloak Realm you have configured containing your users and groups
          06_SR_keycloak05-SCIMClientRealmAssignment.png
           
      7. Select Synchronization tab
        1. On the User Synchronization sub-tab scroll down and select Count local and remote resources, you should see the number of users defined in Keycloak as the local users and any users in SAS Viya as remote users
        2. Select Synchronize above resource range, you should see the message Synchronization has finished, all users were processed. The results of the synchronization can be seen in the tables below
        3. Scroll down and review the messages generated by user synchronization. You should see details of the users who were synchronized to SAS Viya.
        4. Scroll up and select the Group Synchronization sub-tab
        5. Scroll down and select Count local and remote resources, you should see the number of groups defined in Keycloak as the local groups and any groups in SAS Viya as remote groups
        6. Select Synchronize above resource range, you should see the message Synchronization has finished, all users were processed. The results of the synchronization can be seen in the tables below
        7. Scroll down and review the messages generated by group synchronization. You should see details of the groups that were synchronized to SAS Viya.
        8. Scroll back up and change the drop down box to Update Group Members and change the starting range to 1
        9. Scoll down and select Synchronize above resource range, you should see the message Synchronization has finished, all users were processed. The results of the synchronization can be seen in the tables below
      8. At the top of the window select admin and select Sign Out

Unlike SCIM provision from Microsoft Entra ID where each provisioning job is submitted to a Microsoft controlled schedule in the background the Keycloak provision is instant.

 

It is worth noting that in my setup, I'm using manually created internal users to Keycloak. In most real-word scenarios, users are brought in automatically from an external provider into Keycloak. As such in my setup, group membership information was not initially provisioned into SAS Viya. There was a very simple and quick solution to get the group membership information. All I needed to do was go into the regular Keycloak admin console and simply remove the members from the group and then re-add them. This immediately caused SCIM for Keycloak to send the patch update to SAS Viya and my group membership information was then available.

 

Conclusion

 

Here we have shown how Keycloak can be used as a SCIM provider with your SAS Viya environment. While the functionality is not built-in to the standard Keycloak release it is possible to licence SCIM for Keycloak to add the SCIM functionality to Keycloak. SCIM for Keycloak then provides both a SCIM Server and SCIM Client implementation. The SCIM client implementation is what we use to provision users and groups from Keycloak into SAS Viya.

 

 

Find more articles from SAS Global Enablement and Learning here.

 

Comments
JuanS_OCS
‎12-03-2024 04:33 AM
‎12-03-2024 04:33 AM

Nice one, and thanks @StuartRogers , as I saw more and more folks asking for the integration with Keycloak.

Appreciated!

0 Likes
Version history
Last update:
‎12-03-2024 02:42 AM
Updated by:
SAS Employee
Contributors

sas-innovate-white.png

Our biggest data and AI event of the year.

Don’t miss the livestream kicking off May 7. It’s free. It’s easy. And it’s the best seat in the house.

Join us virtually with our complimentary SAS Innovate Digital Pass. Watch live or on-demand in multiple languages, with translations available to help you get the most out of every session.

 

Register now!

SAS AI and Machine Learning Courses

The rapid growth of AI technologies is driving an AI skills gap and demand for AI talent. Ready to grow your AI literacy? SAS offers free ways to get started for beginners, business leaders, and analytics professionals of all skill levels. Your future self will thank you.

Get started

Article Labels
Article Tags