Skip to content

sovity's implementation of the DAPS (Dynamic Attribute Provisioning Service) based on the Keycloak IAM platform.

License

Notifications You must be signed in to change notification settings

sovity/sovity-daps

sovity Logo

sovity DAPS

sovity's implementation of the Dynamic Attribute Provisioning Service based on the Keycloak IAM platform.

Table of Contents

Getting Started

There is an example deployment using Docker Compose, which will automatically build everything on startup. To use it, copy the file .env.example to .env and assign secure secrets, as described in the file. This setup uses PostgreSQL; however, any database supported by Keycloak can be used.

The setup is configured for a local deployment using plaintext HTTP on port 8080. For a production environment behind a TLS-terminating reverse proxy, the following environment variable adjustments are needed:

  • KC_PROXY=edge
  • KC_HOSTNAME=keycloak.example.com

Additionally, the start-dev command should be removed from the docker-compose.yml.

Further configuration options can be found in the official Keycloak documentation.

Realm Configuration

For least friction, it is recommended to create a separate realm, commonly named "DAPS". In this new realm, several modifications to pre-existing global defaults need to be made:

  • Change all pre-existing client scopes to type "None"
  • Create a new client scope of type "Optional" with name idsc:IDS_CONNECTOR_ATTRIBUTES_ALL

If you want to use any service accounts to automate configuration management, it is best to create them before this point. If you do it later, you will need to manually reassign at least the roles scope to any such clients.

Managing Participants

Participants are represented as Keycloak service accounts. These should have the "DAT Mapper", a custom protocol mapper implemented in this project, configured and assigned to them.

For simple management, it is recommended to use our Authority Portal project.

License

Copyright 2024 sovity GmbH

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.