
7.1. Federation with external IAM systems

New in version 1.9.0: Ad hoc provisioning becomes available in Nubus for Kubernetes.

This section describes how to allow user accounts from external IAM systems to sign in to Nubus without having to import their user account first. Nubus for Kubernetes calls this capability ad hoc provisioning and, among others, uses the federation capability in Keycloak. It addresses operators and functional administrators.

To explain ad hoc provisioning, consider this scenario: an external IAM system has user accounts. Nubus federates with this external IAM system, knows it and trusts it. A user signs in to Nubus using this external user account. During the sign-in process, the federated Identity Provider verifies the user’s credentials. Next, the Identity Provider in Nubus automatically creates a corresponding user account for the user. Since this user account didn’t exist in Nubus before, it’s considered ad hoc provisioned.

You can use ad hoc provisioning to avoid a bulk import operation with an external IAM. Instead, the Identity Provider provisions user accounts in the Directory Service in Nubus for Kubernetes as needed. In addition, Keycloak creates a local shadow account in its internal database that points to the source account in the external IAM system.
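The sign-in flow described above, reduced to its decision points as an added, constructed model; this is not Keycloak or Nubus code, and the issuer URLs, usernames and the in-memory Directory and LocalIdp classes are assumptions made for the illustration. It shows the two artefacts that ad hoc provisioning produces (the Directory Service account and the shadow account keyed by external issuer and subject), that a second sign-in reuses both instead of creating duplicates, that an assertion from an issuer the realm does not federate with is rejected, and, as a conservative design choice of this model only, that a username already present in the directory from a different source is not silently linked to an external identity.

```python
"""Constructed model of ad hoc provisioning on federated sign-in (not Keycloak code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ExternalAssertion:
    """What the federated Identity Provider vouches for after verifying credentials."""
    issuer: str    # the external IAM system that authenticated the user (constructed URL)
    subject: str   # stable identifier of the account inside that external IAM
    username: str  # username to use for the Directory Service account
    email: str


@dataclass
class Directory:
    """In-memory stand-in for the Directory Service in Nubus (assumption)."""
    users: dict = field(default_factory=dict)  # username -> attributes


@dataclass
class LocalIdp:
    """In-memory stand-in for the Identity Provider realm and its federation list (assumption)."""
    trusted_issuers: set
    directory: Directory
    # shadow accounts: (issuer, subject) -> local username, like Keycloak's link to the source account
    shadow_accounts: dict = field(default_factory=dict)
    created_ad_hoc: list = field(default_factory=list)

    def sign_in(self, assertion: ExternalAssertion) -> str:
        """Return the local username for a verified external sign-in, provisioning it on first use."""
        # Only issuers the realm federates with may introduce users.
        if assertion.issuer not in self.trusted_issuers:
            raise PermissionError(f"issuer {assertion.issuer!r} is not a federated IAM system")

        key = (assertion.issuer, assertion.subject)
        if key in self.shadow_accounts:
            # Returning user: the shadow account already points at the local account.
            return self.shadow_accounts[key]

        existing = self.directory.users.get(assertion.username)
        if existing is not None and existing["source"] != assertion.issuer:
            # Model-only safeguard: never attach an external identity to an account that
            # was created by another source just because the usernames collide.
            raise ValueError(f"username {assertion.username!r} already exists from another source")

        if existing is None:
            # First sign-in: the account did not exist before, so it is provisioned ad hoc.
            self.directory.users[assertion.username] = {
                "email": assertion.email,
                "source": assertion.issuer,
            }
            self.created_ad_hoc.append(assertion.username)

        # Create the shadow account that links the external source account to the local one.
        self.shadow_accounts[key] = assertion.username
        return assertion.username


def demo() -> dict:
    """Run the three scenarios with constructed data and report what happened."""
    directory = Directory(users={"alice": {"email": "alice@local.example", "source": "local"}})
    idp = LocalIdp(trusted_issuers={"https://idp.partner.example"}, directory=directory)
    jdoe = ExternalAssertion("https://idp.partner.example", "7f3a", "jdoe", "jdoe@partner.example")

    first = idp.sign_in(jdoe)    # provisions jdoe ad hoc
    second = idp.sign_in(jdoe)   # reuses the shadow account

    outcomes = {"first": first, "second": second, "created": list(idp.created_ad_hoc)}
    try:
        idp.sign_in(ExternalAssertion("https://unknown.example", "1", "mallory", "m@unknown.example"))
        outcomes["untrusted"] = "accepted"
    except PermissionError:
        outcomes["untrusted"] = "rejected"
    try:
        idp.sign_in(ExternalAssertion("https://idp.partner.example", "9c1d", "alice", "a@partner.example"))
        outcomes["collision"] = "linked"
    except ValueError:
        outcomes["collision"] = "refused"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The interesting check is the last one: whether an external identity is allowed to claim a username that already exists locally is a policy decision that the real federation configuration has to make explicitly; the model refuses, so that the question cannot be answered by accident.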

If you want to bulk import user accounts from an external IAM system and keep them synchronized, you need to use the Nubus Directory Importer. For more information, see How-to connect to external IAM.

For all the necessary steps, you need access to the Keycloak Admin Console in your Nubus installation. To enter the Keycloak Admin Console, you need the following information:

User account
    with the appropriate user rights to sign in to the Keycloak Admin Console. All user accounts that are members of the Domain Admins user group have the appropriate user rights.

URL
    Use the scheme: https://id.$(global.domain)/admin. The value in global.domain completes the FQDN of the URL.

    Example: https://id.nubus.example.com/admin, where nubus.example.com is the value in global.domain.

To set up ad hoc provisioning in Keycloak, follow the steps described at Federation with external IAM systems.