7.1. Federation with external IAM systems
New in version 1.9.0: Ad hoc provisioning becomes available in Nubus for Kubernetes.
This section describes how to allow user accounts from external IAM systems to sign in to Nubus without having to import their user account first. Nubus for Kubernetes calls this capability ad hoc provisioning and, among others, uses the federation capability in Keycloak. It addresses operators and functional administrators.
If you only need user accounts that actually use the system, or if you want to save time on the import procedure, or if you don’t care about modifications to user accounts in your external IAM system after the initial import, then this section is for you.
If you want all user accounts from a subtree in an external IAM system in the Directory Service of Nubus for Kubernetes, and also want to regularly transfer user updates from your external IAM system, then continue with the Nubus Directory Importer and Import from external IAM.
To explain ad hoc provisioning, consider this scenario: an external IAM system has user accounts. Nubus federates with this external IAM system, knows it and trusts it. A user signs in to Nubus using this external user account. During the sign-in process, the federated Identity Provider verifies the user’s credentials. Next, the Identity Provider in Nubus automatically creates a corresponding user account for the user. Since this user account didn’t exist in Nubus before, it’s considered ad hoc provisioned.
You can use ad hoc provisioning to avoid a bulk import operation with an external IAM. Instead, the Identity Provider provisions user accounts in the Directory Service in Nubus for Kubernetes as needed. In addition, Keycloak creates a local shadow account in its internal database that points to the source account in the external IAM system.
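The sign-in flow described above, reduced to its data model, as an added illustration that is not code from Nubus for Kubernetes or Keycloak: the federated Identity Provider has already verified the credentials and hands over an assertion; the Nubus Identity Provider looks up the shadow link for the (identity-provider alias, external subject) pair, reuses the existing Directory Service account when one is linked, and otherwise provisions a new account and records the link. The class names, the `(provider_alias, subject)` link key and the decision to reject a username that is already owned by a different link are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ExternalAssertion:
    """What the federated IdP asserts after verifying the credentials (constructed input)."""
    provider_alias: str  # Keycloak identity-provider alias, assumed name
    subject: str         # stable identifier issued by the external IAM for this user
    username: str
    email: str


@dataclass
class FederationState:
    """Simplified model: Directory Service accounts plus Keycloak's shadow links."""
    directory: dict = field(default_factory=dict)     # uid -> account attributes
    shadow_links: dict = field(default_factory=dict)  # (provider_alias, subject) -> uid
    events: list = field(default_factory=list)        # audit trail of provisioning decisions


def sign_in(state: FederationState, assertion: ExternalAssertion) -> str:
    """Return the local uid for a federated sign-in, provisioning the account ad hoc if needed."""
    link_key = (assertion.provider_alias, assertion.subject)

    # Existing shadow link: the account was provisioned on an earlier sign-in.
    if link_key in state.shadow_links:
        uid = state.shadow_links[link_key]
        state.events.append(("reuse", uid))
        return uid

    # No link yet: provision the Directory Service account, keyed by the asserted username.
    uid = assertion.username
    if uid in state.directory:
        # Modelling choice for this example: never silently attach a new external
        # identity to an account that belongs to a different link.
        raise ValueError(f"uid {uid!r} already exists and is linked to another identity")

    state.directory[uid] = {
        "username": assertion.username,
        "email": assertion.email,
        "source": assertion.provider_alias,
    }
    state.shadow_links[link_key] = uid
    state.events.append(("provisioned", uid))
    return uid


def demo() -> FederationState:
    """Two sign-ins by the same external user, then a colliding username from a second IdP."""
    state = FederationState()
    alice = ExternalAssertion("external-iam", "sub-1001", "alice", "alice@example.test")
    sign_in(state, alice)  # first sign-in: ad hoc provisioned
    sign_in(state, alice)  # second sign-in: shadow link found, account reused
    other = ExternalAssertion("partner-iam", "sub-77", "alice", "alice@partner.test")
    try:
        sign_in(state, other)
    except ValueError:
        state.events.append(("rejected", "alice"))
    return state


if __name__ == "__main__":
    for event in demo().events:
        print(event)
```

The point to take from the model is that the shadow link, not the username, decides whether an account is reused: the second sign-in does not create a duplicate, and an unrelated identity that happens to assert the same username is not merged into the first account.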
To set up federation with an external IAM system, use the following steps:

1. For all the necessary steps, you need access to the Keycloak Admin Console in your Nubus installation. For information about how to connect and sign in to the Keycloak Admin Console, see Keycloak Admin Console.

2. To set up ad hoc provisioning in Keycloak, follow the steps described at Federation with external IAM systems in the Univention Keycloak app manual [5].