Transient sessions: Documentation
Closes: #24278 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
This commit is contained in:
parent
0ceaed0e2e
commit
f557b2c88c
1 changed files with 55 additions and 0 deletions
55
docs/transient-users.md
Normal file
55
docs/transient-users.md
Normal file
|
@ -0,0 +1,55 @@
|
||||||
|
<#import "/templates/guide.adoc" as tmpl>
|
||||||
|
<#import "/templates/kc.adoc" as kc>
|
||||||
|
<#import "/templates/links.adoc" as links>
|
||||||
|
|
||||||
|
<@tmpl.guide
|
||||||
|
title="Transient users for brokering support [experimental]"
|
||||||
|
summary="How to configure Keycloak server to not store users from identity providers in the database."
|
||||||
|
includedOptions="">
|
||||||
|
|
||||||
|
When using Keycloak as an identity broker, you can configure the Keycloak server
|
||||||
|
to not create users in its local database when a user authenticates with an external
|
||||||
|
identity provider. This user is called a _transient user_. Transient users are only
|
||||||
|
stored within a specific user session and they cease to exist once that session is removed.
|
||||||
|
|
||||||
|
== Configuring the transient users for a identity provider
|
||||||
|
|
||||||
|
In order to use transient users, you need to enable them in the Keycloak
|
||||||
|
server first by enabling `transient-users` feature.
|
||||||
|
|
||||||
|
<@kc.start parameters="--features=transient-users"/>
|
||||||
|
|
||||||
|
Once the feature is enabled, you can configure the identity provider to use transient users
|
||||||
|
by enabling the `Do Not Store Users` option in the respective identity provider configuration.
|
||||||
|
|
||||||
|
== Considerations
|
||||||
|
|
||||||
|
When using transient users, you should be aware of the following:
|
||||||
|
|
||||||
|
- In the Admin Console, transitive users can be only tracked from their
|
||||||
|
respective client session. They cannot be looked up using
|
||||||
|
the Users search because they are not stored
|
||||||
|
in any user store. For the same reason, it is not possible to add additional
|
||||||
|
authentication factors to them.
|
||||||
|
|
||||||
|
- Roles and groups can be assigned to the transient users only by
|
||||||
|
identity provider mappers of the respective identity provider.
|
||||||
|
|
||||||
|
- Since every transient user is created afresh, mappers always
|
||||||
|
work in the `Import` sync mode.
|
||||||
|
|
||||||
|
- It is possible to leverage offline sessions with transient users.
|
||||||
|
To do so, you need to add a role mapper to the identity provider that will assign
|
||||||
|
the `offline_access` role to transient users. Beware that the transient user may then
|
||||||
|
be stored in the Keycloak database until the respective session expires or the token is revoked.
|
||||||
|
Always consider using persistent rather than transient users when offline sessions are
|
||||||
|
needed since persistent users can manage offline tokens more easily
|
||||||
|
by the Account Console. Also, the transient users feature contributes
|
||||||
|
the purpose of not storing any personally identifiable information into the database.
|
||||||
|
Since offline sessions are persisted in database, the transient user data would be stored
|
||||||
|
there as well. It is up to the administrator to determine whether this is acceptable or not.
|
||||||
|
|
||||||
|
- Technically, transient user data is stored as part
|
||||||
|
of the user session. It thus increases the session size.
|
||||||
|
|
||||||
|
</@tmpl.guide>
|
Loading…
Reference in a new issue