On the Keycloak website there is a ‘call to action’ that states: Centralized Management - For admins and users
I understand this to mean that Keycloak can manage both Users and Federated Users in a consistent fashion.
What I mean specifically is that if Keycloak is managing users on behalf of my application then I don’t need to be concerned if a User Federation was created with: Import Users: Off or Import Users: On.
If I create a User Federation with Import Users: On, register a user via an OIDC Flow and then make calls to the REST API, for example:
kcadm.sh get users -r development
Output:
[ {
  "id" : "018e1577-7b85-4c4d-9701-95793073b0b8",
  "createdTimestamp" : 1578440270546,
  "username" : "rob.ferguson",
  "enabled" : true,
  "totp" : false,
  "emailVerified" : false,
  "firstName" : "Rob",
  "lastName" : "Ferguson",
  "email" : "rob.ferguson@robferguson.org",
  "federationLink" : "b02e5323-0ea4-442c-ba59-5e997d0c5f94",
  "attributes" : {
    "LDAP_ENTRY_DN" : [ "uid=rob.ferguson,ou=users,dc=flowable,dc=org" ],
    "LDAP_ID" : [ "rob.ferguson" ],
    "modifyTimestamp" : [ "20200107234014Z" ],
    "createTimestamp" : [ "20200107233750Z" ]
  },
  "disableableCredentialTypes" : [ ],
  "requiredActions" : [ ],
  "notBefore" : 0,
  "access" : {
    "manageGroupMembership" : true,
    "view" : true,
    "mapRoles" : true,
    "impersonate" : true,
    "manage" : true
  }
} ]
However, if I create a User Federation with Import Users: Off, register a user via an OIDC Flow and then make calls to the REST API, for example:
kcadm.sh get users -r development
Output:
[ ]
Both users were created by Keycloak, but only those where the User Federation has Import Users: On are visible via the REST API or the Administration Console.
However, a Federated User (Import Users: Off) can navigate to the User Account Service:
http://localhost:10001/auth/realms/development/account
And reset their password. But a Keycloak Administrator cannot reset a Federated User’s (Import Users: Off) password via the Administration Console.
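Added example, not part of the post above: a small audit script that reads the JSON returned by `kcadm.sh get users`, separates local accounts from federation-linked ones (via `federationLink` and `LDAP_ENTRY_DN`), and reconciles the list against the usernames the application itself recorded at registration, so that accounts invisible to the admin API (the Import Users: Off case) are reported rather than silently missed. The sample JSON is constructed from the shape of the output shown in the post plus one hypothetical local user; the expected-username list stands in for the application's own registration records.

```python
import json

# Constructed sample in the shape of `kcadm.sh get users -r <realm>` output:
# the federated user from the post (Import Users: On) plus a hypothetical
# local-only account for contrast. Fields not needed for the audit are omitted.
SAMPLE_USERS_JSON = """
[ {
  "id" : "018e1577-7b85-4c4d-9701-95793073b0b8",
  "username" : "rob.ferguson",
  "enabled" : true,
  "federationLink" : "b02e5323-0ea4-442c-ba59-5e997d0c5f94",
  "attributes" : {
    "LDAP_ENTRY_DN" : [ "uid=rob.ferguson,ou=users,dc=flowable,dc=org" ]
  }
}, {
  "id" : "00000000-0000-0000-0000-000000000001",
  "username" : "alice.local",
  "enabled" : true
} ]
"""


def classify_users(users_json):
    """Split the admin REST inventory into local and federation-linked accounts.

    Federated entries are returned as (username, federationLink, LDAP DN);
    the DN is None when the provider did not map LDAP_ENTRY_DN.
    """
    local, federated = [], []
    for user in json.loads(users_json):
        if user.get("federationLink"):
            dn = user.get("attributes", {}).get("LDAP_ENTRY_DN", [None])[0]
            federated.append((user["username"], user["federationLink"], dn))
        else:
            local.append(user["username"])
    return {"local": local, "federated": federated}


def reconcile(expected_usernames, users_json):
    """Usernames the application registered that the admin API does not list.

    With Import Users: Off the API returns `[ ]`, so every expected user
    shows up here; a non-empty result is the signal to investigate.
    """
    seen = {user["username"] for user in json.loads(users_json)}
    return sorted(set(expected_usernames) - seen)


if __name__ == "__main__":
    print(classify_users(SAMPLE_USERS_JSON))
    print("missing:", reconcile(["rob.ferguson", "jane.doe"], SAMPLE_USERS_JSON))
```

Feed it the real output (`kcadm.sh get users -r development > users.json`) and your application's registration list to see which accounts the Administration Console cannot manage.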