Keycloak being able to handle 1000+ identity providers in a realm #21071

Open
3 of 9 tasks
mposolda opened this issue Jun 19, 2023 · 8 comments

Comments

@mposolda
Contributor

mposolda commented Jun 19, 2023

Description

This includes various tasks needed for Keycloak to be able to handle 1000+ identity providers in a realm (might be even 10k or more).

Discussion

#21076

Report from the community users about the issues with 4000 identity providers in a realm: https://issues.redhat.com/browse/KEYCLOAK-17860

Issues

Tasks

  1. area/storage kind/bug team/store
    vramik
  2. kind/enhancement status/triage
  3. area/identity-brokering kind/enhancement kind/performance status/triage
  4. kind/enhancement
    rmartinc
  5. kind/task
    aelkz
  6. kind/enhancement release/24.0.0
  7. kind/enhancement status/triage
  8. kind/enhancement status/triage

Relevant Open PRs

Motivation

No response

@bonnm

bonnm commented Jun 20, 2023

Hi,
Just a comment on the area of handling thousands of IdPs: Automated import/processing of IdPs from a SAML federation would also be a nice feature. There already was a discussion about this: #8608, and there is a fork https://github.com/eosc-kc/keycloak which works with 1000+ federated SAML IdPs. Maybe it is worth having a look at it.

@cgeorgilakis
Contributor

I believe the account console issue with many IdPs must also be added to this epic.
Without fixing it, the linked-accounts page will be unresponsive and the user cannot link his IdPs (accounts).

There is a PR for resolving this issue. Could you review it?

@cgeorgilakis
Contributor

> Hi, Just a comment on the area of handling thousands of IdPs: Automated import/processing of IdPs from a SAML federation would also be a nice feature. There already was a discussion about this: #8608, and there is a fork https://github.com/eosc-kc/keycloak which works with 1000+ federated SAML IdPs. Maybe it is worth having a look at it.

We have implemented SAML federation and we could discuss it in a GitHub discussion or GitHub issue. SAML federation is based on supporting section 2.3.1 of Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0, and it gives a way to manage 1000+ SAML IdPs, as in our use case. SAML federation support needs everything that is mentioned in this epic.

I propose adding SAML federation as an issue in this epic and discussing the details in a GitHub discussion.

@rmartinc
Contributor

rmartinc commented Jul 5, 2023

Starting to look at this one. I think that the steps to make this happen are more or less the following:

  • Create a new API to manage the providers. The API should contain basic CRUD and a search/list with pagination enabled.
  • Change the UIs (admin, login page, ...) to manage the new endpoints and not the list in the realm. This step will probably be translated into different issues.
  • Remove/deprecate the list in the realm (avoid loading all of them in the realm representation).
  • Subsequent enhancements (like import, sync or other things that are commented in the different discussions...). Those can be managed as separate issues as we have the base to cover thousands of providers.

The first step is always having the new endpoints to manage the providers. I think that #21072 is the one to cover that point and the starting point. So I'm starting to think about this. I will present a skeleton to see what everybody thinks about it.

@jonkoops
Contributor

jonkoops commented Jul 5, 2023

@rmartinc if we're building new APIs I'd really like to get started on a proper v2 endpoint with proper OpenAPI annotations.

@rmartinc
Contributor

rmartinc commented Jul 5, 2023

@jonkoops I'm starting to look at what we have now and how far we are from the goal. Probably we are almost there and we don't need a lot of things, making v2 not really worth it. We have OpenAPI annotations now, so we will use them for sure no matter what we decide.

My idea is presenting a skeleton first so you and everybody can scold me. 😄

@jonkoops
Contributor

jonkoops commented Jul 5, 2023

Hahah, sounds fair! Let me know when I can pitch in.

@rmartinc
Contributor

rmartinc commented Jul 6, 2023

@jonkoops and anyone interested, I updated #21072 with the REST API changes (as expected they are minimal).
