On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote:
> "What exactly would you need to manage JCR-based controls? I would
> imagine that mapping users to JCR groups based on whatever data your
> identity solution provides and then creating access based on ACLs only
> would satisfy your request."
>
> We need to manage a few things at the identity provider:
> 1. User attributes: username, name, email, phone, maybe a few other
>    pieces of data about the user.
> 2. Group membership
>
> When the user signs in, with SAML2 there is encrypted metadata which
> contains that information. Upon sign in, Sling users should be
> created, their user attributes updated and the user should be added
> or removed from Sling group membership. Once the user has signed in,
> then access is granted as usual using JCR-based ACLs applied for the
> groups.
Right, I see that there is no support for that in the keycloak handler, as it was presented [1]. I don't think there is any out-of-the-box support for what you're looking for. I would be happy to guide anyone willing to implement such functionality though.

Thanks,
Robert

[1]: https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak
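For reference, one way the "create the user, refresh attributes, reconcile group membership, then let JCR ACLs do the rest" step described in the thread could be implemented against the Jackrabbit user-management API. This is an added illustration written for this page, not code from the keycloak handler linked above or from the Sling project. It assumes that the caller has already validated (signature checked, decrypted) the SAML2 assertion and extracted its attribute values, that a service-user session with user-management rights is available, and that groups named with an assumed "idp-" prefix are owned by the identity provider while other groups stay locally administered; the class and attribute names are placeholders.

```java
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

import javax.jcr.RepositoryException;
import javax.jcr.ValueFactory;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/**
 * Hypothetical helper (not part of Sling or the keycloak handler) that mirrors an
 * already validated SAML2 assertion into the JCR user store.
 * Assumptions: the assertion was verified and decrypted by the caller; "session"
 * is a service-user session allowed to manage users and groups; groups prefixed
 * "idp-" are owned by the IdP and are reconciled, all other groups are untouched.
 */
public final class SamlUserSync {

    /** SAML attribute name -> property path on the user node (names are assumed). */
    private static final Map<String, String> ATTR_TO_PROPERTY = Map.of(
            "displayName", "profile/name",
            "email", "profile/email",
            "phone", "profile/phone");

    /** Assumed naming convention for groups managed by the identity provider. */
    private static final String IDP_GROUP_PREFIX = "idp-";

    private SamlUserSync() {}

    public static User sync(JackrabbitSession session, String userId,
                            Map<String, String> attributes, List<String> idpGroups)
            throws RepositoryException {
        UserManager um = session.getUserManager();
        ValueFactory vf = session.getValueFactory();

        // 1. Create the user on first sign-in. Authentication always happens at the
        //    IdP, so the repository password is set to a random value nobody knows;
        //    the account can then not be used with repository credentials.
        Authorizable existing = um.getAuthorizable(userId);
        User user;
        if (existing == null) {
            user = um.createUser(userId, UUID.randomUUID().toString());
        } else if (existing.isGroup()) {
            throw new RepositoryException("'" + userId + "' is a group, refusing to sync");
        } else {
            user = (User) existing;
        }

        // 2. Refresh profile attributes from the assertion; attributes the IdP no
        //    longer sends are removed so stale data does not linger.
        for (Map.Entry<String, String> e : ATTR_TO_PROPERTY.entrySet()) {
            String value = attributes.get(e.getKey());
            if (value != null) {
                user.setProperty(e.getValue(), vf.createValue(value));
            } else {
                user.removeProperty(e.getValue());
            }
        }

        // 3. Reconcile IdP-owned membership: drop prefixed groups the assertion no
        //    longer lists, add the ones it does. Locally administered groups are kept.
        Set<String> wanted = new HashSet<>();
        for (String g : idpGroups) {
            if (g.startsWith(IDP_GROUP_PREFIX)) {
                wanted.add(g);
            }
        }
        Iterator<Group> current = user.declaredMemberOf();
        while (current.hasNext()) {
            Group g = current.next();
            String id = g.getID();
            if (id.startsWith(IDP_GROUP_PREFIX) && !wanted.remove(id)) {
                g.removeMember(user);
            }
        }
        for (String id : wanted) { // whatever is left is a new membership
            Authorizable a = um.getAuthorizable(id);
            if (a != null && !a.isGroup()) {
                throw new RepositoryException("'" + id + "' exists but is not a group");
            }
            Group g = (a == null) ? um.createGroup(id) : (Group) a;
            g.addMember(user);
        }

        session.save();
        return user;
    }
}
```

The helper would be called from the authentication handler after the assertion has been accepted, before the request proceeds as the mapped user; because only prefixed groups are reconciled, an operator can still grant extra JCR permissions through locally managed groups without the next sign-in undoing them.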