User data synchronization
Mapping and user data synchronization
What is synchronized
User data synchronization is part of the mapping process. The direction of this synchronization is from Keycloak to censhare, never the other way round. In this regard, we differentiate between basic user data (such as name, email address, etc.) and information on user permissions (roles and domains in censhare terminology). We also differentiate between users that already exist in the censhare system before they log in for the first time and users that do not, i.e., users that may already exist in Keycloak but have never logged in to censhare before. For convenience, we will refer to them as existing and new users.
Depending on these two factors, which information and which kind of user, the synchronization process behaves differently.
Synchronization scopes
Synchronization configuration has two dimensions:
external vs. internal (called "standard") authentication: this specifies whether authentication happens exclusively within the censhare system or whether Keycloak is involved.
for external authentication, the synchronization scope: how much of the user information the authorization mapper should try to match and, where it is missing or contradictory in censhare, copy from Keycloak to the censhare user table.
Your choice has consequences for how you manage your users, e.g., in which system you can add new users. If you plan to add users in Keycloak, or in LDAP or another third-party directory that can only be connected to censhare through Keycloak, make sure you select a synchronization scope that allows new users to be created from Keycloak.
Below is the comparison table with the terms used for synchronization scopes in the Admin Client UI.
Synchronization scope | Basic info synched for existing users | Basic info synched for new users | Roles and domains synched for existing users | Roles and domains synched for new users | Possible to create new users from Keycloak
---|---|---|---|---|---
Don't synchronize | no | no | no | no | no
Complete synchronization | yes | yes | yes | yes | yes
Basic synchronization | yes | yes | no | yes | yes
The implications of selecting each of the scopes are the following.
Don't synchronize
No information is synched. You need to manage all user information in the censhare system. Anything you add or change in Keycloak is not synched to censhare. Consequently, a user that only exists in Keycloak cannot use censhare. This option is, however, useful for "protecting" system-critical users, e.g., the default censhare user, from any unexpected edits coming from Keycloak.
Complete synchronization
Complete synchronization synchronizes basic information together with roles and domains, which are derived from the Keycloak groups and attributes assigned to the user. Once you have configured the mapper correctly, you can add new users and all their information in Keycloak only. Note that this makes Keycloak authoritative for censhare permissions: whoever can assign groups and attributes in Keycloak effectively assigns roles and domains in censhare.
Basic synchronization
Basic synchronization works differently for new and existing users:
For existing users, only basic information (name, email address, etc.) is synched. This means that:
Changes to basic information made in Keycloak are synched to the censhare system.
Assigning or removing attributes and groups in Keycloak has no influence on user permissions in censhare, as this information is not synched. Consequently, such changes need to be made in the censhare system instead.
For new users, all information is synched, including roles and domains (based on the groups and attributes assigned to them in Keycloak).
Therefore, basic synchronization allows you to create new users in Keycloak. Upon their first login, a new user record is created in the censhare users table with all necessary information. Any later permission changes for that user must then be made in censhare.
Other notes on user data synchronization
The synchronization scope does not have to be the same for all users; for example, the default censhare user can be kept on "Don't synchronize" while other users use complete synchronization.
For users deactivated in Keycloak, no sync happens and they cannot log in to censhare.
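The following is an added example that models the rules of the three synchronization scopes, for existing and new users and for deactivated Keycloak users, as a single decision function. It is not censhare's or Keycloak's own code: the record layouts, the group-to-role and attribute-to-domain mapping (`GROUP_TO_ROLE`, `DOMAIN_ATTRIBUTE`), the function names and the sample users are assumptions made for illustration; only the decision rules follow the scope table above.

```python
"""Model of the censhare <- Keycloak synchronization scopes applied on login.

Added example, not censhare's or Keycloak's own code. Record fields, the
mapper configuration and all names are assumptions; the decisions follow
the synchronization scope table on this page.
"""
from dataclasses import dataclass, field, replace
from typing import Mapping, Optional, Sequence

# Scope names as they appear in the Admin Client UI.
DONT_SYNC = "Don't synchronize"
COMPLETE = "Complete synchronization"
BASIC = "Basic synchronization"


@dataclass(frozen=True)
class KeycloakUser:
    """Subset of a Keycloak user representation the mapper looks at (assumed)."""
    username: str
    enabled: bool
    first_name: str
    last_name: str
    email: str
    groups: Sequence[str] = ()                                   # -> censhare roles
    attributes: Mapping[str, Sequence[str]] = field(default_factory=dict)  # -> domains


@dataclass(frozen=True)
class CenshareUser:
    """Row in the censhare users table (assumed layout)."""
    login: str
    first_name: str
    last_name: str
    email: str
    roles: frozenset
    domains: frozenset


class LoginDenied(Exception):
    """The user cannot log in to censhare under the given scope."""


# Assumed mapper configuration: Keycloak group -> censhare role, and the
# multi-valued Keycloak attribute "domain" -> censhare domains.
GROUP_TO_ROLE = {"censhare-editors": "editor", "censhare-admins": "admin"}
DOMAIN_ATTRIBUTE = "domain"


def permissions_from_keycloak(user: KeycloakUser):
    """Derive censhare roles and domains from Keycloak groups and attributes."""
    roles = frozenset(GROUP_TO_ROLE[g] for g in user.groups if g in GROUP_TO_ROLE)
    domains = frozenset(user.attributes.get(DOMAIN_ATTRIBUTE, ()))
    return roles, domains


def synchronize_on_login(scope: str, kc_user: KeycloakUser,
                         existing: Optional[CenshareUser]) -> CenshareUser:
    """Return the censhare record in effect after kc_user authenticates via Keycloak.

    `existing` is the current censhare record, or None for a user unknown to
    censhare (a "new user"). Raises LoginDenied where the page says login fails.
    """
    if scope not in (DONT_SYNC, COMPLETE, BASIC):
        raise ValueError(f"unknown synchronization scope: {scope!r}")
    if not kc_user.enabled:
        # Deactivated in Keycloak: nothing is synched and the login is refused.
        raise LoginDenied(f"{kc_user.username} is deactivated in Keycloak")

    roles, domains = permissions_from_keycloak(kc_user)

    if existing is None:
        if scope == DONT_SYNC:
            # Nothing is copied, so a user that exists only in Keycloak cannot use censhare.
            raise LoginDenied(f"{kc_user.username} exists only in Keycloak; scope is {scope}")
        # Complete and Basic both create the record with basic info AND permissions.
        return CenshareUser(login=kc_user.username, first_name=kc_user.first_name,
                            last_name=kc_user.last_name, email=kc_user.email,
                            roles=roles, domains=domains)

    if scope == DONT_SYNC:
        return existing  # authenticated by Keycloak, censhare record left untouched

    # Existing user: basic info is copied under Basic and Complete; Keycloak wins
    # wherever the censhare values are missing or contradictory.
    updated = replace(existing, first_name=kc_user.first_name,
                      last_name=kc_user.last_name, email=kc_user.email)
    if scope == COMPLETE:
        # Only Complete synchronization touches roles and domains of an existing user.
        updated = replace(updated, roles=roles, domains=domains)
    return updated


def demo():
    """Run one constructed user through all scopes; returns {scope: record or denial}."""
    # Constructed sample data, not taken from any real system.
    kc = KeycloakUser("jdoe", True, "Jane", "Doe", "jane.doe@example.com",
                      groups=("censhare-editors",), attributes={"domain": ("root.sales",)})
    old = CenshareUser("jdoe", "Jane", "Doe", "jdoe@old.example.com",
                       frozenset({"viewer"}), frozenset({"root"}))
    results = {}
    for scope in (DONT_SYNC, BASIC, COMPLETE):
        try:
            results[scope] = synchronize_on_login(scope, kc, old)
        except LoginDenied as exc:
            results[scope] = f"login denied: {exc}"
    return results


if __name__ == "__main__":
    for scope, outcome in demo().items():
        print(f"{scope}: {outcome}")
```

Running `demo()` shows the practical difference: under Basic synchronization the existing user's email is updated but the `viewer` role and `root` domain stay as they were, so removing the `censhare-editors` group in Keycloak would not revoke anything in censhare either; under Complete synchronization the record ends up with `editor` and `root.sales`, exactly what Keycloak says.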