The user data service implemented in Project-Id 5841 is being developed further. PTA supports the customer in adapting the service to changed requirements. Users are primarily maintained in the SIAM application; however, not all attributes needed to allocate authorisations in the applications can be maintained there. SIAM notifies the user data service of every change to user data via the Solace message broker, and some of these changes are enriched automatically according to fixed rules.
Further data is entered manually via a web application. Users log in via the identity provider Keycloak, while the actual SSO authentication is carried out by SIAM. After a successful login, Keycloak returns a token (JWT) carrying the user's attributes. Some of these attributes are lists of values that are too large for Keycloak to store as user attributes. PTA is therefore developing a Keycloak extension that retrieves these lists from the user data service when the token is issued and places them in the token.
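The enrichment step described above can be implemented in Keycloak as a custom protocol mapper. The following is an added illustration, not PTA's or the project's code: the mapper fetches the user's authorisation lists (here the product groups and countries mentioned in this description) from the user data service at token issuance and writes them into the token as claims. The base URL config key, the service path `/users/{id}/authorisations`, the JSON field names and the claim names `product_groups` and `countries` are assumptions; the Keycloak types come from the public server SPI.

```java
// Added example of a Keycloak protocol mapper (not the project's own code).
// Assumed: the user data service exposes GET {baseUrl}/users/{id}/authorisations
// returning {"productGroups": [...], "countries": [...]}.
package example.mapper;  // hypothetical package name

import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import com.fasterxml.jackson.databind.JsonNode;

import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

public class UserDataServiceMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    // Provider id; the class name must also be listed in
    // META-INF/services/org.keycloak.protocol.ProtocolMapper for Keycloak to load it.
    public static final String PROVIDER_ID = "user-data-service-mapper";
    // Admin-console config key for the service base URL (assumed name)
    static final String CFG_BASE_URL = "userDataService.baseUrl";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static {
        ProviderConfigProperty url = new ProviderConfigProperty();
        url.setName(CFG_BASE_URL);
        url.setLabel("User data service base URL");
        url.setType(ProviderConfigProperty.STRING_TYPE);
        url.setHelpText("Base URL of the user data service, e.g. https://uds.internal");
        CONFIG.add(url);
        // Standard "include in ID / access / userinfo token" switches
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, UserDataServiceMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "User data service authorisations"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() {
        return "Adds product groups and countries from the user data service as claims";
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    // The base class calls this once per token type the administrator enabled.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel,
                            UserSessionModel userSession, KeycloakSession session,
                            ClientSessionContext clientSessionCtx) {
        String baseUrl = mappingModel.getConfig().get(CFG_BASE_URL);
        // Key the lookup on Keycloak's stable user id rather than a mutable username.
        String userId = URLEncoder.encode(userSession.getUser().getId(), StandardCharsets.UTF_8);
        try {
            SimpleHttp.Response response = SimpleHttp
                    .doGet(baseUrl + "/users/" + userId + "/authorisations", session)
                    .header("Accept", "application/json")
                    .asResponse();
            if (response.getStatus() != 200) {
                // Fail closed: never issue a token with silently missing authorisation data.
                throw new IllegalStateException("user data service returned " + response.getStatus());
            }
            JsonNode body = response.asJson();
            // Claim names are assumptions; the relying applications must use the same names.
            token.setOtherClaims("product_groups", toStringList(body.get("productGroups")));
            token.setOtherClaims("countries", toStringList(body.get("countries")));
        } catch (IOException e) {
            throw new IllegalStateException("user data service unavailable", e);
        }
    }

    // Converts a JSON array into a list of strings; a missing field yields an
    // empty list, i.e. no authorisations, rather than an error.
    private static List<String> toStringList(JsonNode node) {
        List<String> values = new ArrayList<>();
        if (node != null && node.isArray()) {
            node.forEach(n -> values.add(n.asText()));
        }
        return values;
    }
}
```

Two practitioner caveats follow from this design. First, large value lists make the JWT itself large; since the access token travels in an `Authorization` header on every request, it should be kept within the header size limits of the proxies and servers in front of the applications, and the lists should be included in the ID token or userinfo response only when they are actually needed there. Second, the applications must verify the token signature against Keycloak's published keys before acting on `product_groups` or `countries`; the claims are only as trustworthy as that check.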
The existing concept of roles and groups in SIAM is not sufficient for allocating user authorisations, because in some cases authorisations must be granted at the level of individual data, such as product groups or countries.