Short description:

To meet the requirements for assigning authorizations, a central service is being developed that adds further, application-specific data to the authorization-relevant data returned when a user logs in. Users log in via the identity provider Keycloak. PTA supports the customer in implementing the backend service that manages this data and, to enrich the user data at login, implements extensions for the Keycloak identity provider.


Users are, in principle, maintained in the SIAM application, but not all attributes that applications need for assigning authorizations can be maintained there. SIAM publishes every change to the user data to the user data service via the Solace message broker. The user data service enriches these records partly automatically, using predefined rules; further data is entered manually through a web application. Users log in via the identity provider Keycloak, while the actual authentication is performed by SIAM via SSO. After a successful login, Keycloak issues a token (JWT) carrying the user's attributes. Some of these attributes are lists of values that are too large to be stored as Keycloak user attributes. PTA therefore develops an extension for Keycloak that retrieves this data from the user data service when the token is issued and writes it into the token.
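As an illustration of the Keycloak extension described above, here is an added example (not PTA's or the customer's code) of a custom OIDC protocol mapper, which is Keycloak's standard extension point for adding claims to issued tokens. It calls a hypothetical user data service endpoint, GET {baseUrl}/users/{username}/authorizations, with a service-to-service bearer token; the class, package, configuration keys and endpoint are assumptions, since the page does not describe the service's interface. The points a reviewer would look for are built in: the user identity is taken from the authenticated Keycloak session rather than from anything the client sent, an unreachable or failing service leaves the claim out instead of emitting a stale or partial list, and the number of list entries written into the token is bounded, because the token is carried in an HTTP header on every request.

```java
// Added example, not PTA's or the customer's code: a Keycloak OIDC protocol mapper
// that, when a token is issued, fetches the user's authorization lists from an
// external user data service and writes them into the token as a claim.
// Hypothetical assumptions: the service answers GET {baseUrl}/users/{username}/authorizations
// with a JSON array of strings and is called with a bearer token configured on the mapper.
package com.example.keycloak;

import com.fasterxml.jackson.databind.JsonNode;
import org.jboss.logging.Logger;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class UserDataServiceMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "user-data-service-mapper";
    static final String CFG_BASE_URL = "uds.baseUrl";          // hypothetical config key
    static final String CFG_SERVICE_TOKEN = "uds.serviceToken"; // hypothetical config key
    static final String CFG_MAX_ITEMS = "uds.maxItems";         // hypothetical config key

    private static final Logger LOG = Logger.getLogger(UserDataServiceMapper.class);
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        CONFIG.add(prop(CFG_BASE_URL, "User data service base URL", ProviderConfigProperty.STRING_TYPE, null, false));
        CONFIG.add(prop(CFG_SERVICE_TOKEN, "Service-to-service bearer token", ProviderConfigProperty.PASSWORD, null, true));
        // Upper bound on list length: the token is sent in a header on every request,
        // and proxies and servers commonly reject headers larger than a few kilobytes.
        CONFIG.add(prop(CFG_MAX_ITEMS, "Maximum list entries per claim", ProviderConfigProperty.STRING_TYPE, "500", false));
        // Tell mapClaim() to emit a JSON array instead of collapsing the list to a single value.
        CONFIG.add(prop(ProtocolMapperUtils.MULTIVALUED, "Multivalued", ProviderConfigProperty.BOOLEAN_TYPE, "true", false));
        // Standard options: claim name, JSON type, add to ID token / access token / userinfo.
        OIDCAttributeMapperHelper.addAttributeConfig(CONFIG, UserDataServiceMapper.class);
    }

    private static ProviderConfigProperty prop(String name, String label, String type, String def, boolean secret) {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(name); p.setLabel(label); p.setType(type); p.setSecret(secret);
        if (def != null) p.setDefaultValue(def);
        return p;
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "User data service claim"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Adds authorization lists from the user data service to the token."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession session, ClientSessionContext clientSessionCtx) {
        // The subject is taken from the authenticated session, never from anything the client sent.
        String username = userSession.getUser().getUsername();
        String baseUrl = mappingModel.getConfig().get(CFG_BASE_URL);
        String serviceToken = mappingModel.getConfig().get(CFG_SERVICE_TOKEN);
        int maxItems = Integer.parseInt(mappingModel.getConfig().getOrDefault(CFG_MAX_ITEMS, "500"));
        String url = baseUrl + "/users/" + URLEncoder.encode(username, StandardCharsets.UTF_8) + "/authorizations";
        try {
            SimpleHttp.Response resp = SimpleHttp.doGet(url, session)
                    .header("Authorization", "Bearer " + serviceToken)
                    .asResponse();
            JsonNode body = resp.getStatus() == 200 ? resp.asJson() : null;
            if (body == null || !body.isArray()) {
                // Fail closed: an unreachable or misbehaving service yields no claim, so relying
                // applications see "no authorizations" instead of a stale or partial list.
                LOG.warnf("User data service returned status %d for %s; claim omitted", resp.getStatus(), username);
                return;
            }
            // Truncation can only ever remove authorizations, never grant extra ones.
            List<String> values = new ArrayList<>();
            for (JsonNode n : body) { if (values.size() >= maxItems) break; values.add(n.asText()); }
            if (values.size() < body.size()) LOG.warnf("Authorization list for %s truncated at %d entries", username, maxItems);
            OIDCAttributeMapperHelper.mapClaim(token, mappingModel, values);
        } catch (IOException e) {
            LOG.warnf(e, "User data service call failed for %s; claim omitted", username);
        }
    }
}
```

The mapper is registered through a META-INF/services/org.keycloak.protocol.ProtocolMapper file containing the class name, packaged as a JAR in Keycloak's providers/ directory, and then attached to a client scope so it can be configured per client. Because setClaim() runs on every token issuance, including refresh and userinfo requests, the user data service sits on the login path and should be fast, highly available and reachable only from Keycloak with the configured service credential.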

Technical description:

The existing concept of roles and groups in SIAM is not sufficient for assigning user authorizations, since authorizations must sometimes be granted down to the level of individual data values such as material groups or countries.