SavaPage has a RESTful API. Feedback based on real world use is greatly appreciated. So, please tell us what RESTful services you need.
I’m currently working on a setup where Savapage sources its users from an OpenLDAP server and also delegates authentication to Keycloak for a single-sign-on experience.
Both my Savapage and Keycloak instances use the same backing OpenLDAP instance. I also allow new users to register via Keycloak. Once the user verifies their email address a new user record is added to OpenLDAP.
I have set up Keycloak to publish events to a RabbitMQ broker and I’ve also written some middleware to read those events and process user creations/deletions.
What I would like to do now is programmatically tell Savapage to either:
- Sync a new specific user from LDAP; or
- Sync all users from LDAP
Is such functionality available from the REST API?
@MetaFight. When you enable “Import new users overnight”, users are automatically synchronized daily at 10 minutes past midnight. In addition you can enable “On demand user creation” to ad-hoc create a user when they successfully log in to SavaPage for the first time (“At first login”), or when they print to a SavaPage queue for the first time (“At first print”). It’s all explained in the User Creation section of the User Manual.
I’ve tried the settings you suggest but unfortunately, this doesn’t seem to work. Here’s what happens:
- User navigates to Savapage login page
- User clicks on “login with Keycloak” button
- User is directed to Keycloak page
- User chooses to register a new account
- Keycloak asks User to verify their email
- User receives a verification email with a verification link
- User clicks verification link
- Keycloak acknowledges verification, creates local account, and immediately synchronises account with LDAP
- OpenIdConnect Authentication was successful, therefore Keycloak redirects user to Savapage
- Savapage fails to log user in with error message:
Keycloak login failed Try again with another account, or use another method.
However, if I trigger a manual sync with LDAP from the Savapage Admin panel then the login works.
Now I’m wondering if I should remove the link between Savapage and LDAP. Is this necessary now that I have a working SSO setup with Keycloak? Nope, disabling the LDAP User Source doesn’t change anything. I’ll probably just sniff the API call the admin console makes when I manually sync and simulate that.
@MetaFight Please wait before diving too deep. I’m working on a solution to solve your issue right now. Should be ready today/tomorrow. I’ll let you know when it’s ready for testing.
keycloak.savapage.usersource=true in your
Your latest build, with the changes you mentioned, works like a charm! Thank you!
@MetaFight Thanks for your swift confirmation! Issue 1150 is now marked as resolved