fix: dblock for db migration / fix: ejb dist caches

Local/Remote Source Support & User Federation Implementation

.github/workflows/ci.yml

@@ -39,7 +39,6 @@ jobs:
       - name: Run molecule test
         run: molecule test --all
         working-directory: ./ansible_collections/middleware_automation/keycloak
-
         env:
           PY_COLORS: '1'
           ANSIBLE_FORCE_COLOR: '1'

README.md

@@ -31,13 +31,32 @@ collections:
 
 ### Install Playbook
 
-`playbooks/keycloak.yml` installs the keycloak or Red Hat Single Sign-On based on the defined variables.
+`playbooks/keycloak.yml` installs the upstream(Keycloak) based on the defined variables.
+`playbooks/rhsso.yml` installs Red Hat Single Sign-On(RHSSO) based on defined variables.
 
-### Choosing between Red Hat products and upstream project
+### Choosing between upstream(Keycloak) project and Red Hat Single Sign-On(RHSSO)
 
-The roles supports installing Red Hat Single Sign-On from the Customer Portal, when the following variables are defined:
+The roles supports installing upstream(Keycloak) or Red Hat Single Sign-On in the following ways
+
+#### Install upstream(Keycloak) from remote source
+
+This is default approach, there is one required variable
 
 ```
+keycloak_admin_password: "<changeme>"
+```
+
+#### Install upstream(Keycloak) from local source when the following variable is defined
+
+```
+keycloak_admin_password: "<changeme>"
+zip_file_local_path: <keycloak zip file on Ansible control node local path>
+```
+
+#### Install RHSSO from the Red Hat Customer Support Portal, when the following variables are defined
+
+```
+keycloak_admin_password: "<changeme>"
 rhn_username: '<customer_portal_username>'
 rhn_password: '<customer_portal_password>'
 rhsso_rhn_id: '<sso_product_id>'
@@ -45,6 +64,22 @@ rhsso_rhn_id: '<sso_product_id>'
 
 where `sso_product_id` is the ID for the specific Red Hat Single Sign-On version, ie. _101971_ will install version _7.5_)
 
+#### Install RHSSO from remote sources like Nexus etc, when the following variables are defined
+
+```
+keycloak_admin_password: "<changeme>"
+keycloak_rhsso_enable: True
+rhsso_source_download_url: '<url to download RHSSO zip file>'
+```
+
+#### Install RHSSO from local source when the following variable is defined
+
+```
+keycloak_admin_password: "<changeme>"
+keycloak_rhsso_enable: True
+zip_file_local_path: <rhsso zip file on Ansible control node local path>
+```
+
 ### Install role
 
 * [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service. _Requires: python3-netaddr_
@@ -69,18 +104,18 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
 
 ### Config Playbook
 
-`playbooks/keycloak-realm.yml` creates provided realm, client(s), client role(s) and client user(s) if they don't exist.
+`playbooks/keycloak-realm.yml` creates provided realm, user federation(s), client(s), client role(s) and client user(s) if they don't exist.
 
 ### Config role
 
-* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, with clients and users, in an installed service.
+* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
 
 ### Example configuration command
 
 Execute the following command from the source root directory
 
 ```
-ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
+ansible-playbook -i <ansible_hosts> playbooks/keycloak-realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
 ```
 
 - `keycloak_admin_password` password for the administration console user account.

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: middleware_automation
 name: keycloak
-version: "0.1.7"
+version: "0.1.8"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>

playbooks/keycloak-realm.yml

@@ -8,6 +8,46 @@
       vars:
         keycloak_admin_password: "changeme"
         keycloak_realm: TestRealm
+        keycloak_user_federation:
+          - realm: TestRealm
+            name: my-ldap
+            provider_id: ldap
+            provider_type: org.keycloak.storage.UserStorageProvider
+            config:
+              priority: '0'
+              enabled: true
+              cachePolicy: DEFAULT
+              batchSizeForSync: '1000'
+              editMode: READ_ONLY
+              importEnabled: true
+              syncRegistrations: false
+              vendor: other
+              usernameLDAPAttribute: uid
+              rdnLDAPAttribute: uid
+              uuidLDAPAttribute: entryUUID
+              userObjectClasses: inetOrgPerson, organizationalPerson
+              connectionUrl: ldaps://ldap.example.com:636
+              usersDn: ou=Users,dc=example,dc=com
+              authType: simple
+              bindDn: cn=directory reader
+              bindCredential: password
+              searchScope: '1'
+              validatePasswordPolicy: false
+              trustEmail: false
+              useTruststoreSpi: ldapsOnly
+              connectionPooling: true
+              pagination: true
+              allowKerberosAuthentication: false
+              debug: false
+              useKerberosForPasswordAuthentication: false
+            mappers:
+              - name: "full name"
+                providerId: "full-name-ldap-mapper"
+                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+                config:
+                  ldap.full.name.attribute: cn
+                  read.only: true
+                  write.only: false
         keycloak_clients:
           - name: TestClient1
             roles:

playbooks/keycloak.yml

@@ -2,11 +2,9 @@
 - name: Playbook for Keycloak Hosts
   hosts: keycloak
   collections:
-    - middleware_automation.redhat_csp_download
-  roles:
-    - redhat_csp_download
+    - middleware_automation.keycloak
   tasks:
-    - name: Keycloak Role
+    - name: Include keycloak role
       include_role:
         name: keycloak
       vars:

playbooks/rhsso.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook for Keycloak Hosts
+  hosts: keycloak
+  collections:
+    - middleware_automation.redhat_csp_download
+  roles:
+    - redhat_csp_download
+  tasks:
+    - name: Keycloak Role
+      include_role:
+        name: keycloak
+      vars:
+        keycloak_admin_password: "changeme"
+        keycloak_rhsso_enable: True

roles/keycloak/README.md

@@ -26,6 +26,7 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
+|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation  | `False` |
 |`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
 |`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
 |`keycloak_admin_user`| Administration console user account | `admin` |
@@ -75,20 +76,29 @@ The following variables are _required_ only when `keycloak_db_enabled` is True:
 |`keycloak_db_user` | username for connecting to postgres | `keycloak-user` |
 |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
 
+The following variable can be used to install Keycloak or Red Hat Single Sign-On from local path:
+| Variable | Description | Example |
+|:---------|:------------|:---------|
+|`zip_file_local_path` | Full local path of upstream(Keycloak) or Red Hat Single Sign-On zip file on Ansible control plane | `tmp/rhsso/rh-sso-7.5-server-dist.zip` |
+
+The following variable can be used to install Red Hat Single Sign-On from source via url, auth support is not added right now.
+| Variable | Description | Example |
+|:---------|:------------|:---------|
+|`rhsso_source_download_url` | URL to download Red Hat Single Sign-On zip file from source | `http://localhost:8081/nexus/rhsso/rh-sso-7.5-server-dist.zip` |
 
 Dependencies
 ------------
 
 The roles depends on:
 
-* the `redhat_csp_download` role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection
-* the `wildfly_driver` role from [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection
+* the redhat_csp_download role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection if Red Hat Single Sign-on zip have to be downloaded from RHN.
+* the wildfly_driver role from [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection
 
 
 Example Playbook
 ----------------
 
-The following is an example playbook that makes use of the role to install keycloak
+The following is an example playbook that makes use of the role to install keycloak from remote
 
 ```yaml
 ---
@@ -103,6 +113,75 @@ The following is an example playbook that makes use of the role to install keycl
             keycloak_admin_password: "changeme"
 ```
 
+The following is an example playbook that makes use of the role to install keycloak from local path on Ansible node
+
+```yaml
+---
+- hosts: ...
+      collections:
+        - middleware_automation.keycloak
+      tasks:
+        - name: Include keycloak role
+          include_role:
+            name: keycloak
+          vars:
+            keycloak_admin_password: "changeme"
+            zip_file_local_path: "/tmp/keycloak/keycloak-16.1.0.zip"  # This should be local path on Ansible node of upstream(keycloak) zip file
+```
+
+The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN
+
+```yaml
+---
+- name: Playbook for RHSSO
+  hosts: keycloak
+  collections:
+    - middleware_automation.redhat_csp_download
+  roles:
+    - redhat_csp_download
+  tasks:
+    - name: Keycloak Role
+      include_role:
+        name: keycloak
+      vars:
+        keycloak_admin_password: "changeme"
+        keycloak_rhsso_enable: True
+```
+
+The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from source url
+
+```yaml
+---
+- hosts: keycloak
+  collections:
+    - middleware_automation.keycloak
+  tasks:
+    - name: Keycloak Role
+      include_role:
+        name: keycloak
+      vars:
+        keycloak_admin_password: "changeme"
+        keycloak_rhsso_enable: True
+        rhsso_source_download_url: "<REPLACE with - Source download url>" # This should be the full of remote source rhsso zip file
+```
+
+The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from local path on Ansible node
+
+```yaml
+---
+- hosts: keycloak
+  collections:
+    - middleware_automation.keycloak
+  tasks:
+    - name: Keycloak Role
+      include_role:
+        name: keycloak
+      vars:
+        keycloak_admin_password: "changeme"
+        keycloak_rhsso_enable: True
+        zip_file_local_path: "/tmp/rhsso/rh-sso-7.5-server-dist.zip"  # This should be local path on Ansible node of rhsso zip file
+```
+
 License
 -------
 
@@ -114,3 +193,4 @@ Author Information
 
 * [Guido Grazioli](https://github.com/guidograzioli)
 * [Romain Pelisse](https://github.com/rpelisse)
+* [Pavan Kumar Motaparthi](https://github.com/motaparthipavankumar)

roles/keycloak/defaults/main.yml

@@ -7,7 +7,7 @@ keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_vers
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
 
 ### Configuration specific to Red Hat Single Sing-On
-keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}"
+keycloak_rhsso_enable: False
 keycloak_rhsso_version: 7.5
 keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
 keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version }}"
@@ -16,7 +16,7 @@ keycloak_rhsso_base_url: 'https://access.redhat.com/jbossnetwork/restricted/soft
 ### Install location and service settings
 jvm_package: java-1.8.0-openjdk-devel
 keycloak_dest: /opt/keycloak
-keycloak_jboss_home: "{{ keycloak_rhsso_installdir if rhsso_rhn_id is defined else keycloak_installdir }}"
+keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
 
 keycloak_config_standalone_xml: "keycloak.xml"

roles/keycloak/tasks/firewalld.yml

@@ -12,7 +12,7 @@
     enabled: yes
     state: started
 
-- name: Configure firewall for jdg ports
+- name: Configure firewall for keycloak ports
   become: yes
   firewalld:
     port: "{{ item }}"
@@ -24,4 +24,5 @@
     - "{{ keycloak_https_port }}/tcp"
     - "{{ keycloak_management_http_port }}/tcp"
     - "{{ keycloak_management_https_port }}/tcp"
+    - "7600/tcp"
     - "8009/tcp"

roles/keycloak/tasks/get_rhsso.yml

@@ -2,20 +2,20 @@
 - assert:
     that:
       - zipfile_dest is defined
-      - rhn_id_file is defined
-      - rhn_username is defined
-      - rhn_password is defined
+      - keycloak_rhsso_enable
     quiet: true
 
 - set_fact:
-    rhn_download_url: "{{ keycloak_rhsso_base_url }}{{ rhn_id_file }}"
+    rhn_download_url: "{{ keycloak_rhsso_base_url }}{{ rhsso_rhn_id }}"
+  when:
+    - rhsso_rhn_id is defined
 
 - name: "Check zipfile dest directory {{ zipfile_dest }}"
   stat:
     path: "{{ zipfile_dest }}"
   register: archive_path
 
-- name: "Install zipfile from RHN: {{ rhn_download_url }}"
+- name: "Download zipfile from RHN: {{ rhn_download_url }}"
   redhat_csp_download:
     url: "{{ rhn_download_url }}"
     dest: "{{ zipfile_dest }}"
@@ -26,11 +26,40 @@
     - archive_path is defined
     - archive_path.stat is defined
     - not archive_path.stat.exists
+    - rhn_username is defined
+    - rhn_password is defined
+    - rhsso_rhn_id is defined
+
+- name: "Copy zipfile from source like Nexus etc : {{ rhsso_source_download_url }}"
+  get_url:
+    url: "{{ rhsso_source_download_url }}"
+    dest: "{{ zipfile_dest }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0750
+  when:
+    - archive_path is defined
+    - archive_path.stat is defined
+    - not archive_path.stat.exists
+    - rhsso_source_download_url is defined
+
+- name: "Copy zipfile from local source: {{ zip_file_local_path }}"
+  ansible.builtin.copy:
+    src: "{{ zip_file_local_path }}"
+    dest: "{{ zipfile_dest }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0750
+  when:
+    - archive_path is defined
+    - archive_path.stat is defined
+    - not archive_path.stat.exists
+    - zip_file_local_path is defined
     
 - name: "Check zipfile dest directory {{ zipfile_dest }}"
   stat:
     path: "{{ zipfile_dest }}"
-  register: path_to_downloaded_artefact
+  register: path_to_downloaded_artifact
 
 - block:
     - file:
@@ -68,8 +97,8 @@
       when:
         - target_dir_state.stat.exists
   when:
-    - path_to_downloaded_artefact is defined
-    - path_to_downloaded_artefact.stat is defined
-    - path_to_downloaded_artefact.stat.exists
+    - path_to_downloaded_artifact is defined
+    - path_to_downloaded_artifact.stat is defined
+    - path_to_downloaded_artifact.stat.exists
     - target_dir is defined
     - work_dir is defined

roles/keycloak/tasks/install.yml

@@ -74,6 +74,20 @@
         - archive_path is defined
         - archive_path.stat is defined
         - not archive_path.stat.exists
+        - not keycloak_rhsso_enable and not zip_file_local_path is defined
+
+    - name: "Copy zipfile from local source: {{ zip_file_local_path }}"
+      ansible.builtin.copy:
+        src: "{{ zip_file_local_path }}"
+        dest: "{{ keycloak_dest }}"
+        owner: "{{ keycloak_service_user }}"
+        group: "{{ keycloak_service_group }}"
+        mode: 0750
+      when:
+        - archive_path is defined
+        - archive_path.stat is defined
+        - not archive_path.stat.exists
+        - not keycloak_rhsso_enable and zip_file_local_path is defined
 
     - name: extract Keycloak archive on target
       unarchive:
@@ -91,9 +105,9 @@
 - block:
     - assert:
         that:
-          - rhsso_rhn_id is defined
+          - rhsso_rhn_id is defined or zip_file_local_path is defined
         quiet: true
-        fail_msg: "Can't install RHSSO without RHN ID."
+        fail_msg: "Can't install RHSSO without either RHN ID or RHSSO zip file located on Ansible node"
 
     - name: create download directory
       file:
@@ -103,9 +117,8 @@
         group: "{{ keycloak_service_group }}"
         mode: 0750
 
-    - include_tasks: download_from_rhn.yml
+    - include_tasks: get_rhsso.yml
       vars:
-        rhn_id_file: "{{ rhsso_rhn_id }}"
         zipfile_dest: "{{ keycloak_dest }}/{{ keycloak_rhsso_archive }}"
         work_dir: "{{ keycloak_dest }}"
         target_dir: "{{ keycloak_jboss_home }}"

roles/keycloak/templates/standalone-infinispan.xml.j2

@@ -206,11 +206,11 @@
             <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
-            <session-bean>
+             <session-bean>
                 <stateless>
                     <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
                 </stateless>
-                <stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
+                <stateful default-access-timeout="5000" cache-ref="distributable" passivation-disabled-cache-ref="simple"/>
                 <singleton default-access-timeout="5000"/>
             </session-bean>
             <pools>
@@ -368,12 +368,13 @@
         </subsystem>
         <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
         <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
-            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
-                <local-cache name="passivation">
+            <cache-container name="ejb" default-cache="dist" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
+                <transport lock-timeout="60000"/>
+                <distributed-cache name="dist">
                     <locking isolation="REPEATABLE_READ"/>
                     <transaction mode="BATCH"/>
-                    <file-store passivation="true" purge="false"/>
-                </local-cache>
+                    <file-store/>
+                </distributed-cache>
             </cache-container>
             <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
                 <transport lock-timeout="60000"/>
@@ -383,8 +384,7 @@
                 <local-cache name="users">
                     <heap-memory size="10000"/>
                 </local-cache>
-                <local-cache name="authenticationSessions"/>
-{% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %}
+{% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens", "authenticationSessions" ] %}
                 <distributed-cache name="{{ cachename }}">
                     <remote-store cache="{{ cachename }}"
                                   remote-servers="remote-cache"
@@ -440,33 +440,37 @@
                     <expiration max-idle="3600000"/>
                 </local-cache>
             </cache-container>
-            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
-                <local-cache name="default">
+            <cache-container name="server" default-cache="default" aliases="singleton cluster" modules="org.wildfly.clustering.server">
+                <transport lock-timeout="60000"/>
+                <replicated-cache name="default">
                     <transaction mode="BATCH"/>
-                </local-cache>
+                </replicated-cache>
             </cache-container>
-            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
-                <local-cache name="passivation">
+            <cache-container name="web" default-cache="dist" modules="org.wildfly.clustering.web.infinispan">
+                <transport lock-timeout="60000"/>
+                <replicated-cache name="sso">
                     <locking isolation="REPEATABLE_READ"/>
                     <transaction mode="BATCH"/>
-                    <file-store passivation="true" purge="false"/>
-                </local-cache>
-                <local-cache name="sso">
+                </replicated-cache>
+                <distributed-cache name="dist">
                     <locking isolation="REPEATABLE_READ"/>
                     <transaction mode="BATCH"/>
-                </local-cache>
-                <local-cache name="routing"/>
+                    <file-store/>
+                </distributed-cache>
+                <distributed-cache name="routing"/>
             </cache-container>
             <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
-                <local-cache name="entity">
-                    <heap-memory size="10000"/>
-                    <expiration max-idle="100000"/>
-                </local-cache>
+                <transport lock-timeout="60000"/>
                 <local-cache name="local-query">
                     <heap-memory size="10000"/>
                     <expiration max-idle="100000"/>
                 </local-cache>
-                <local-cache name="timestamps"/>
+                <invalidation-cache name="entity">
+                    <transaction mode="NON_XA"/>
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </invalidation-cache>
+                <replicated-cache name="timestamps"/>
             </cache-container>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:io:3.0">
@@ -547,6 +551,15 @@
                 <cacheTemplates>true</cacheTemplates>
                 <dir>${jboss.home.dir}/themes</dir>
             </theme>
+{% if keycloak_ha_enabled %}
+            <spi name="dblock">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="lockWaitTimeout" value="900"/>
+                    </properties>
+                </provider>
+            </spi>
+{% endif %}
             <spi name="eventsStore">
                 <provider name="jpa" enabled="true">
                     <properties>

roles/keycloak/templates/standalone.xml.j2

@@ -446,6 +446,15 @@
                 <cacheTemplates>true</cacheTemplates>
                 <dir>${jboss.home.dir}/themes</dir>
             </theme>
+{% if keycloak_ha_enabled %}
+            <spi name="dblock">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="lockWaitTimeout" value="900"/>
+                    </properties>
+                </provider>
+            </spi>
+{% endif %}
             <spi name="eventsStore">
                 <provider name="jpa" enabled="true">
                     <properties>

roles/keycloak_realm/README.md

@@ -14,6 +14,8 @@ Role Defaults
 |`keycloak_http_port` | HTTP port | `8080` |
 |`keycloak_https_port` | TLS HTTP port | `8443` |
 |`keycloak_auth_realm` | Name of the main authentication realm | `master` |
+|`keycloak_rhsso_enable` | Define service is an upstream(Keycloak) or RHSSO | `master` |
+
 
 
 Role Variables
@@ -35,10 +37,29 @@ The following variables are available for creating clients:
 |`keycloak_client_default_roles` | List of default role name for clients | `[]` |
 |`keycloak_client_users` | List of user/role mappings for a client | `[]` |
 
+The following variable are available for creating user federation:
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_user_federation` | List of _keycloak_user_federation_ for the realm | `[]` |
+
 
 Variable formats
 ----------------
 
+* `keycloak_user_federation`, a list of:
+
+```yaml
+    - realm:  <name of the realm in which user federation should be configured, required>
+      name: <name of the user federation provider, required>
+      provider_id: <Type of the user federation provider, required>
+      provider_type: < Provider Type, default is set to org.keycloak.storage.UserStorageProvider>
+      config: <Dictionary of supported configuration values, required>
+      mappers: <List of supported configuration values, required>
+```
+
+Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_user_federation_module.html) for information on supported variables.
+
 * `keycloak_clients`, a list of:
 
 ```yaml
@@ -71,7 +92,6 @@ Variable formats
 
 For a comprehensive example, refer to the [playbook](playbooks/keycloak.yml).
 
-
 Example Playbook
 ----------------
 

roles/keycloak_realm/defaults/main.yml

@@ -9,6 +9,9 @@ keycloak_admin_user: admin
 keycloak_auth_realm: master
 keycloak_auth_client: admin-cli
 
+### List of Keycloak User Federation
+keycloak_user_federation: []
+
 ### Keycloak realm client defaults
 # list of clients to create in the realm
 #

roles/keycloak_realm/tasks/main.yml

@@ -34,6 +34,24 @@
     status_code: 201
   when: keycloak_realm_exists.status == 404
 
+- name: Create user federation
+  community.general.keycloak_user_federation:
+    auth_keycloak_url: "{{ keycloak_url }}/auth"
+    auth_realm: "{{ keycloak_auth_realm }}"
+    auth_username: "{{ keycloak_admin_user }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    realm: "{{ item.realm }}"
+    name: "{{ item.name }}"
+    state: present
+    provider_id: "{{ item.provider_id }}"
+    provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}" 
+    config: "{{ item.config }}"
+    mappers: "{{ item.mappers | default(omit) }}"
+  register: create_user_federation_result
+  loop: "{{ keycloak_user_federation | flatten }}"
+  when: keycloak_user_federation is defined
+
+
 - name: Create Client
   community.general.keycloak_client:
     auth_client_id: "{{ keycloak_auth_client }}"

roles/keycloak_realm/vars/main.yml

@@ -13,4 +13,4 @@ keycloak_clients:
 # other settings
 keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
 keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
-keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}"
+keycloak_rhsso_enable: False