Migration to 1.31+
Changed Keycloak environment variables
- KEYCLOAK_HA_CACHE_STACK no longer supports the value 'none'. Use one of 'udp', 'tcp' or 'kubernetes', even for single-instance setups.
- Introduced the NEXEED_MACMA_KEYCLOAK_DB_URL environment variable to configure the database URL for the Keycloak database. In a Helm deployment this variable is filled automatically by the utility toolkit.
- If NEXEED_MACMA_KEYCLOAK_DB_URL is not provided, the connection string is constructed from the legacy variables DB_ADDR, DB_PORT, DB_DATABASE and JDBC_PARAMS.
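The precedence described above (explicit NEXEED_MACMA_KEYCLOAK_DB_URL first, legacy variables as fallback), written out as a small POSIX shell function. This is an added example for illustration, not macma's own startup code: the jdbc:sqlserver URL shape, the default port 1433 and the handling of a leading ';' in JDBC_PARAMS are assumptions based on the MSSQL-backed macma-keycloak-mssql component, and the sample values are constructed.

```sh
#!/bin/sh
# Added example (not macma's own code): assemble the Keycloak DB URL the way
# the migration note describes. An explicit NEXEED_MACMA_KEYCLOAK_DB_URL wins;
# otherwise the URL is built from DB_ADDR, DB_PORT, DB_DATABASE and JDBC_PARAMS.
# Assumption: MSSQL JDBC URL form "jdbc:sqlserver://host:port;databaseName=db;...".

build_keycloak_db_url() {
  # $1 explicit URL, $2 DB_ADDR, $3 DB_PORT, $4 DB_DATABASE, $5 JDBC_PARAMS
  explicit_url=$1; db_addr=$2; db_port=$3; db_database=$4; jdbc_params=$5

  if [ -n "$explicit_url" ]; then
    printf '%s\n' "$explicit_url"
    return 0
  fi

  # Fail loudly instead of starting Keycloak with a half-built connection string.
  if [ -z "$db_addr" ] || [ -z "$db_database" ]; then
    echo "error: NEXEED_MACMA_KEYCLOAK_DB_URL unset and DB_ADDR/DB_DATABASE missing" >&2
    return 1
  fi

  port=${db_port:-1433}   # assumption: default MSSQL port when DB_PORT is empty
  url="jdbc:sqlserver://${db_addr}:${port};databaseName=${db_database}"

  if [ -n "$jdbc_params" ]; then
    # Tolerate JDBC_PARAMS given with or without a leading ';'.
    case $jdbc_params in
      ';'*) url="${url}${jdbc_params}" ;;
      *)    url="${url};${jdbc_params}" ;;
    esac
  fi
  printf '%s\n' "$url"
}

# Constructed sample values, mirroring what a legacy deployment would export:
build_keycloak_db_url "" "db.example.internal" "1433" "keycloak" "encrypt=true;trustServerCertificate=false"
```

Run it with the five values your deployment exports; an empty first argument exercises the legacy path, and a missing DB_ADDR or DB_DATABASE returns a non-zero status so a startup script can abort before Keycloak tries to connect.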
Nested Groups mapping with Entra ID Identity Provider
This feature is available only for new Entra ID Identity Providers created in macma 1.31+. Already existing Entra ID Identity Providers need to be recreated for this feature to take effect.
Additional configuration is needed in the Azure application for this feature to work:
- The login_hint claim must be configured for the ID token.
- The GroupMember.Read.All and User.Read delegated permissions must be granted to the application.
  - Internally we call the /me/transitiveMemberOf/microsoft.graph.group?$select= endpoint to get all groups of a user.
  - The User.Read permission is required for the API call /me/transitiveMemberOf.
  - The GroupMember.Read.All permission is required to read the transitive groups via /me/transitiveMemberOf/microsoft.graph.group?$select=.
- Make sure the URL configured in NEXEED_MACMA_KEYCLOAK_MICROSOFT_GRAPH_API_BASE_URL is reachable from the Keycloak pod.
  Also, the proxy environment variables for outgoing requests need to be properly configured in Keycloak: HTTP_PROXY, HTTPS_PROXY and NO_PROXY (see macma/macma-keycloak-mssql Configuration for more information).
For more details please refer to the user manual.