configure DataONE realm to federate changes back to account service

[mbjones]

The DataONE account service tracks users and groups, and has our current set of registered ORCID accounts. Configure the federated identity service to write changes to accounts back to the DataONE account service so they are accessible for client inspection in ACLs, etc.

Note the DataONE accounts use non-https ORCID URLs, whereas the current ORCID login sets the username to the ORCID value only (without the URI scheme). So need to resolve these discrepancies, keeping in mind that ACLs use non-http for now. One approach is to use equivalent/mapped identities in Keycloak.

[mbjones]

Apparently, turning on user federation but not enabling username/password logins is not straightforward. See: keycloak/keycloak#31505. There seems to be some mechanism to auto-forward to the ORCID IdP.

[mbjones]

Found a way to automatically redirect to the ORCID identity provider by setting a default for the browser login flow. So this bypasses the login dialogue and goes straight to ORCID when the client URL is accessed.

[mbjones]

Need to switch to using the actual DataONE account LDAP, as well as setting it up to write accounts there.

• Use DataONE LDAP
• Read and write new accounts to DataONE LDAP

[mbjones]

Configured the test service to connect to DataONE LDAP. Had to open up the firewall on cn-sandbox to allow the k8s nodes access to the LDAP port, but otherwise it was straightforward to import the accounts. For now, it is set as READ-ONLY and is only importing accounts from DataONE to keycloak, and not the other direction.