# Helm values for a Keycloak deployment that federates logins to a Microsoft
# Entra ID tenant and bootstraps the realm with keycloak-config-cli.

ingress:
  hostname: id.forteapps.net

# Opt-in Keycloak features. token-exchange and admin-fine-grained-authz are
# not enabled by default — confirm their support status (preview vs.
# supported) for the deployed Keycloak version before relying on them.
extraEnvVars:
  - name: KC_FEATURES
    value: "token-exchange:v1,admin-fine-grained-authz:v1"

keycloakConfigCli:
  enabled: true
  extraEnvVars:
    # Allows the realm JSON below to reference environment variables as
    # $(env:NAME), so the IdP client secret never appears in this file.
    - name: IMPORT_VAR_SUBSTITUTION_ENABLED
      value: "true"
    # Consumed by the $(env:MS_IDP_CLIENT_SECRET) placeholders below.
    - name: MS_IDP_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: microsoft-idp-credentials
          key: MS_IDP_CLIENT_SECRET
  configuration:
    # Realm import for "forte". Points worth knowing before editing:
    #  - "auto-link-first-broker-login" links a federated login to an existing
    #    local user purely by e-mail match (idp-auto-link), with no
    #    confirmation step. Together with trustEmail=true and the mappers
    #    that force emailVerified=true, the realm fully trusts the e-mail
    #    claim issued by the configured Entra tenant.
    #    NOTE(review): confirm that tenant only asserts e-mail addresses it
    #    controls, since any address it issues can be linked to a local
    #    account.
    #  - Both identity providers share one Entra app registration; only the
    #    requested scopes differ. "forte-entra-graph" additionally keeps the
    #    Microsoft token (storeToken=true) for Graph calls (User.Read,
    #    Mail.Send).
    #  - The broker client's "read-token" role is added to the realm default
    #    roles, so every realm user may retrieve their own stored IdP token.
    #  - clientSecret placeholders are resolved at import time from
    #    MS_IDP_CLIENT_SECRET.
    # JSON cannot carry comments — do not add any inside the block scalar.
    microsoft-idp.json: |
      {
        "realm": "forte",
        "authenticationFlows": [
          {
            "alias": "auto-link-first-broker-login",
            "description": "Auto-link IdP accounts to existing users by email",
            "providerId": "basic-flow",
            "topLevel": true,
            "builtIn": false,
            "authenticationExecutions": [
              {
                "authenticator": "idp-create-user-if-unique",
                "authenticatorFlow": false,
                "requirement": "ALTERNATIVE",
                "priority": 10
              },
              {
                "authenticator": "idp-auto-link",
                "authenticatorFlow": false,
                "requirement": "ALTERNATIVE",
                "priority": 20
              }
            ]
          }
        ],
        "identityProviders": [
          {
            "alias": "forte-entra",
            "displayName": "Forte Entra",
            "providerId": "microsoft",
            "enabled": true,
            "trustEmail": true,
            "firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
            "config": {
              "clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
              "clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
              "defaultScope": "openid email profile",
              "tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
              "syncMode": "IMPORT"
            }
          },
          {
            "alias": "forte-entra-graph",
            "displayName": "Forte Entra (Graph)",
            "providerId": "microsoft",
            "enabled": true,
            "storeToken": true,
            "trustEmail": true,
            "firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
            "config": {
              "clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
              "clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
              "defaultScope": "openid email profile User.Read Mail.Send",
              "tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
              "syncMode": "IMPORT"
            }
          }
        ],
        "identityProviderMappers": [
          {
            "name": "forte-entra-email",
            "identityProviderAlias": "forte-entra",
            "identityProviderMapper": "hardcoded-attribute-idp-mapper",
            "config": {
              "syncMode": "INHERIT",
              "attribute": "emailVerified",
              "attribute.value": "true"
            }
          },
          {
            "name": "forte-entra-graph-email",
            "identityProviderAlias": "forte-entra-graph",
            "identityProviderMapper": "hardcoded-attribute-idp-mapper",
            "config": {
              "syncMode": "INHERIT",
              "attribute": "emailVerified",
              "attribute.value": "true"
            }
          }
        ],
        "roles": {
          "realm": [
            {
              "name": "default-roles-forte",
              "composites": {
                "client": {
                  "broker": ["read-token"]
                }
              }
            }
          ]
        }
      }