#13140 Restore User Synchronization Button and Ensure Proper Keycloak Synchronization Configuration (#13146)

Co-authored-by: Levente Gal <levente.gal.ext@vitagroup.ag>

Author: leventegal-she

docs/SERVER_SETUP.md

@@ -190,9 +190,25 @@ In case Keycloak is set up alongside an already running instance of SORMAS, thes
 3. Login to SORMAS and trigger the **Sync Users** button from the **Users** page
 4. This will sync users to Keycloak keeping their original password - see [SORMAS Keycloak Service Provider](sormas-keycloak-service-provider/README.md) for more information about this
 
+### Synchronization between SORMAS and Keycloak
+
+The synchronization of users between SORMAS and Keycloak is can be done in two ways:
+from SORMAS to Keycloak or from Keycloak to SORMAS depending on how the `AUTH_PROVIDER_TO_SORMAS_USER_SYNC` feature is configured.
+
+By default, the `AUTH_PROVIDER_TO_SORMAS_USER_SYNC` feature is disabled so the synchronization happens from SORMAS to Keycloak.
+An automatic synchronization happens when a user is created/changed/deleted in SORMAS, 
+and there is another way to trigger this manually by an admin on the users page meaning the users are managed in SORMAS.
+
+If the feature is enabled, the synchronization is done from Keycloak to SORMAS.
+In order to make this feature work you also need to configure the `authentication.provider.syncedNewUserRole`configuration property in the `sormas.properties` file 
+to the name of the role that you want to be assigned to the new users coming from Keycloak.
+
+This feature doesn't allow changing the users in SORMAS, except their roles and language, so users will be managed in keycloak.
+The synchronization is done automatically each day at night, or manually by an admin on the users page when needed.
+
 ### Keycloak configuration
 
-More about the default configuration and how to customize can be found here [Keycloak](sormas-base/doc/keycloak.md)
+More about the default configuration and how to customize can be found here [Keycloak](../sormas-base/doc/keycloak.md)
 
 ## Web Server Setup
 

sormas-api/src/main/java/de/symeda/sormas/api/i18n/Strings.java

@@ -1492,6 +1492,7 @@ public interface Strings {
 	String messageSubcontinentsDearchived = "messageSubcontinentsDearchived";
 	String messageSymptomsHint = "messageSymptomsHint";
 	String messageSymptomsVisitHint = "messageSymptomsVisitHint";
+	String messageSyncUsersFromAuthProviderConfigurationError = "messageSyncUsersFromAuthProviderConfigurationError";
 	String messageSystemFollowUpCanceled = "messageSystemFollowUpCanceled";
 	String messageSystemFollowUpCanceledByDropping = "messageSystemFollowUpCanceledByDropping";
 	String messageTaskArchived = "messageTaskArchived";

sormas-api/src/main/resources/strings.properties

@@ -1521,6 +1521,8 @@ messageCustomizableEnumValueSaved = Customizable enum value saved
 messageExternalEmailAttachmentPassword=Please use this password to open the documents sent to you via email from SORMAS: %s
 messageExternalEmailAttachmentNotAvailableInfo=Attaching documents is disabled because encryption would not be possible. To encrypt documents, the person needs to have either a national health ID specified, or a primary mobile phone number set with SMS sending set up on this system.
 messagePersonNationalHealthIdInvalid=The entered national health ID does not seem to be correct
+messageSyncUsersFromAuthProviderConfigurationError=Syncing users from authentication provider is not possible because the configuration is incorrect. Please contact an admin and inform them about this issue.
+
 # Notifications
 notificationCaseClassificationChanged = The classification of case %s has changed to %s.
 notificationCaseInvestigationDone = The investigation of case %s has been done.

sormas-backend/src/main/java/de/symeda/sormas/backend/user/UserFacadeEjb.java

@@ -1096,10 +1096,7 @@ public void syncUsersFromAuthenticationProvider() {
 		UserRight._SYSTEM })
 	public boolean isSyncEnabled() {
 		AuthProvider authProvider = AuthProvider.getProvider(configFacade);
-		return KEYCLOAK.equalsIgnoreCase(authProvider.getName())
-			&& (featureConfigurationFacade.isFeatureDisabled(FeatureType.AUTH_PROVIDER_TO_SORMAS_USER_SYNC)
-				|| StringUtils.isNotBlank(configFacade.getAuthenticationProviderSyncedNewUserRole()));
-
+		return KEYCLOAK.equalsIgnoreCase(authProvider.getName());
 	}
 
 	@Override

sormas-ui/src/main/java/de/symeda/sormas/ui/user/UserController.java

@@ -347,6 +347,12 @@ public void setFlagIcons(ComboBox cbLanguage) {
 
 	public void sync() {
 		if (UiUtil.permitted(FeatureType.AUTH_PROVIDER_TO_SORMAS_USER_SYNC)) {
+			if (StringUtils.isBlank(FacadeProvider.getConfigFacade().getAuthenticationProviderSyncedNewUserRole())) {
+				VaadinUiUtil.showSimplePopupWindow(
+					I18nProperties.getString(Strings.headingSyncUsers),
+					I18nProperties.getString(Strings.messageSyncUsersFromAuthProviderConfigurationError));
+				return;
+			}
 			FacadeProvider.getUserFacade().syncUsersFromAuthenticationProvider();
 			SormasUI.refreshView();
 		} else {