How to preserve group inheritance (groups and the users in them) from LDAP to Keycloak - keycloak

I'm new to Keycloak and LDAP SSO. I am trying to use LDAP user federation with Keycloak.
I created an organization (e.g. org) and some nested groups (e.g. sales, develop) as posixGroup entries.
Now I want to synchronize these LDAP groups (org, sales, develop) to Keycloak groups while preserving the group inheritance.
I tried the following to sync LDAP to Keycloak, but the groups are imported without inheritance:
Does anyone know how to do this correctly? I just want to import the groups with their users.
If you are a master of this, please let me know how to import users into groups while maintaining
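Added example, not part of the question above and not Keycloak's own code. It shows what "Preserve Group Inheritance" in Keycloak's LDAP group mapper relies on: a membership attribute whose values are DNs, so that one group can list another group as a member. It derives the group tree the mapper would build from a constructed LDIF sample, shows that posixGroup (memberUid holding bare uids) can only yield flat groups, and builds the mapper body for the Admin REST API. Keycloak refuses to save a group mapper that combines UID membership with preserved inheritance, and the same check is applied before anything is sent. The LDIF, the DNs, and the config key names are assumptions; the key names are written from memory of the group-ldap-mapper and should be checked against the mapper form in your Keycloak version.

```python
import re

# Constructed sample (not real directory data): three groupOfNames entries.
# "org" names the other two groups as members by DN; that DN reference is the
# only thing the mapper can follow to make sales and develop subgroups of org.
SAMPLE_LDIF = """\
dn: cn=org,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: org
member: cn=sales,ou=groups,dc=example,dc=com
member: cn=develop,ou=groups,dc=example,dc=com
member: uid=ceo,ou=people,dc=example,dc=com

dn: cn=sales,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: sales
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=develop,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: develop
member: uid=bob,ou=people,dc=example,dc=com
member: uid=alice,ou=people,dc=example,dc=com
"""

# Same groups as posixGroup (constructed, gidNumber omitted): memberUid holds
# bare uids, so no group can refer to another group and there is no tree.
SAMPLE_POSIX_LDIF = """\
dn: cn=org,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: org
memberUid: ceo

dn: cn=sales,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: sales
memberUid: alice
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines.
    No base64 ('::') values and no folded lines; the samples use neither."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def group_tree(entries, membership_attr="member", membership_type="DN"):
    """Return (group_paths, user_groups): cn -> Keycloak path like '/org/sales',
    and member value (user DN, or bare uid for UID membership) -> sorted paths.
    With DN membership a member equal to another group's DN makes that group a
    subgroup; with UID membership nothing can name a group, so all stay top-level.
    Two parents or a cycle raise: Keycloak's docs warn both can break the sync."""
    attr = membership_attr.lower()
    parent, user_groups = {}, {}
    for dn, attrs in entries.items():
        for value in attrs.get(attr, []):
            if membership_type == "DN" and value in entries:  # exact DN match only
                if value in parent:
                    raise ValueError(f"{value} has more than one parent group")
                parent[value] = dn
            else:
                user_groups.setdefault(value, []).append(dn)

    def path(dn, seen=()):
        if dn in seen:
            raise ValueError(f"group cycle through {dn}")
        name = "/" + entries[dn]["cn"][0]
        return (path(parent[dn], seen + (dn,)) + name) if dn in parent else name

    paths = {entries[dn]["cn"][0]: path(dn) for dn in entries}
    return paths, {u: sorted(path(g) for g in gs) for u, gs in user_groups.items()}


def group_mapper_config(groups_dn, membership_attr="member", membership_type="DN",
                        preserve_inheritance=True, object_classes="groupOfNames"):
    """Body for POST /admin/realms/{realm}/components creating a group-ldap-mapper;
    add "parentId": <component id of the LDAP provider> before sending. Key names
    are assumptions from memory of Keycloak's mapper; verify in your version."""
    if preserve_inheritance and membership_type != "DN":
        raise ValueError("Keycloak cannot preserve group inheritance with UID "
                         "membership (posixGroup/memberUid); use member DNs")
    return {
        "name": "groups",
        "providerId": "group-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "config": {
            "groups.dn": [groups_dn],
            "group.name.ldap.attribute": ["cn"],
            "group.object.classes": [object_classes],
            "preserve.group.inheritance": [str(preserve_inheritance).lower()],
            "membership.ldap.attribute": [membership_attr],
            "membership.attribute.type": [membership_type],
            "membership.user.ldap.attribute": ["uid"],
            "mode": ["LDAP_ONLY"],
            "user.roles.retrieve.strategy": ["LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"],
        },
    }
```

Running `group_tree(parse_ldif(SAMPLE_LDIF))` gives `/org`, `/org/sales` and `/org/develop`, with alice in both subgroups; the posixGroup sample with `("memberUid", "UID")` gives `/org` and `/sales` side by side, which is the flat result described in the question. To apply the mapper, POST the returned dict with `parentId` set to the LDAP provider's component id, using an admin bearer token, then run "Sync LDAP Groups To Keycloak" on the mapper. For groups that must keep a hierarchy, the directory entries need a DN-valued member attribute (groupOfNames or groupOfUniqueNames with nested members); with posixGroup the groups can only be imported flat.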

Related

Multitenancy with KeyCloak

We have a system that utilizes different tenants, where users can be part of one or multiple tenants. You can imagine it as one application, where users can switch between the tenants and see assets related to the selected tenantId.
Our external Keycloak adviser proposes using one realm and reflecting the different tenants as clients in Keycloak.
I've read in different sources that it is not advised to use multi-tenancy with one realm, though I am not 100% sure if it applies to our use case.
Additionally we will need to have different groups on the same user, depending on the tenantId.
For example a user could have groups A and B on tenant 1 but only group B on tenant 2. This doesn't seem to be possible out of the box with Keycloak.
Which general approach would you suggest?

Keycloak -> How to fetch permissions attached to a single role or group

Scenario:
Use groups for multi-tenancy (one user working for different organizations):
Create one group for each org, like group_org1, group_org2, etc.
Grant permissions to the above groups using a group policy (in the confidential client's authorization tab). E.g. group_org1 has permission on resource1 and group_org2 has permission on resource2.
Assign the above groups to a user; the user will then have 2 groups and permission on resource1 & resource2.
Now the groups fetched for this user will be used as organizations in the application.
When org1 is selected, the application will work according to the permissions attached to group org1, i.e. permission only on resource1.
Question:
As of now, if I try to fetch the authorization permissions for a user, Keycloak gives me the combined permissions attached to both groups, i.e. on resource1 and resource2. I need to fetch the permissions attached to a single group using the Keycloak REST API. (After fetching these specific permissions I can authorize the user in the application for the given resource.)
Hope I made my question a bit clear.

How to share configuration between realms in keycloak

We are working with Keycloak. In our application we have different organizations, and we created a different realm for each organization in Keycloak too.
Our requirement is that each realm admin needs to manage their own users and roles (create users, assign roles, etc.), but role creation should be restricted. Is there any possible solution for this?
Please let me know the answers to the following questions:
1 Is there any possibility to inherit/share/copy the User Federation from the Master realm to any other realm? If not, what is the best practice for handling this type of requirement?
2 Is there any option to disable some administration in realms (for example, block role creation in all realms except master)?
Please see some similar questions
Inherit/Share User Federation in Keycloak
https://keycloak.discourse.group/t/shared-realms-configuration/3642
Thank you

Keycloak - how to implement delegated administration

I need to implement user hierarchy using keycloak and I was wondering if someone has done it before or perhaps can give me some pointers on different ways.
In our scenario we have
single application to protect with open-id connect
1 single super-admin ( realm admin)
many team admins ( created by the super admin ) who can only administer users who belong to the same team as themselves
ordinary users who belong to a given team and are created by the team admin
Is there a way to achieve this using keycloak's authorization?
Shall I build a Custom REST endpoint in keycloak to implement this?
Shall I create groups / team perhaps ?
I am not sure what the easiest route is. I would like to implement the easiest solution.

Keycloak: Rule-based groups

I have configured Keycloak with user self-registration. The Keycloak instance will hold the users of multiple customers, which I plan to put into groups (so each customer can have admins who manage these users through fine-grained permissions).
To map users that are self-registering to appropriate groups (using their email address, e.g.) I'd like to put them in their default group upon registering. Is this possible using either configuration or implementing an SPI? Or are there other possibilities to achieve a similar behavior?