[keycloak-user] Relationship of Groups to Roles?

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Fri Dec 11 06:57:39 EST 2015


On Dec 11, 2015 6:48 AM, "Marek Posolda" <
> I am starting on adding LDAP Group Mapper to Keycloak and it will be
> (hopefully) available in 1.8. Mapper will allow you to specify in which DN
> are your groups and in which DN(s) are your roles (LDAP RoleMapper is
> already available, but I am planning some changes to 1.8, but it should
> remain backwards compatible).

Very nice, but this is so a legacy application can use keycloak via ldap.
It would be great if an application that only knows how to speak ldap could
use keycloak for authorization information. You can tell the app to look at
my virtual directory which in turn would make the web services calls. If I
use an http/2 implementation it would scale well too.

>
> So for your LDAP tree example, if you configure mappers like:
> - Group Mapper: ou=groups,ou=keycloak
> - Role Mapper for realm roles: ou=roles,ou=keycloak
> - Role Mapper for client roles of client "app1":
> ou=app1,ou=roles,ou=keycloak
>
> you will be able to map the environment. And you don't need to care about
> the names of roles, groups etc. because:
> - LDAP group "cn=MyGroup,ou=groups,ou=keycloak" will be automatically
> treated as Keycloak group
> - LDAP group "cn=myrole,ou=users,ou=keycloak" will be treated as Keycloak
> realm role
> - LDAP group "cn=anAppSpecificRole,cn=app1,ou=roles,ou=keycloak" will be
> treated as client role of "app1" client
>
> The Role Mapper is already available, so you can already try it out with
> 1.7.
>
> Marek
>
>>
>> Am I on the right track?  I've got Keycloak up and running so I'll
>> play around with the apis too but didn't want to do that in a vacuum.
>>
>> Thanks
>>
>>
>>> On 12/10/2015 3:33 PM, Marc Boorshtein wrote:
>>>>
>>>> I'm trying to wrap my head around the use cases where each would be
>>>> used. If I understand it correctly, a role is a unit of authorization.
>>>> Roles can have entitlements, either defined by Keycloak or an
>>>> application. A role can have other roles as members. It can also
>>>> have groups and individual users. Groups aren't directly linked to
>>>> entitlements, but are instead used to simply create a way to create a
>>>> set of users (and groups). Is this an accurate representation?
>>>>
>>>> I ask because I want to build some integrations between OpenUnison and
>>>> MyVirtualDirectory. Both work primarily on the LDAP concepts of
>>>> users, groups and users. Beyond SSO integration between OpenUnison
>>>> and Keycloak, I'm looking at creating a provisioning target so
>>>> OpenUnison workflows can provision access to Keycloak roles as well
>>>> as an insert for MyVirtualDirectory that can represent Keycloak roles
>>>> and users as LDAP Objects for legacy applications.
>>>>
>>>> Thanks
>>>>
>>>>
>>>> Marc Boorshtein
>>>> CTO Tremolo Security
>>>> marc.boorshtein at tremolosecurity.com
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>
>
>
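The mapping rule Marek describes above (an LDAP entry becomes a Keycloak group, realm role or client role purely according to which configured parent DN it sits under) as an added example, not code from this thread or from Keycloak itself. The mapper base DNs are the ones quoted in the thread; the `MAPPERS` dict shape, the `Mapping` class and the function names are this example's own assumptions. Sample entries are constructed with the parents the mappers name, so an entry under a base that is not configured (for instance ou=users) is deliberately left unmapped rather than guessed at.

```python
"""
Added example (not from the keycloak-user thread or the Keycloak project):
classify LDAP entries into Keycloak groups, realm roles and client roles by
the parent DN configured on each mapper.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Mapper configuration as quoted in the thread. The dict shape is an
# assumption for this example, not Keycloak's own configuration format.
MAPPERS: Dict = {
    "groups": "ou=groups,ou=keycloak",
    "realm_roles": "ou=roles,ou=keycloak",
    "client_roles": {"app1": "ou=app1,ou=roles,ou=keycloak"},
}


@dataclass(frozen=True)
class Mapping:
    kind: str                     # "group", "realm-role" or "client-role"
    name: str                     # the entry's cn value, case preserved
    client: Optional[str] = None  # client id, only for client roles


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, leaf first.

    Backslash-escaped commas inside a value are not treated as separators,
    and attribute names are lower-cased so CN= and cn= compare equal.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def _key(rdns: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Case-folded form used only for comparing DNs, never for role names."""
    return [(attr, value.lower()) for attr, value in rdns]


def classify(dn: str, mappers: Dict = MAPPERS) -> Optional[Mapping]:
    """Return how the configured mappers would treat this entry, or None.

    The parent DN must equal a configured base exactly: an entry elsewhere
    in the tree, or a container such as ou=app1, is ignored rather than
    turned into a group or role by accident.
    """
    parsed = parse_dn(dn)
    if len(parsed) < 2:
        return None
    (leaf_attr, leaf_value), parent = parsed[0], _key(parsed[1:])
    if leaf_attr != "cn":  # only cn= entries name a group or role
        return None
    for client, base in mappers["client_roles"].items():
        if parent == _key(parse_dn(base)):
            return Mapping("client-role", leaf_value, client)
    if parent == _key(parse_dn(mappers["realm_roles"])):
        return Mapping("realm-role", leaf_value)
    if parent == _key(parse_dn(mappers["groups"])):
        return Mapping("group", leaf_value)
    return None


# Constructed sample entries, written under the bases the mappers name.
SAMPLE_ENTRIES = [
    "cn=MyGroup,ou=groups,ou=keycloak",
    "cn=myrole,ou=roles,ou=keycloak",
    "cn=anAppSpecificRole,ou=app1,ou=roles,ou=keycloak",
    "ou=app1,ou=roles,ou=keycloak",     # container, not a role
    "cn=stray,ou=other,ou=keycloak",    # outside every configured base
]


def classify_all(dns: List[str]) -> Dict[str, Optional[Mapping]]:
    return {dn: classify(dn) for dn in dns}


if __name__ == "__main__":
    for dn, mapping in classify_all(SAMPLE_ENTRIES).items():
        print(f"{dn:55} -> {mapping}")
```

Comparing the whole parent DN rather than searching for a substring is the point worth keeping: with both a realm-role base and an `ou=app1` client-role base under `ou=roles`, only an exact parent match tells the two apart, and anything not under a configured base stays unmapped.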