[keycloak-user] retrieving group membership info from LDAP/AD
Marek Posolda
mposolda at redhat.com
Mon Jan 4 04:46:59 EST 2016
On 30/12/15 18:42, Mahantesh Prasad Katti wrote:
>
> Hi All,
>
> In our application, we integrate with Microsoft AD for authenticating
> users. As part of the authentication result, we also fetch group
> information for the user authenticated. We also have a pre-defined
> group-role mapping defined in the application server [This is a JEE
> configuration file]. This helps decide whether a particular user based
> on the role he belongs to can access a resource or not. I read another
> thread “Apply group membership filter on ldap login
> <http://lists.jboss.org/pipermail/keycloak-user/2015-December/003982.html>”
> on similar lines. Couple of clarifications.
>
> 1.Based on what I read there is no feature to get roles and map them
> to specific roles in keycloak and would be available in a future
> release. I just wanted to understand if my reading of this is on the
> right lines. Also, wanted to know if there’s a workaround for this in
> the short term.
>
The feature to get LDAP roles and map them to specific roles in Keycloak
is available. We have LDAP Role Mapper (See documentation
http://keycloak.github.io/docs/userguide/keycloak-server/html/user_federation.html#ldap_mappers
and our ldap example for details).
The thread "Apply group membership filter on ldap login" is more about
restricting that some LDAP users are not able to login at all (For
example, specify that just users, which are members of LDAP group
"cn=mygroup,o=myorg,dc=example,dc=com" are able to login and all the
other users are filtered). This will be available from 1.8 release (it's
in master already).
>
> 2.Also does keycloak provide fine grained access control on the lines
> of apache shiro?
>
Keycloak provides SSO and authentication. Once you authenticate, your
application will receive access token with the roles of user from
Keycloak (We have stuff like scope, protocol mappers etc, which allows
better control under what exactly will go to access token. See docs and
examples for details).
Then it's up to the application how it interprets roles from accessToken
. The authorization needs to be actually done by application itself
(unless it's JEE application where we have mapping of accessToken roles
to JEE roles. Again see examples). We have separate subproject under
development (no official release yet available), which will allow more
authorization possibilities.
Marek
> Thanks
>
> Prasad
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160104/a7688190/attachment.html
More information about the keycloak-user
mailing list