<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 30/12/15 18:42, Mahantesh Prasad
Katti wrote:<br>
</div>
<blockquote
cite="mid:83FA22EE27AA7949A5F616D4DD6AF71E1640F1DC@INBLRMBX002.INDECOMM.LOCAL"
type="cite">
<div class="Section1">
<p class="MsoNormal">Hi All,</p>
<p class="MsoNormal">In our application, we integrate with
Microsoft AD for authenticating users. As part of the
authentication result, we also fetch group information for the
authenticated user. We also have a pre-defined group-role
mapping defined in the application server [this is a JEE
configuration file]. This helps decide whether a particular
user, based on the role he belongs to, can access a resource or
not. I read another thread “<a moz-do-not-send="true"
href="http://lists.jboss.org/pipermail/keycloak-user/2015-December/003982.html">Apply
group membership filter on ldap login</a>” on similar
lines. A couple of clarifications:</p>
<p class="MsoListParagraph">1. Based on what I read, there is no
feature to get roles and map them to specific roles in
Keycloak, and it would be available in a future release. I just
wanted to understand if my reading of this is on the right
lines. Also, I wanted to know if there’s a workaround for this
in the short term.</p>
</div>
</blockquote>
The feature to get LDAP roles and map them to specific roles in
Keycloak is available. We have the LDAP Role Mapper (see the documentation at
<a class="moz-txt-link-freetext" href="http://keycloak.github.io/docs/userguide/keycloak-server/html/user_federation.html#ldap_mappers">http://keycloak.github.io/docs/userguide/keycloak-server/html/user_federation.html#ldap_mappers</a>
and our ldap example for details).<br>
<br>
The thread "Apply group membership filter on ldap login" is more
about restricting some LDAP users from logging in at all
(for example, specifying that only users who are members of the LDAP
group "cn=mygroup,o=myorg,dc=example,dc=com" are able to log in and
all other users are filtered out). This will be available from the 1.8
release (it's in master already).<br>
<blockquote
cite="mid:83FA22EE27AA7949A5F616D4DD6AF71E1640F1DC@INBLRMBX002.INDECOMM.LOCAL"
type="cite">
<div class="Section1">
<p class="MsoListParagraph">2. Also, does Keycloak provide fine-grained
access control along the lines of Apache Shiro?</p>
</div>
</blockquote>
Keycloak provides SSO and authentication. Once you authenticate,
your application will receive an access token with the roles of the user
from Keycloak (we have things like scope, protocol mappers, etc., which
allow better control over what exactly goes into the access token.
See the docs and examples for details).<br>
<br>
Then it's up to the application how it interprets the roles from the
accessToken. The authorization needs to actually be done by the
application itself (unless it's a JEE application, where we have a
mapping of accessToken roles to JEE roles. Again, see the examples). We
have a separate subproject under development (no official release
available yet), which will allow more authorization possibilities.<br>
<br>
Marek<br>
<br>
<br>
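As an added example (my own, not code from this thread or from Keycloak), here is the application-side role check Marek describes: the token's signature and expiry are verified, then its roles are compared against the application's own resource-to-role map, standing in for the JEE group-role mapping from the question. It assumes an HS256-signed token with a constructed secret (real Keycloak tokens are RS256 and are checked with the realm public key), roles in the realm_access.roles claim, and made-up names such as RESOURCE_ROLES.<br>

```python
# Added example, not from the thread: an application-side check of the roles
# in a Keycloak-style access token against a role-to-resource map (the job of
# the JEE group-role mapping in the question). Assumed: HS256 with a
# constructed secret (real Keycloak tokens are RS256, checked with the realm
# public key); roles are read from the "realm_access.roles" claim.
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-secret"  # constructed, not a real key
# Resource -> roles allowed to reach it (the application's own mapping)
RESOURCE_ROLES = {
    "/reports": {"ldap-finance", "admin"},
    "/admin": {"admin"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(roles, exp_offset=300, secret=SECRET) -> str:
    """Build a constructed token carrying realm_access.roles (test input)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"preferred_username": "prasad",
                                  "exp": int(time.time()) + exp_offset,
                                  "realm_access": {"roles": list(roles)}}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, secret=SECRET):
    """Return the payload if signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    # Pin the algorithm; never let the token's own header choose it
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    return payload if payload.get("exp", 0) > time.time() else None

def is_authorized(token: str, resource: str) -> bool:
    """Application-side decision: token roles vs. the roles a resource needs."""
    payload = verify_token(token)
    if payload is None:
        return False
    roles = set(payload.get("realm_access", {}).get("roles", []))
    return bool(roles & RESOURCE_ROLES.get(resource, set()))
```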
<blockquote
cite="mid:83FA22EE27AA7949A5F616D4DD6AF71E1640F1DC@INBLRMBX002.INDECOMM.LOCAL"
type="cite">
<div class="Section1">
<p class="MsoNormal">Thanks</p>
<p class="MsoNormal">Prasad</p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</body>
</html>