Re: [keycloak-user] group mapper per client

Hello everyone, So, thankfully, after some careful reading, I managed to solve the first issue regarding clientSession.client.clientId, which in fact shoud be authenticationSession.client.clientId (there was a mention on using loginSession.client.clientId in place of clientSession.client.clientId on this link https://issues.jboss.org/browse/KEYCLOAK-4505, which I tried to use, without success). Regards, Ronald -----Original Message----- From: Ronald Demneri Sent: 30.Oct.2018 3:48 PM To: 'Dmitry Telegin' <dt(a)acutus.pro>; keycloak-user(a)lists.jboss.org Subject: RE: [keycloak-user] group mapper per client Almost forgot, If I set a static group name to compare against (which is not our goal, but just for testing), it works correctly if the account is member of that group. If the user is not a member, then it'll display an error like "Invalid username or password". Is it possible to modify the response in such cases, stating that the account is not a member of required groups, or at least have it like "Invalid group membership". Looking forward to hearing from you! Regards, Ronald -----Original Message----- From: Dmitry Telegin <dt(a)acutus.pro&gt; Sent: 30.Oct.2018 4:07 AM To: Ronald Demneri <ronald.demneri(a)amdtia.com>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] group mapper per client Hello Ronald, If there is a literal correspondence between your AD group names and client names (like e.g. if the client is named "foo", and the corresponding AD group is "AD_group_foo"), you can do the following trick: - make sure you have group-ldap-mapper configured in LDAP mappers, i.e. AD groups are synced to Keycloak groups; - create a Javascript authenticator that would check client name against user's groups, and add it to your authentication flow. If the user tries to authenticate against the client without being a member of the corresponding group, the authenticator should deny login. If there is no such correspondence (e.g. the client is named "foo", and the group is "AD_group_bar"), you still have the following options: - map AD groups to Keycloak roles using role-ldap-mapper, then use your adapter's configuration to restrict access only to the users with this role (e.g. <security-constraint> in web.xml); - or map AD groups to Keycloak groups, enable authorization services and use group policy (if your client adapter supports authorization, of course). This, however, will need to be configured per each client, on the contrary to the first approach (configured once per realm). Let me know if you need further explanations, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro On Mon, 2018-10-29 at 15:35 +0000, Ronald Demneri wrote: