[keycloak-user] group mapper per client
Ronald Demneri
ronald.demneri at amdtia.com
Tue Oct 30 10:44:02 EDT 2018
Hello Dmitry,
Thanks for the advice. I'm trying to use something like in this post http://lists.jboss.org/pipermail/keycloak-user/2017-February/009713.html, but Keycloak throws an error regarding clientSession.client.clientId as follows:
2018-10-30 12:53:32,421 ERROR [org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator] (default task-1003) org.keycloak.scripting.ScriptExecutionException: Could not execute script 'script_check_groups' problem was: TypeError: Cannot read property "clientId" from undefined in <eval> at line number 30
What do I need to use not to receive this error and have the gn variable compare to the clientId?
Thanks in advance,
Ronald
-----Original Message-----
From: Dmitry Telegin <dt at acutus.pro>
Sent: 30.Oct.2018 4:07 AM
To: Ronald Demneri <ronald.demneri at amdtia.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] group mapper per client
Hello Ronald,
If there is a literal correspondence between your AD group names and client names (like e.g. if the client is named "foo", and the corresponding AD group is "AD_group_foo"), you can do the following trick:
- make sure you have group-ldap-mapper configured in LDAP mappers, i.e. AD groups are synced to Keycloak groups;
- create a Javascript authenticator that would check client name against user's groups, and add it to your authentication flow. If the user tries to authenticate against the client without being a member of the corresponding group, the authenticator should deny login.
If there is no such correspondence (e.g. the client is named "foo", and the group is "AD_group_bar"), you still have the following options:
- map AD groups to Keycloak roles using role-ldap-mapper, then use your adapter's configuration to restrict access only to the users with this role (e.g. <security-constraint> in web.xml);
- or map AD groups to Keycloak groups, enable authorization services and use group policy (if your client adapter supports authorization, of course).
This, however, will need to be configured per each client, on the contrary to the first approach (configured once per realm).
Let me know if you need further explanations, Dmitry Telegin CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
On Mon, 2018-10-29 at 15:35 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Please forgive me if this was already asked previously. After creating the LDAP connection (read-only) and some LDAP mappers, I am trying to figure out a way how to allow login to clients for users in respective groups in AD, for example for client app1 allow login to users that are members of AD_group_app1; if account is not a member of the app1 group in AD, then he should not be allowed to login. Is it also possible to do it via role mappings? Please note that we'd like to avoid modification of AD at all costs.
>
>
> Thanks in advance,
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list