[keycloak-user] Configure authorization with SAML

Pedro Igor Silva psilva at redhat.com
Mon Feb 4 07:46:02 EST 2019

Hi John,

Yes, there is no easy way to do that right now when using SAML. There is an
extension [1] though that works for OIDC.

I dunno if we are going to invest authorization in SAML, but you can open
an RFE and try to get votes from other interested parties.

Best regards.
Pedro Igor

[1] https://www.keycloak.org/extensions.html

On Sun, Feb 3, 2019 at 6:32 AM John Doe <fsf.eff at protonmail.com> wrote:

> Dear Keycloak users,
> First of all I would like to thank you for committing on this project.
> I configured Keycloak with FreeIPA. I have single realm in Keycloak
> (master realm) and All of my SAML clients are in this realm, Right now I
> want to limit access to "Weekdone.com SAML client" for certain users and as
> I searched I found out there is no authorization on SAML and it's under
> development, Can you please tell me about it's status?
> If it's not available right now, How can I implement it?
> Is it Ok if I create a "weekdone users" group in FreeIPA and create
> another realm in Keycloak and add weekdone SAML client to that realm?
> I think that makes a mess in the long-term but I found no other solution.
> References to this issue:
> http://lists.jboss.org/pipermail/keycloak-user/2017-September/011759.html
> https://www.reddit.com/r/selfhosted/comments/8ah2we/keycloak_authorization_services_for_saml/
> Best Regards.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list