How to Restrict SSO with Google Provider in Keycloak?

Hello Keycloak Community,

I have been working on integrating Google as an Identity Provider (IDP) in Keycloak for Single Sign-On (SSO) purposes. While the integration works well, I am looking for a way to restrict access to my application only to a specific group of users who have been granted permission in Keycloak.

I want to ensure that only users who are members of a certain group and have a specific role in Keycloak are allowed to log in to my application using their Google accounts. In other words, I want to control access to my application based on group membership and assigned roles in Keycloak.

I have tried exploring the Keycloak admin console and client settings, but I couldn’t find a straightforward way to achieve this. I’m wondering if there are any specific configurations or steps that need to be followed to implement this restriction.

Any guidance or suggestions on how to achieve this requirement would be highly appreciated. Thank you in advance for your assistance!


You would limit access to your clients to those users with the right credentials. Check out single sign on - How can I restrict client access to only one group of users in keycloak? - Stack Overflow

As @hmof has pointed out.

You can achieve this by using Client Roles and Groups.

  1. Open Clients/your-client, then create some access roles, e.g. guest, external, operator, admin…

  2. Open Groups and create your people administration hierarchy, e.g.:
    Company/Internal
    Company/External
    Clients…

  3. Remember to map the roles to the groups.
    Company/Internal → operator
    Company/External → external
    ….

  4. On the IdP configuration, look for the Mappers tab and configure a hardcoded group (Company/External)…

  5. On your SPA application, when starting the authorization request, make sure to include the “roles” scope.

If everything is configured correctly, you should see the user's role list inside access_token.resource_access.
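The last step above only puts the roles into the token; the application (or its backend) still has to check them before granting access. The following is an added example, not code from the thread or from Keycloak, showing what that check looks like on a resource server: verify the token, confirm it was issued to this client, then look for the required client role under resource_access.<client-id>.roles. It assumes a client id of my-spa and a required role of operator. Keycloak signs access tokens with RS256 by default; to stay standard-library only, the example mints and verifies HS256 tokens with a constructed secret, so in a real deployment replace verify_and_decode with a JWT library validating against the realm's JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret so the example runs offline. Keycloak uses RS256
# with the realm's public keys; this HS256 stand-in only exists for the demo.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
CLIENT_ID = "my-spa"          # assumed client id of the SPA
REQUIRED_ROLE = "operator"    # client role mapped to Company/Internal in the answer above
NOW = 1_700_000_000           # constructed fixed clock for reproducible checks


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT so there is something to verify (constructed, demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> dict:
    """Check algorithm, signature and expiry before trusting any claim in the token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def client_roles(claims: dict, client_id: str) -> list:
    """Roles Keycloak places under resource_access.<client>.roles when the 'roles' scope is requested."""
    return claims.get("resource_access", {}).get(client_id, {}).get("roles", [])


def is_authorized(token: str, client_id: str = CLIENT_ID, required_role: str = REQUIRED_ROLE, **kw) -> bool:
    """True only for a valid token issued to this client that carries the required client role."""
    try:
        claims = verify_and_decode(token, **kw)
    except ValueError:
        return False
    if claims.get("azp") != client_id:  # azp = the client the token was issued to
        return False
    return required_role in client_roles(claims, client_id)


def demo_claims(roles: list, exp: int = NOW + 300) -> dict:
    """Constructed claims in the shape Keycloak emits for a client-role-bearing access token."""
    return {
        "iss": "https://sso.example.test/realms/demo",  # assumed realm issuer
        "azp": CLIENT_ID,
        "exp": exp,
        "preferred_username": "someone@example.test",  # constructed
        "resource_access": {CLIENT_ID: {"roles": roles}},
    }


# Constructed sample tokens: a Company/Internal user, a Company/External user,
# an expired token, and one signed with a key the resource server does not trust.
INTERNAL_TOKEN = mint_demo_token(demo_claims(["operator"]))
EXTERNAL_TOKEN = mint_demo_token(demo_claims(["external"]))
EXPIRED_TOKEN = mint_demo_token(demo_claims(["operator"], exp=NOW - 1))
WRONG_KEY_TOKEN = mint_demo_token(demo_claims(["operator"]), secret=b"some-other-secret")

if __name__ == "__main__":
    for name, tok in [("internal", INTERNAL_TOKEN), ("external", EXTERNAL_TOKEN),
                      ("expired", EXPIRED_TOKEN), ("wrong-key", WRONG_KEY_TOKEN)]:
        print(f"{name:10s} authorized={is_authorized(tok, now=NOW)}")
```

The azp check matters because the roles claim is keyed by client id: a token minted for another client in the same realm could still carry a resource_access entry for my-spa, so the check ties the role to the client the token was actually issued to. Users who land in Company/External through the hardcoded group mapper get the external role only and are refused by this check.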