LDAP AD group permissions

Hello all,
I can successfully sync users from my Active Directory and have tested user authentication with Apache_mellon, which was configured with SAML; I was able to log in with every AD user. My question is how I should restrict access to users by groups. I have already created groups in AD. Can someone direct me: after authentication, where should this authorization process happen, in AD? Or should I somehow import my AD groups into Keycloak?
I am a newbie, please do not judge strictly. I will appreciate any advice.

As far as I know, Keycloak does not support restricting user login via AD groups…

By default, all imported users can log in to every application…

You can:

  1. write some custom code (an OIDC authenticator; I am not sure whether a SAML app can have such a thing) to restrict that
  2. Or, for every client application, check the user's group and deny access on the client side.

Thanks for your reply.
About the 1st, one question comes to mind: when I am searching, there are some instructions on how to sync AD groups and map them to Keycloak, so why is there a need to sync AD groups to Keycloak? Please let me know, in two words, one example use case.

About the 2nd option, have I understood correctly that, using this method, Keycloak will successfully authenticate, but since the account used has no access on the application side, authorization will not happen, or will happen with specific restrictions?

  1. you need to ‘import’ the users (as well as groups) from AD into Keycloak to make use of some Keycloak features (e.g. to assign a role to user groups, you need to feed the AD group information into tokens)

  2. …Keycloak will authenticate ANY user who has a valid AD account. Each client application needs to check whether the user can access your application/service. E.g. user1 logs in via the Keycloak login page, and in your SAML application (likely the SAML ACS endpoint) you need to get the login ID (user1) and check whether this user can access your application. If not, show an ‘access denied’ message and do not accept the SAML response.
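The client-side check described in the answer above, written out as an added example (not code from the original thread, from Keycloak or from mod_auth_mellon). It assumes that a Keycloak group membership mapper on the SAML client has been configured to emit the user's groups under the attribute name `member` with full group paths (that name is an assumption; use whatever you configured), and that the SAML library has already validated the response signature, audience and conditions before any attribute is trusted. The sample SAML response is constructed for the example; `handle_acs` is a hypothetical ACS-side function that returns the HTTP status and message the application would send.

```python
"""Client-side SAML group authorization at the ACS endpoint (added example).

Keycloak authenticates any user with a valid AD account. The relying party
decides, from the group attribute in the assertion, whether to start a
session. Signature, audience and condition checks are assumed to have been
done by the SAML library before this code sees the response.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Attribute name the Keycloak group membership mapper is assumed to emit
# (hypothetical; set it to the name configured in the client's mapper).
GROUP_ATTRIBUTE = "member"

# Constructed sample response template: no real data, no signature.
RESPONSE_TEMPLATE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://keycloak.example.com/realms/corp</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{success}"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>https://keycloak.example.com/realms/corp</saml2:Issuer>
    <saml2:Subject><saml2:NameID>{name_id}</saml2:NameID></saml2:Subject>
    {attributes}
  </saml2:Assertion>
</saml2p:Response>"""


def make_response(name_id, groups):
    """Build a constructed SAML response for a user with the given groups."""
    values = "".join(
        f"<saml2:AttributeValue>{escape(g)}</saml2:AttributeValue>" for g in groups
    )
    attributes = ""
    if groups:
        attributes = (
            f'<saml2:AttributeStatement><saml2:Attribute Name="{GROUP_ATTRIBUTE}">'
            f"{values}</saml2:Attribute></saml2:AttributeStatement>"
        )
    return RESPONSE_TEMPLATE.format(
        success=SUCCESS, name_id=escape(name_id), attributes=attributes
    )


def extract_principal(response_xml):
    """Return (login_id, groups) from an already validated SAML response."""
    root = ET.fromstring(response_xml)
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    groups = set()
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") != GROUP_ATTRIBUTE:
            continue
        for value in attr.findall("saml2:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return name_id.text.strip(), frozenset(groups)


def is_authorized(groups, allowed_groups):
    """Deny by default: the user must belong to at least one allowed group."""
    return bool(frozenset(groups) & frozenset(allowed_groups))


def handle_acs(response_xml, allowed_groups):
    """Decision made at the ACS endpoint: (http_status, message).

    403 means Keycloak authenticated the user but this application rejects
    the SAML response and starts no session.
    """
    try:
        login_id, groups = extract_principal(response_xml)
    except ValueError as exc:
        return 400, f"invalid SAML response: {exc}"
    if not is_authorized(groups, allowed_groups):
        return 403, "access denied"
    return 200, f"session started for {login_id}"


if __name__ == "__main__":
    allowed = {"/app-users"}
    print(handle_acs(make_response("user1", ["/app-users", "/staff"]), allowed))
    print(handle_acs(make_response("user2", ["/staff"]), allowed))
    print(handle_acs(make_response("user3", []), allowed))
```

The check is deny-by-default: a user whose assertion carries no group attribute at all (for example because the mapper is missing on the client) is refused, not admitted. The same decision can be moved into Keycloak only by the custom authenticator route mentioned earlier in the thread; in this example it stays on the application side, exactly where the answer above places it.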