LDAP user sync - how to remove users automatically

Dear community,

We have the following use case:
Authentication is mainly handled by another OIDC provider in our infrastructure (IdentityProvider created in Keycloak, working).
We want to further limit access to Keycloak via several LDAP groups, hence we do the following:

  • We set up a "user federation" that limits LDAP users to the given LDAP groups via LDAP filters
  • We use LDAP sync (read_only) to sync users from LDAP to Keycloak (creating the users etc. works)
  • To further limit user login, we disable automatic user creation [1] (works)
    note: We cannot use the group mapper for LDAP to limit logins, because the application we are using can only work with the "public" access type [2]

Now the only thing I cannot get working is this: when a user is removed from the mentioned LDAP groups, the user can still log in to Keycloak, and hence → eclipse-che. I found this [3] stating that the user should be removed from the Keycloak DB as soon as he/she tries to log in, but that is false. I believe that is due to the fact that the user still exists in the OIDC provider, which is the actual authentication method here.

Any suggestions on how I can make this setup work?

Regards
Celal

[1] Server Administration Guide
[2] Configuring authorization :: Eclipse Che Documentation
    "* Access Type must be public. Che only supports the public access type."
[3] https://lists.jboss.org/pipermail/keycloak-user/2019-January/017005.html

I was only allowed to put 2 links in a post, hence the third link is space separated, sorry.

Hi, I have observed the same behavior. FYI, I just opened a GitHub issue for this case: LDAP Filter not applied on user validation · Issue #13628 · keycloak/keycloak · GitHub
Cheers, Colin