Link or associate users/groups from Keycloak with existing users in applications behind SSO/Web-SSO

Hi everybody,

I've started with the installation and configuration of a new Keycloak instance as a standalone server.

Connecting the first demo app with Keycloak (the test application) was successful.

When connecting existing systems to the SSO, the following question came up: how do I link or map users/groups from Keycloak to existing users in applications behind the SSO/Web-SSO, so that they can still be used with the existing permissions and hierarchies (LDAP is not available in every application)?

Maybe someone here can help me.

Many thanks for your help.

Using Keycloak 12.0.4 (distribution powered by WildFly) on CentOS 7

User and Group mapping will depend on the external IdP you are using, and the protocol it uses (e.g. OpenID Connect, SAML). In the server administration documentation (Server Administration Guide) there is information on how to create mappings for each type.


Many thanks for your help @xgp

In my case I would like to connect GitLab in the first step, to centralize login and authentication via Keycloak for the applications behind it.

Possibly with OpenID Connect.

Does anyone have experience with whether this is possible, or whether you have to switch to SAML?

Are the groups and users of another web application behind Keycloak only displayed/synchronized in Keycloak by using user federation (LDAP etc.)?

Sure. If you add a GitLab IdP, using the default provider in Keycloak (which is OpenID Connect), you can map any claims available to you in the token that is returned from GitLab to Keycloak roles and groups. Note that in order to get GitLab to return the correct information, you may have to add scopes to your request. Documentation on mapping claims and assertions can be found here:
https://www.keycloak.org/docs/latest/server_admin/#_mappers


Thanks @xgp

I want to integrate and link an application such as “GitLab” with Keycloak as the IdP.

Is there a detailed step-by-step guide on how to integrate Keycloak as an IdP to provide SSO to third-party applications using, for example, protocols like OpenID Connect or SAML 2.0?

I would be very grateful for any help/tips.

Many thanks in advance.

Hi,
Just create an OIDC client in your Keycloak and configure your GitLab following this:
https://docs.gitlab.com/ce/administration/auth/oidc.html

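To make the two steps in that answer concrete, here is an added example of the GitLab side (written for this thread; it is not the thread's own content and not the text of the GitLab or Keycloak documentation). It is a gitlab.rb fragment in the style of the linked GitLab OIDC page, pointing GitLab at a Keycloak 12 realm. The hostnames, the realm name `demo`, the client id `gitlab`, the secret placeholder and the two stand-in lines that replace the Omnibus configuration object are assumptions for the example:

```ruby
# Added example: gitlab.rb fragment registering a Keycloak realm as GitLab's
# OpenID Connect provider. Hostnames, realm, client id and secret are assumed.

# Stand-in for the Omnibus configuration DSL so this file also runs as plain
# Ruby. Delete these two lines when pasting into /etc/gitlab/gitlab.rb.
GITLAB_RAILS = {}
def gitlab_rails; GITLAB_RAILS; end

# Keycloak 12 (WildFly distribution) serves realms under /auth/realms/<realm>,
# so the /auth prefix belongs in the issuer. Discovery then fetches
# <issuer>/.well-known/openid-configuration for the endpoints and keys.
KEYCLOAK_ISSUER = 'https://keycloak.example.com/auth/realms/demo'

# Builds one entry for gitlab_rails['omniauth_providers'] (assumed helper,
# not part of GitLab; the keys inside are the ones the OIDC provider reads).
def keycloak_oidc_provider(issuer:, client_id:, client_secret:, gitlab_url:)
  {
    name: 'openid_connect',
    label: 'Keycloak',
    args: {
      name: 'openid_connect',
      scope: %w[openid profile email],   # 'email' supplies the address used to link accounts
      response_type: 'code',
      issuer: issuer,
      discovery: true,
      client_auth_method: 'query',
      uid_field: 'preferred_username',
      send_scope_to_token_endpoint: 'false',
      client_options: {
        identifier: client_id,
        secret: client_secret,
        # Must match the Valid Redirect URI set on the Keycloak client exactly.
        redirect_uri: "#{gitlab_url}/users/auth/openid_connect/callback"
      }
    }
  }
end

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
# Bind a Keycloak login to an existing GitLab account with the same email
# instead of creating a second account for the same person.
gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
# Accounts GitLab creates for unknown Keycloak users stay blocked until an
# admin releases them, so SSO alone does not grant access to the instance.
gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_providers'] = [
  keycloak_oidc_provider(
    issuer: KEYCLOAK_ISSUER,
    client_id: 'gitlab',
    client_secret: 'replace-with-the-client-secret-from-keycloak',
    gitlab_url: 'https://gitlab.example.com'
  )
]
```

On the Keycloak side this expects a confidential OpenID Connect client with client id `gitlab` in realm `demo`, whose Valid Redirect URI is the callback URL above; the secret comes from that client's Credentials tab. After `gitlab-ctl reconfigure`, a Keycloak user whose email matches an existing GitLab account is linked to it because of `omniauth_auto_link_user`; users unknown to GitLab get a blocked account.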

@mbonn thanks for your reply

I've tried the steps in the instructions for the application.

Can you explain how I can access existing users/user rights in the application “GitLab”, with Keycloak as IdP, after the successful login/authentication in Keycloak, and how the mapping between the Keycloak user and the users of the application works/happens?

As far as I know, GitLab uses the email address to link users or map accounts. I think this is more a question for GitLab experts…

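Linking on the email address, as described in that answer, carries one caveat a practitioner should check before switching it on: the application is trusting that the IdP actually verified the address. Below is an added example, a small model written for this thread (not GitLab's code, and not a description of what GitLab does internally), of the decision a service makes when a Keycloak ID token arrives. The local users, the claims and the policy flags are constructed; `sub` is the stable Keycloak user id and `email_verified` is the claim Keycloak derives from the user's "Email verified" flag:

```ruby
# Added example: a model of binding a Keycloak login to an existing local
# account by email. Illustrative code for this thread, not GitLab's
# implementation; users, claims and policy flags are constructed.

LocalUser = Struct.new(:username, :email, :linked_sub, :blocked)

# Constructed ID-token claims, as Keycloak's 'email' scope delivers them.
CLAIMS_ALICE_VERIFIED = {
  'sub' => '0f3a-alice', 'preferred_username' => 'alice',
  'email' => 'Alice@example.com', 'email_verified' => true
}
# Someone who self-registered at the IdP with alice's address but never verified it.
CLAIMS_ALICE_UNVERIFIED = {
  'sub' => '9c1d-mallory', 'preferred_username' => 'mallory',
  'email' => 'alice@example.com', 'email_verified' => false
}
CLAIMS_BOB = {
  'sub' => '7b2e-bob', 'preferred_username' => 'bob',
  'email' => 'bob@example.com', 'email_verified' => true
}

# Returns a [status, user_or_reason] pair:
#   :existing  account already bound to this Keycloak 'sub'
#   :linked    existing local account bound to the Keycloak identity by email
#   :created   new local account (blocked first when block_auto_created)
#   :rejected  login refused, with the reason
def resolve_login(claims, users, auto_link_by_email: true, block_auto_created: true)
  sub   = claims.fetch('sub')
  email = claims.fetch('email', '').downcase

  # 1. A prior link on 'sub' wins; the email may have changed since.
  if (user = users.find { |u| u.linked_sub == sub })
    return [:existing, user]
  end

  # 2. Same email as a local account: link only if policy allows it and the
  #    IdP vouches for the address. Linking on an unverified email lets anyone
  #    who can register that address at the IdP take over the local account.
  if (user = users.find { |u| u.email.downcase == email })
    return [:rejected, 'email already bound to another IdP identity'] unless user.linked_sub.nil?
    return [:rejected, 'email already in use; link the account manually'] unless auto_link_by_email
    return [:rejected, 'IdP did not verify the email address'] unless claims['email_verified'] == true
    user.linked_sub = sub
    return [:linked, user]
  end

  # 3. Unknown user: create an account, blocked until an admin releases it.
  user = LocalUser.new(claims.fetch('preferred_username'), email, sub, block_auto_created)
  users << user
  [:created, user]
end

# Walks the constructed scenario and returns the statuses in order.
def demo
  users = [LocalUser.new('alice', 'alice@example.com', nil, false)]
  scenario = [CLAIMS_ALICE_UNVERIFIED, CLAIMS_ALICE_VERIFIED, CLAIMS_ALICE_VERIFIED, CLAIMS_BOB]
  scenario.map { |claims| resolve_login(claims, users).first }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__   # [:rejected, :linked, :existing, :created]
```

The order of the checks is the point: an identity already linked by `sub` is honoured before any email comparison, the unverified address from the second account is refused even though it matches, and only then is a brand-new account created, blocked. Whatever GitLab does internally, the same questions apply when deciding whether to enable automatic linking: is self-registration open on the Keycloak realm, and are emails there verified before a login is issued?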

@mbonn thanks for your reply, I'll ask around in the GitLab community.

Maybe someone has already successfully solved this problem.