One realm, multiple clients with LDAP groups

Hi,
I have the following problem:
I have one realm with many OpenID clients and one LDAP user backend.
My problem is that for each client only those users are valid which are in a specific LDAP group.
For example:
Client A → the valid users are part of LDAP group foo1
Client B → the valid users are part of LDAP group foo2
As a workaround, I have created an extra realm for every client and use an LDAP group filter for the user backend. But this scales very badly, because every change must be done in every realm.

So would it be possible to configure a group filter in the client config within a Keycloak realm?

Hey @mdc_tux

Curious, if you have 1 realm, multiple clients, and are using LDAP for this realm, can you make a new group and add the users you want to the group?

hi @gsmith,
the users for the different clients are in different LDAP groups, or what do you mean?

Hey @mdc_tux

Perhaps I'm not understanding the question well.

There is 1 realm, multiple clients in this realm, which have different LDAP group(s) per client, is this correct?

So this question: what are you trying to achieve?

OK, then I will describe it another way.
My main goal is to simplify the installation and use only one realm, and filter the users in the application config or assign every application config a separate LDAP connection.
Until now, for every application (client) I have a separate realm, in which an LDAP connector (with the group filter) runs as the user federation provider.
I hope it is clearer for you now.

Hey @mdc_tux

yes, we tried to do something similar, because of the different LDAP servers/domains. There were different settings for each domain with users, and we were unable to group users in one realm. Sorry I can't be more help.

In the meantime I have asked a colleague who uses ADFS from Microsoft. There the OpenID connector can do this. Not only the authentication, like Keycloak can do, but also the authorization via LDAP groups to use the connector. I have found an add-on, but as far as I read the manual, it doesn't provide group support.


Hi mdc_tux,
I think it should be possible with this plugin.
I managed to get a similar scenario working with Keycloak 20.0.3+, but I did not find a reliable way without the plugin.

Basically it works like this: you specify a client-specific role "restricted-access" that gives access to the client. You can then add that role to the group.

This specific client role is added to the group of your users.

You need to define your own credential flow for each of your clients, as described in the plugin's GitHub page, and add it per client in the "Advanced" section.

When logging in,
the client-specific role "restricted-access" is checked.
As the group holds the client role restricted-access, only the users within that group can log in.

Hope this helps!
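The steps in the answer above can be scripted against the stock Keycloak admin REST API. The following is an added example, not code from the thread or from the plugin it links to: it creates the client role, maps it onto the LDAP-synced group, binds a per-client browser flow (what the admin console shows under Advanced > Authentication flow overrides) and checks a user's effective client roles. The realm "apps", client "client-a", group "foo1", role "restricted-access", flow alias "client-a-browser", server URL and admin credentials are all assumed names; the flow itself is assumed to exist already, and the plugin's own authenticator configuration is not reproduced because the thread does not show it.

```python
"""Added example (not from the thread or the plugin): automate the admin REST
API half of the "restricted-access" client-role pattern.  All names below
(realm, client, group, role, flow alias, server, credentials) are assumptions.
"""
import json
import urllib.request
from urllib.parse import quote, urlencode


def fetch_admin_token(base_url, username, password):
    """Password grant on the master realm's built-in admin-cli client."""
    form = urlencode({"grant_type": "password", "client_id": "admin-cli",
                      "username": username, "password": password}).encode()
    url = base_url.rstrip("/") + "/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.loads(resp.read())["access_token"]


class KeycloakAdmin:
    """Thin wrapper over the admin REST API; `http` is injectable so the
    sequence of calls can be checked offline without a Keycloak server."""

    def __init__(self, base_url, token, http=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.http = http or self._urllib_http

    @staticmethod
    def _urllib_http(method, url, headers, body):
        req = urllib.request.Request(url, data=body.encode() if body else None,
                                     method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def call(self, method, path, payload=None):
        headers = {"Authorization": "Bearer " + self.token,
                   "Content-Type": "application/json"}
        body = json.dumps(payload) if payload is not None else None
        status, data = self.http(method, self.base_url + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return data


def restrict_client_to_group(kc, realm, client_id, group_name, role_name, flow_alias):
    """Wire role, group and flow override together; returns the resolved ids."""
    r = "/admin/realms/" + quote(realm, safe="")
    # 1. clientId (the name typed in the console) -> internal UUID
    clients = kc.call("GET", f"{r}/clients?clientId={quote(client_id, safe='')}")
    client = next(c for c in clients if c["clientId"] == client_id)
    cid = client["id"]
    # 2. the client role that gates access; HTTP 409 means it already exists
    try:
        kc.call("POST", f"{r}/clients/{cid}/roles", {"name": role_name})
    except RuntimeError as exc:
        if "HTTP 409" not in str(exc):
            raise
    role = kc.call("GET", f"{r}/clients/{cid}/roles/{quote(role_name, safe='')}")
    # 3. map the role onto the group; the search is a substring match, so
    #    filter by exact name (only top-level groups are considered here)
    groups = kc.call("GET", f"{r}/groups?search={quote(group_name, safe='')}")
    group = next(g for g in groups if g["name"] == group_name)
    kc.call("POST", f"{r}/groups/{group['id']}/role-mappings/clients/{cid}", [role])
    # 4. bind the per-client flow via ClientRepresentation's override map
    flows = kc.call("GET", f"{r}/authentication/flows")
    flow = next(f for f in flows if f["alias"] == flow_alias)
    client.setdefault("authenticationFlowBindingOverrides", {})["browser"] = flow["id"]
    kc.call("PUT", f"{r}/clients/{cid}", client)
    return {"client": cid, "role": role["id"], "group": group["id"], "flow": flow["id"]}


def user_has_client_role(kc, realm, user_id, client_uuid, role_name):
    """Effective (composite) client roles include those inherited through
    group membership, which is what the login-time check relies on."""
    r = "/admin/realms/" + quote(realm, safe="")
    effective = kc.call(
        "GET", f"{r}/users/{user_id}/role-mappings/clients/{client_uuid}/composite")
    return any(x["name"] == role_name for x in effective)


if __name__ == "__main__":
    # Assumed server and admin credentials; adjust before running for real.
    base = "https://sso.example"
    kc = KeycloakAdmin(base, fetch_admin_token(base, "admin", "admin-password"))
    print(restrict_client_to_group(kc, "apps", "client-a", "foo1",
                                   "restricted-access", "client-a-browser"))
```

Run it once per client with that client's group and flow alias; the role mapping is stored against the group's internal id, so the script itself does not care about the group name after step 3, but whatever the plugin's flow references by name is outside this script.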

Sorry for the late answer. Yes, it works, but you must modify the default "browser" flow. And second, you must not change the group name. When you do that, everything fails. The edit field for the name looks like a "trap".