Realm with multiple clients and different user access

I have federated users from an LDAP server. They are part of a realm. I would like to know how I allow different user access to different apps in the same realm with the same user base. Can that be done through groups, and if so how? If not, what other methods could I use to achieve that end?

Thanks.

Keycloak can’t enforce if a user will be able to use an application or not. It’s an IdP where users authenticate themselves and the clients participate from this session at the IdP. The clients must decide on their own, if a user is allowed to use these apps. Keycloak can just map appropriate claims into the tokens for these clients, and based on these claims, the clients can do a decision.

And which claims you use, if groups, roles, attributes, etc., this is totally up to you and your clients.

So if I have a realm with several clients and users, those users get access to all clients and it's the client settings that determine if the user is able to sign in, provided the assertion?

The client doesn’t decide if the user is able to sign in. The user authenticates at the IdP, the IdP issues a token, the client, which is using the token, decides based on the claims in the token, if the authenticated user is allowed to use the client/application.
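To illustrate the split described above (the IdP issues a token carrying claims; the client checks those claims and decides whether the user may use it), here is an added example that is not from the thread or from Keycloak. It uses a constructed HS256-signed token with a shared secret as a stand-in for a Keycloak RS256 access token (a real client would verify against the realm's public key from its JWKS endpoint); the `groups` and `resource_access` claim shapes follow Keycloak's default mappers, and the client ids and group names are made up.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # stand-in for the realm signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a constructed HS256 JWT; this plays the IdP's role in the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now: int, secret: bytes = SECRET) -> Optional[dict]:
    """Client side: reject bad signatures and expired tokens before trusting claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def client_allows(claims: dict, client_id: str, allowed_groups: set, required_role: str) -> bool:
    """Client side: the token is valid, but is this user allowed to use THIS app?"""
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:  # token was not issued for this client
        return False
    if allowed_groups & set(claims.get("groups", [])):  # group-based access
        return True
    client_roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return required_role in client_roles  # client-role-based access


def demo() -> dict:
    # Constructed claims for one LDAP user who belongs only to /finance.
    claims = {"sub": "alice", "aud": ["payroll", "hr-portal"], "exp": 2_000_000_000,
              "groups": ["/finance"], "resource_access": {"payroll": {"roles": ["user"]}}}
    verified = verify_token(make_token(claims), now=1_900_000_000)
    return {"payroll": client_allows(verified, "payroll", {"/finance"}, "user"),
            "hr-portal": client_allows(verified, "hr-portal", {"/hr"}, "user")}
```

Both apps receive the same token from the same realm; only the per-client decision differs.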

Thanks for the clarification. Just one last question if you don’t mind, does Keycloak do IdP initiated sign on, and if so can you point me to some documentation. Thanks.

IdP-initiated sign-on is possible for the SAML protocol, AFAIK. OIDC does not support IdP-initiated sign-on; this is always client-initiated.
As I don’t know SAML well enough, I can’t tell you how to do it.


Hello elmidwill,

you could take a look at this community extension: GitHub - sventorben/keycloak-restrict-client-auth: A Keycloak authenticator to restrict authorization on clients

Cheers,
Thomas

It looks like, from the link you provided, that this feature is now part of Keycloak as of version 17. I will look into it and post any updates.

Thanks.