Hello,
I’m thinking of moving our authentication system from a proprietary SSO to Keycloak.
Sorry for the basic questions.
When using SAML as the client protocol,
is it possible to configure, per user, which clients in one realm they can log in to?
Or do I need to use openid-connect,
or control this in the applications based on roles?
Example)
User-A: can log in to Client-A and Client-B.
User-B: can only log in to Client-B; authentication error when logging in to Client-A.
Realm:
Name: demo-realm
Client protocol: SAML
Clients:
Client-A
Client-B
Users:
User-A
User-B
You are asking for authorization, not authentication. Keycloak (IdP, identity provider) usually provides authentication (user identity/profile), and the app (SP, service provider) handles authorization.
In theory you can do that on the mapper level (e.g. a scripted mapper with hardcoded allowed user IDs), but it will be hackish: an authentication error from the IdP will then have the meaning of an authorization error.
It will be better to solve it on the app level, e.g.:
def authorize(user_id, allowed_user_ids):
    # Authorization decision made by the SP, after the IdP has authenticated the user
    if user_id not in allowed_user_ids:
        return "403 Forbidden"
    return "200 OK"
It’s confirmed…
As long as I’m using SAML, Keycloak can’t provide any authentication functionality.
As you suggested,
I’ll implement it in my app, or use openid-connect.
Thank you for answering despite my poor English.
OIDC also doesn’t provide authorization. An OIDC token may contain data (e.g. user groups/roles/resources) which can be used for authorization.
But again, the app (or a library used on the app side, e.g. the Keycloak adapter, gatekeeper, …) has to perform the authorization.
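To make the point of both replies concrete, here is an added example of the app-side authorization step (this is illustration code, not from the original thread, Keycloak or any adapter). It takes the claims of an already signature-verified OIDC access token, using the claim layout Keycloak puts in its tokens (`aud`, `realm_access.roles`, `resource_access.<client>.roles`), and decides per client whether the authenticated user is entitled. The realm, client, user and role names (`demo-realm`, `client-a`, `client-b`, `app-user`) and the two claim sets are constructed for the example; JWT signature, `iss` and `exp` verification is assumed to have happened before these claims are trusted.

```python
"""Application-side authorization on OIDC access-token claims.

Added example (not from the original thread). The claim layout mirrors the
shape Keycloak puts in its access tokens: ``aud``, ``realm_access.roles`` and
``resource_access.<client>.roles``. Realm, client, user and role names below
are constructed for illustration; the role ``app-user`` is an assumption.
"""
from typing import Any, Dict, List, Tuple

Claims = Dict[str, Any]

# Constructed claim sets, as the app would see them AFTER verifying the JWT
# signature, ``iss`` and ``exp`` with a JOSE library. Nothing here may be
# trusted before that verification; it is out of scope for this example.
TOKEN_USER_A: Claims = {
    "iss": "https://sso.example.invalid/realms/demo-realm",
    "sub": "user-a",
    "preferred_username": "User-A",
    "aud": ["client-a", "client-b", "account"],
    "realm_access": {"roles": ["default-roles-demo-realm"]},
    "resource_access": {
        "client-a": {"roles": ["app-user"]},
        "client-b": {"roles": ["app-user"]},
        "account": {"roles": ["view-profile"]},
    },
}

TOKEN_USER_B: Claims = {
    "iss": "https://sso.example.invalid/realms/demo-realm",
    "sub": "user-b",
    "preferred_username": "User-B",
    "aud": ["client-b", "account"],
    "realm_access": {"roles": ["default-roles-demo-realm"]},
    "resource_access": {
        "client-b": {"roles": ["app-user"]},
        "account": {"roles": ["view-profile"]},
    },
}


def audience(claims: Claims) -> List[str]:
    """``aud`` may be a single string or a list; normalise it to a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def client_roles(claims: Claims, client_id: str) -> List[str]:
    """Roles granted to the user on one client (``resource_access``)."""
    return list(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def authorize(claims: Claims, client_id: str, required_role: str = "app-user") -> Tuple[int, str]:
    """Decide whether the bearer may use ``client_id``; returns (status, reason).

    Authentication already happened at the IdP. This is the authorization step
    the replies above put in the app: an authenticated but not entitled user
    gets 403 from the app, not an authentication error from the IdP.
    """
    if client_id not in audience(claims):
        # Token was minted for some other client; never accept it here.
        return 403, "token not issued for this client"
    if required_role not in client_roles(claims, client_id):
        return 403, f"missing client role {required_role!r}"
    return 200, "ok"


if __name__ == "__main__":
    for name, claims in (("User-A", TOKEN_USER_A), ("User-B", TOKEN_USER_B)):
        for client in ("client-a", "client-b"):
            print(name, client, authorize(claims, client))
```

With these constructed claims User-A is accepted by both clients while User-B is rejected by client-a, first because the token was not issued for that client; a token that did name client-a in `aud` but carried no `app-user` role there would be rejected on the role check instead. Which of Keycloak's roles or groups appear in the token is controlled by the client's mappers, so the app only has to enforce, not to decide, the policy.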
Thanks a lot @jangaraj.
I understood it well.
I’ll try what I was taught.