Use SAML Protocol, Is it possible to set a client that can log in per user in one realm


I’m thinking of moving authentication system from proprietary SSO to keycloak.

Sorry for the basic questions.

When using SAML for the client protocol,
Is it possible to set a client that can log in per user in one realm?

use of openid-connect,
or by applications need to control based on role ?


User-A: can log in to Clients-A and B.
User-B: can only log in to Client-B, Authentication error when logging in to Client-A.

  Name: demo-realm
  ClientProtocol: SAML



You are asking for authorization, not authentication. Keycloak (IdP - identity provider) provides authentication (user identity/profile) usually and app (SP - service provider) handles authorization.

In theory you can do that on the mapper level (e.g. scripted mapper which will have hardcoded allowed user ids), but it will be hackish: authentication error from the IdP will have meaning of authorization error.

It will be better to solve it on the app level, e.g.:

if userid no in <allowed_user_ids>:
   return Forbiden
1 Like

it’s confirm…
As long as using SAML, Keycloak can’t provide any authentication functionality.

As your suggested,
implement it in my app, or Use openid-connect.

Thank you for answering my poor English. :slight_smile:

OIDC also doesn’t provide authorization. OIDC token may contain data (e.g. user groups/roles/resources), which can be used for authorization.

But again app (or used library on the app side - e.g. Keycloak adapater, gatekeeper,…) has to perform authorization.

Thanks a lot @jangaraj

I understood it well.
I try what I was taught.