KeyCloak LDAP Role mapper with AD groups

About

Asked 12/5, 2021 at 18:23 Answered 12/5, 2021 at 18:41

active-directory ldap keycloak federation

I have a KeyCloak LDAP federation question.

Using LDAP Federation I am trying to map specific AD groups to one specific KeyCloak role.

Example

Fido belongs to the AD Group "Dogs"

(LDAP:memberOf:cn=dogs,cn=users,dc=test,dc=com)

Fluffy belongs to the AD Group "Cats"

(LDAP:memberOf:cn=cats,cn=users,dc=test,dc=com)

I can get LDAP Federation to create the "cats" and "dogs" roles but what I really want to do in keycloak is have a role called "animals" that both fluffy and fido are assigned to.

Is this possible using the role-ldap-mapper? Is there another way to do this?

Nightmare answered 12/5, 2021 at 18:23 Comment(0)

Is this possible using the role-ldap-mapper? Is there another way to do this?

First you need to map those groups "cats" and "dogs" from LDAP into roles in Keycloak, for that you can use the role-ldap-mapper Mapper. During the creation of those Mappers, after saving click on "Sync LDAP Roles to Keycloak".

After you have successfully import those roles into keycloak for each of the imported roles (i.e., cat and dog):

Go to Roles;
Click on the role in question;
Switch "Composite Roles" to ON
Select the role Animals (I am assuming that you have already created that role in Keycloak, otherwise do so);
Click on "Add selected"

Next time a user with the role Cats or Dogs from LDAP authenticates with Keycloak, the role Animals will show up in the token as well.

Zo answered 12/5, 2021 at 18:41 Comment(7)

Hi, is it possible to achieve the same thing but with Groups instead of Roles? If it is somehow possible, could you please explain shortly how? – Chunk 30/5, 2023 at 1:4

Hi, @MohammedNoureldin I came across the same issue, did you found any solution to map ldap groups into existing keycloak groups? Thanks before hand. – Transport 3/7 at 13:36

@Transport you just need to use the ldap mapper group-ldap-mapper – Zo 3/7 at 17:29

@dreamcrash, I have a group-ldap-mapper, but all it does is to bring into keycloak the Groups that I have in AD, but I haven't found a way to map those incoming groups with existing groups in keycloak. For instance: I have a group called rockers in keycloak, then I would like to map the incoming group cn=something,..., into the rockers existing group. If you have a way to do this, could you share it? Thank you – Transport 5/7 at 7:34

@dreamcrash, just in case, I'm currently using the following helm chart version: github.com/codecentric/helm-charts/releases/download/… – Transport 5/7 at 8:7

@Transport The problem seems to be that kc does not have composite groups like it does for roles – Zo 7/7 at 18:49

@Zo Thanks, I'm afraid that is the case. Thank you – Transport 8/7 at 14:16

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags