User federation
You can import users from an external system into Keycloak, and then map user roles to ensure that the users imported into Obcerv have the appropriate user and admin roles.
Note
Not all role mapper types are available in the version of Keycloak used in Obcerv Platform 1.4.x and below.
Types of user federations supported by Keycloak
There are two types of federations in Keycloak: LDAP federation and IDP federation.
LDAP federation typically refers to an external Active Directory connected via LDAP, against which Keycloak authenticates users.
IDP federation delegates authentication to other IDPs, such as Google, Amazon, or GitHub. Keycloak itself can be set up as an IDP, and you can use it to authenticate your users as well.
Configure LDAP or IDP federation
If you decide to use LDAP or IDP federation, you need to configure the realm. Once configured, you should then manage user permissions and access (see Federated user roles).
To configure user federation in Keycloak:
- Navigate to the Obcerv realm in Keycloak by clicking Obcerv in the top-left drop-down menu.
- Do one of the following:
  - LDAP: click User federation on the left-side menu. Click Add new provider, and then select a supported service. Provide your settings. For more information, see LDAP and Active Directory in the Keycloak documentation.
  - IDP: click Identity providers on the left-side menu. Click Add provider, and then select a supported service. Provide your settings. For more information, see OpenID Connect v1.0 Identity Providers and SAML v2.0 Identity Providers in the Keycloak documentation.
Federated user roles
Since the web console requires certain roles to allow users to access Obcerv, you need to manage federated user roles.
Assign a default user role
Roles can be assigned during registration by defining default roles in Keycloak. Once you have defined the default roles, all new users will be automatically assigned one or more roles when they first authenticate to Keycloak.
Adding the user role by default ensures that all users from the external system will be able to log in to the web console. To do this:
- Navigate to the Obcerv realm in Keycloak by clicking Obcerv in the top-left drop-down menu.
- Create the user role by clicking Realm roles > Create role. Add the role name and description.
- Click Realm settings, and then go to the User registration tab.
- Click Add role, then assign the user role.
Although easy to configure, this approach may not be flexible enough for some organizations. It lets every user from the external system automatically access the system, which may not be appropriate for all users. Additionally, it does not provide a way to determine which external users should be admins.
Define role mappings
Using a mapper is a more dynamic approach to managing external user access than assigning a default user role.
Role mappers are available for both types of federations.
With a role mapper, you can map external user attributes to Keycloak roles and permissions. This gives you more control over who has access to Obcerv and what permissions they have.
Role mappings for LDAP federation
- Navigate to the Obcerv realm in Keycloak by clicking Obcerv in the top-left drop-down menu.
- Click User federation, and then select your configured external source.
- Go to the Mappers tab, and then click Add mapper.
- Provide the name of the mapper.
- From the Mapper type dropdown list, select an option such as role-ldap-mapper or group-ldap-mapper to map an LDAP role or group to an assigned role in Keycloak.
- Click Save to create the mapper.
Role mappings for IDP federation
- Navigate to the Obcerv realm in Keycloak by clicking Obcerv in the top-left drop-down menu.
- Click Identity providers, and then select your configured external source.
- Go to the Mappers tab, and then click Add mapper.
- Provide the identity provider mapper details. Make sure to associate the External role with the appropriate realm Role.
  For example, given the following strategies:
  - Users with the external role company/user should be assigned the user role.
  - Users with the external role system-admin should be assigned the admin role.
- Click Save to create the mapper.
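As an added example that is not part of the Obcerv or Keycloak documentation, the two strategies above expressed as they appear in a Keycloak realm export, so the mappings can be reviewed or imported rather than clicked through. The provider alias my-oidc-idp and the mapper names are placeholders; oidc-role-idp-mapper is Keycloak's External Role to Role mapper type, and its External role and Role fields correspond to the external.role and role keys.

```json
{
  "identityProviderMappers": [
    {
      "name": "company-user-to-user",
      "identityProviderAlias": "my-oidc-idp",
      "identityProviderMapper": "oidc-role-idp-mapper",
      "config": {
        "syncMode": "FORCE",
        "external.role": "company/user",
        "role": "user"
      }
    },
    {
      "name": "system-admin-to-admin",
      "identityProviderAlias": "my-oidc-idp",
      "identityProviderMapper": "oidc-role-idp-mapper",
      "config": {
        "syncMode": "FORCE",
        "external.role": "system-admin",
        "role": "admin"
      }
    }
  ]
}
```

With syncMode set to FORCE the mapping is re-applied at every login, so a user whose system-admin role is removed in the external system also loses the admin role in Keycloak; with INHERIT the mapper follows the sync mode configured on the identity provider itself.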