User federation

You can import users from an external system into Keycloak, and then map user roles to ensure that the users that are imported into Obcerv have the appropriate user and admin roles.

Note

Not all role mapper types are available in the version of Keycloak used in Obcerv Platform 1.4.x and below.

Types of user federations supported by Keycloak Copied

There are two types of federations in Keycloak: LDAP federation and IDP federation.

LDAP federation typically refers to an external Active Directory connected via LDAP, where Keycloak can authenticate users against.

IDP federation delegates using other IDPs as a source of authentication, such as Google, Amazon, or GitHub. Keycloak itself can be set up as an IDP, and you can use it to authenticate your users as well.

Configure LDAP or IDP federation Copied

If you decide to use LDAP or IDP federation, you need to configure the realm. Once configured, you should then manage user permissions and access (see Federated user roles).

To configure user federation setup in Keycloak:

  1. Navigate to the Obcerv realm in Keycloak by clicking Obcerv in the top-left drop down menu.
  2. Do the following:

Federated user roles Copied

Since the web console requires certain roles to allow users to access Obcerv, you need to manage federated user roles.

Assign a default user role Copied

Roles can be assigned during registration by defining default roles in Keycloak. Once you have defined the default roles, all new users will be automatically assigned one or more roles when they first authenticate to Keycloak.

Adding the user role by default ensures that all users from the external system will be able to log in to the web console. To do this:

  1. Navigate to the Obcerv realm in Keycloak by clicking Obcerv in the top-left drop down menu.
  2. Create the user role by clicking Realm roles > Create role. Add the role name and description.
  3. Click Realm settings, and then go to the User registration tab.
  4. Click Add role, then assign the user role.
    Assign roles in Keycloak

Although easy to configure, this approach may not be flexible enough for some organizations. It lets every user from the external system automatically access the system, which may not be appropriate for all users. Additionally, it does not provide a way to determine which external users should be admins.

Define role mappings Copied

Using a mapper is a more dynamic approach to managing external user access than assigning a default user role.

Role mappers are available for both types of federations.

With a role mapper, you can map external user attributes to Keycloak roles and permissions. This gives you more control over who has access to Obcerv and what permissions they have.

Role mappings for LDAP federation Copied

  1. Navigate to the Obcerv realm in Keycloak by clicking Obcerv in the top-left drop down menu.
  2. Click User federation, and then select your configured external source.
  3. Go to the Mappers tab, and then click Add mapper. User role
  4. Provide the name of the mapper.
  5. From the Mapper type dropdown list, select an option such as role-ldap-mapper or group-ldap-mapper to configure a role from LDAP to an assigned role in Keycloak.
  6. Click Save to create the mapper.

Role mappings for IDP federation Copied

  1. Navigate to the Obcerv realm in Keycloak by clicking Obcerv in the top-left drop down menu.
  2. Click Identity providers, and then select your configured external source.
  3. Go to the Mappers tab, and then click Add mapper.
  4. Provide the identity provider mapper details. Make sure to associate the External role with the appropriate realm Role. For example, given the following strategies:
    • Users with the external role company/user should be assigned the user role. User role
    • Users with the external role system-admin should be assigned the admin role. Admin role
  5. Click Save to create the mapper.
["Obcerv"] ["User Guide", "Technical Reference"]

Was this topic helpful?