Keycloak - Limit users access per client/application

I've just set up my first Keycloak server to offer SSO between two applications. These are not Java applications; one is connected with SAML-2 and the other with OpenID Connect.

So in Keycloak I have Realm-1, and then Client-1 (application1) and Client-2 (application2), and user-1 and user-2.

Now I want user-1 to only be allowed access to Client-1, and user-2 to be allowed access to both Client-1 and Client-2. Should be simple enough.

I have tried to read up on Roles and Authorization, but I find the documentation (or maybe just the topic) very confusing. I have been playing around with it with no success. I was expecting an interface to just map a group to a Client, and to restrict access to the Clients by adding/removing users from groups.

ladrua asked Aug 20 '18 23:08

1 Answer

If you are using SAML:

  1. Create a new role in Keycloak.
  2. Assign this role to the group.
  3. Create a new authentication script in Keycloak. Configure which role is allowed upon login (e.g. user.hasRole(realm.getRole("yourRoleName"))).
  4. In the client settings, under "Authentication Flow Overrides", choose the authentication flow created in step 3.

If you are using OpenID, look at the comment in this thread.

lukasell answered Jan 02 '23 11:01
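The script the answer's step 3 refers to is a Keycloak "Script Authenticator". Below is an added example of such a script; it is not code from the original post or from the Keycloak project. Keycloak runs the script with the globals `user`, `realm`, `LOG`, `script` and `Java` already bound and calls `authenticate(context)` from the flow engine. The role name `client-2-access`, the user names and the harness at the bottom (stand-ins for those globals so the file also runs in Node) are all constructed for the example.

```javascript
// Keycloak Script Authenticator (added example, not from the original post):
// allow login through this flow only when the user holds a required realm role.
// In Keycloak the globals `user`, `realm`, `LOG`, `script` and `Java` are bound
// by the server; the "constructed harness" section exists only for running in Node.

// Hypothetical realm role that gates the client (the answer's "yourRoleName").
var REQUIRED_ROLE = "client-2-access";

function authenticate(context) {
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
  var role = realm.getRole(REQUIRED_ROLE);

  // A deleted or renamed role must fail closed, never fall through to success.
  if (role === null) {
    LOG.warn(script.name + ": role " + REQUIRED_ROLE + " does not exist; denying " + user.username);
    context.failure(AuthenticationFlowError.INTERNAL_ERROR);
    return;
  }

  // hasRole() also sees roles inherited via group membership and composites,
  // so adding a user to the mapped group is enough to grant access.
  if (!user.hasRole(role)) {
    LOG.warn(script.name + ": " + user.username + " lacks role " + REQUIRED_ROLE + "; denying login");
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }

  LOG.info(script.name + ": " + user.username + " holds " + REQUIRED_ROLE + "; allowing login");
  context.success();
}

// Part of the script authenticator contract; this script renders no form.
function action(context) {
  context.success();
}

// ---- constructed harness: stand-ins for Keycloak's script globals ----------
var AUTH_ERRORS = { INVALID_USER: "INVALID_USER", INTERNAL_ERROR: "INTERNAL_ERROR" };
globalThis.Java = {
  type: function (name) {
    if (name === "org.keycloak.authentication.AuthenticationFlowError") return AUTH_ERRORS;
    throw new Error("unknown Java type " + name);
  }
};
globalThis.LOG = { info: function () {}, warn: function () {} };
globalThis.script = { name: "require-client-role" };

// Runs the authenticator for `username` holding `userRoles` in a realm that
// defines `realmRoles`; returns "success" or "failure:<AuthenticationFlowError>".
function simulateLogin(username, userRoles, realmRoles) {
  globalThis.realm = {
    getRole: function (name) {
      return realmRoles.indexOf(name) >= 0 ? { name: name } : null;
    }
  };
  globalThis.user = {
    username: username,
    hasRole: function (role) { return userRoles.indexOf(role.name) >= 0; }
  };
  var outcome = null;
  var context = {
    success: function () { outcome = "success"; },
    failure: function (err) { outcome = "failure:" + err; }
  };
  authenticate(context);
  return outcome;
}

// Sample data (constructed): mirrors the question, where only user-2 may reach Client-2.
var REALM_ROLES = ["client-1-access", "client-2-access"];
console.log(simulateLogin("user-2", ["client-1-access", "client-2-access"], REALM_ROLES)); // success
console.log(simulateLogin("user-1", ["client-1-access"], REALM_ROLES));                    // failure:INVALID_USER
console.log(simulateLogin("user-1", ["client-1-access"], ["client-1-access"]));            // failure:INTERNAL_ERROR
```

The flow that contains this authenticator is then selected per client under the client's Authentication Flow Overrides, so each client can demand a different role. Failing closed when the role lookup returns null matters: an authenticator that only checks `hasRole` and otherwise calls `success()` would silently admit everyone if the role were ever removed. In recent Keycloak versions the `scripts` feature has to be enabled for script authenticators to be available.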