I have a Spring Boot application secured with Keycloak. Each user in the realm has roles for my resource (client). Roles are configured on the Users tab, for a particular user, under the Role Mapping tab as Client Roles.
I also use the integration with LDAP Active Directory, from which all the users come. Now, if I want to add a specific role for an Active Directory (AD) group, I have to go to Active Directory, get all users for the particular group and add the desired role via the Keycloak API in a separate application, which is extremely bad logic.
In a previous version of Keycloak (5.0.1) there was a Script Mapper in JavaScript that could get Active Directory groups and map them into roles for a particular client. The latest version, 8.0.1, has no such mapper.
I wonder whether there is any mapper or other ability in the latest version of Keycloak to map AD groups to resource roles, so I could say that group_name has role user for client_name, and the role user would appear in the Keycloak token under the resource_access.client_name.roles list.
You can achieve what you want by following these steps:
Go to "Groups" on the left menu
Select the group
Using the "Role Mappings" tab, choose which client role should be assigned to members of that group.
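Once the group-to-client-role mapping above is in place, the role shows up in the access token exactly where the question expects it. As an added example (not from the original answers), here is a Python check of that claim; the token is constructed and unsigned, the client id client_name and role user are the ones named in the question, and signature verification is assumed to happen upstream in the Keycloak adapter.

```python
import base64
import json

# Keycloak puts client roles in the access token under
# resource_access.<client_id>.roles (realm roles live under realm_access.roles).


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def token_claims(access_token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).
    Assumption: the signature was already verified by the Keycloak adapter;
    this function only extracts claims and never trusts an unverified token."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(claims: dict, client_id: str) -> frozenset:
    """Roles granted for one client. A missing resource_access claim or an
    absent client entry means 'no roles', so an unmapped user is simply denied."""
    return frozenset(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def has_client_role(claims: dict, client_id: str, role: str) -> bool:
    return role in client_roles(claims, client_id)


def make_demo_token(payload: dict) -> str:
    # Constructed, UNSIGNED token for demonstration only (signature segment is a stub)
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.sig"


# Constructed claims resembling what Keycloak issues once an AD group is mapped
# to the client role "user" on client "client_name" (issuer is a placeholder).
DEMO_CLAIMS = {
    "iss": "https://keycloak.example/auth/realms/demo",
    "preferred_username": "alice",
    "resource_access": {"client_name": {"roles": ["user"]}, "account": {"roles": ["view-profile"]}},
}
DEMO_TOKEN = make_demo_token(DEMO_CLAIMS)

if __name__ == "__main__":
    claims = token_claims(DEMO_TOKEN)
    print(sorted(client_roles(claims, "client_name")))  # ['user']
    print(has_client_role(claims, "client_name", "admin"))  # False
```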
I'm running a Spring app on Kubernetes. App is authenticated via keycloak (also run on k8s).
The problem is that when Kubernetes has more than one edge node configured, I can connect only from the node that is configured in keycloak.auth-server-url in the Spring app. On the other edge nodes I'm getting an Invalid token issuer error. Do you know any solution for that problem?
Remember that first, during Keycloak configuration, you have to create a new client named persons-app, specific to the application. You can do that under Clients in the left column and then clicking Create.
Then proper redirect URL needs to be configured.
After setting up the proper client, a new role user is added to Keycloak. This role can later be assigned to individual users in order to define appropriate access policies.
The last thing you have to do is create an actual user and assign the newly created role to that user. This can be done by clicking Add User under the Users page.
Next, you have to set a password for the user. In this example, it is the standard password for example projects (i.e. password).
Roles of a user can be managed under the tab Role Mappings. You have to add the role user to Assigned Roles.
That's it. Keycloak is now ready to be used and has already a very (very) small user base. Now you can proceed to the actual application, which should be secured.
Remember that in order to store relevant information and configuration, a PostgreSQL database must be set up first.
You can find more information here: spring-keycloak.
In our system we are currently using UAA for user authentication. There is also a need to put in place access control for resources. A resource is defined as a runtime entity created by a user. Access to the resource depends on which group the user belongs to. In order to achieve that, I want to create custom groups and roles in UAA and attach privileges to the groups and roles. Is there a provision to add custom groups and roles in UAA? If not, how can it be done?
You can always add custom groups with the REST APIs or commands.
Here is the command line example.
- Get the token for an admin client:
    uaac token client get admin -s adminsecret
- Create the group:
    uaac group add custom.group
- Add a user to the group:
    uaac member add custom.group user1
The user1 token will start showing the custom.group in its scope list.
You must of course also add the custom.group entry to the scope of the client you are requesting the token with. If the client does not have it in its scope list, the user1 token returned will also not show custom.group in its scope.
I'm developing an application using Grails and Spring Security.
My wish is that when the user creates his account, entering his company name, the app creates an entry in the company, role and user tables and relates that role and user with the company entry.
The role created will be like an administrator, which has permission to do everything. The user with that role can create new roles specifying their permissions, but all roles created should be in the company scope only, so those roles should not be available to users of other companies.
I've seen that Spring Security has a feature called Requestmap, with which the application can specify, for each URL, the roles that will have access.
I don't know if this is the best solution, because in my app the number of roles will grow at least as fast as the number of users.
Do you guys have some advice on how to solve this problem?
Thank you all.
You should have a look at the Spring Security ACL plugin.
With this plugin you would be able to grant permissions (like write or read permission) to certain users on certain domain model instances.
Have a look at this example taken from the documentation:
// Method of a Grails service; the Transactional import depends on the Grails
// version (grails.gorm.transactions.Transactional in newer releases)
import grails.transaction.Transactional
import org.springframework.security.access.prepost.PreAuthorize

@Transactional
@PreAuthorize("hasPermission(#report, write) or " +
              "hasPermission(#report, admin)")
Report updateReport(Report report, params) {
    // only reached if the ACL grants the current user write or admin on this report
    report.properties = params
    report.save()
    report
}
The PreAuthorize annotation checks whether the user has write (or admin) permission on this particular Report instance before the method runs.
We’re currently running the Okta Active Directory agent in order to import our users into Okta.
I'd like to replace this with a custom built process that imports users into a new internal database, for other user-management-related activities, whilst also adding those users to Okta.
Creating the user in Okta is easy, but I also need to get the user's "provider" set to ACTIVE_DIRECTORY, so that Okta delegates authentication to Active Directory.
The documentation (http://developer.okta.com/docs/api/resources/users.html#provider-object) says that the user's Provider field is read-only.
How can I set it?
While you cannot directly manipulate the credential object, you can leverage other features available to achieve the desired result.
Create a group in Okta and configure it as a directory provisioning group. From the designated group select 'Manage Directories', add the desired Directory and follow the wizard to completion.
Add the created users to the group (using the API).
You unfortunately cannot set this property as we do not allow the creation of Active Directory users through the public API at this point.
If the purpose of the new process is simply to enrich the user's profile, can't you achieve this by letting the AD agent sync the users and enriching the profile directly through the API?
How do I automatically create a user in Active Directory at the same time as creating the user in Okta? Is there an API/SDK to do this?
You can use the Create User call to create a User in Okta. Additionally, you can add this user to a group.
Upon membership in this specific group, which should be configured with AD as the provisioning target, the group members are provisioned in AD (or in any other application, as configured).