| Note |
|---|
The following instructions were generated by following the Administration Console view in version Keycloak 12.0.2. The location of the tabs might differ starting with version 18. Please refer to Keycloak 20.0.1: How-to for steps using version 20.0.01. |
Create a custom scope
Open the Keycloak administration console
Open the “Client Scopes” tab
Click “Create”
Enter the following information:
Name: modelop_client
Description: A ModelOp custom scope used to distinguish between an OAuth2 client and an end-user
Protocol: openid-connect
Display On Consent Screen: OFF
Include in Token Scope: ON
GUI order:
Click “Save”
Create a user attribute mapper
| Info |
|---|
Please use this type of mapper when there is an LDAP attribute containing the user’s group(s) |
To create a user attributemapper which specifies which LDAP attribute maps to the attribute of the Keycloak user, please follow these steps:
Open the Keycloak administration console
Open the “User Federation” tab
Select the LDAP provider
Open the “Mappers” tab
Click “Create”
Enter the following information:
Name: modelOpGroups
Mapper Type: user-attribute-ldap-mapper
User Model Attribute: memberOf
LDAP Attribute: <Enter the name of the mapped attribute on LDAP object containing the user’s groups>
Read Only: ON
Always Read Value From LDAP: ON
Is Mandatory in LDAP: OFF
Is Binary Attribute: OFF
Click “Save”
...
Open the “Settings” tab
Click “Synchronize all users”
Create a hardcoded attribute mapper
| Info |
|---|
Please use this type of mapper when there is no LDAP attribute containing the user’s group |
...
(s) |
To create a hardcoded attribute mapper which adds a hardcoded group value to each Keycloak user linked with LDAP, please follow these steps:
Open the Keycloak administration console
Open the “User Federation” tab
Select the LDAP provider
Open the “Mappers” tab
Click “Create”
Enter the following information:
Name: modelOpGroups
Mapper Type: hardcoded-attribute-mapper
User Model Attribute Name: memberOf
Attribute Value: modelop
Click “Save”
...