...

  1. In the upper right corner, select “Sync all users” from the dropdown menu for “Action”.

Create a group mapper

Info

Please use this type of mapper when a branch of the LDAP tree contains the user’s group(s).

To create a group mapper which maps LDAP groups from a branch of an LDAP tree into groups within Keycloak, please follow these steps:

  1. Open the Keycloak administration console

  2. Open the “User Federation” tab

  3. Select the LDAP provider

  4. Open the “Mappers” tab

  5. Click “Add mapper”

  6. Enter the following information:

    1. Name: modelOpGroups

    2. Mapper type: group-ldap-mapper

    3. LDAP Groups DN: <The LDAP DN under which the groups of this tree are stored, for example ‘ou=groups,dc=example,dc=org’>

    4. Group Name LDAP Attribute: <Name of the LDAP attribute used in group objects for the group name and RDN. Usually it will be 'cn'>

    5. Group Object Classes: <Object class (or classes) of the group object, comma-separated if more than one class is needed. In a typical LDAP deployment this is 'groupOfNames'; in Active Directory it is usually 'group'>

    6. Preserve Group Inheritance: Off

    7. Ignore Missing Groups: Off

    8. Membership LDAP Attribute: <Name of the LDAP attribute on the group that holds the membership mappings. Usually it will be 'member'; when 'Membership Attribute Type' is 'UID', it is typically 'memberUid'>

    9. Membership Attribute Type: <DN means the LDAP group declares its members by their full DN, for example 'member: uid=john,ou=users,dc=example,dc=com'. UID means the LDAP group declares its members by bare user uid, for example 'memberUid: john'>

    10. Membership User LDAP Attribute

    11. LDAP Filter: <Leave blank>

    12. Mode: READ_ONLY

    13. User Groups Retrieve Strategy: GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE

    14. Member-Of LDAP Attribute: <Name of the LDAP attribute on the LDAP user that lists the groups the user is a member of. Usually it will be 'memberOf', which is also the default value>

    15. Mapped Group Attributes: <Leave blank>

    16. Drop non-existing groups during sync: Off

    17. Groups Path: <Keycloak group path the LDAP groups are added to>

When configuring this mapper, Keycloak pre-populates most of the fields, and those default values are normally correct.

Once the group mapper is created, an additional mapper has to be created for each ModelOp client by following these steps:
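The same mapper can be created through the Keycloak admin REST API, which is useful when the settings above must be reproduced across environments. The Python below is an added example for this page, not ModelOp's or Keycloak's own code. It assumes the component config keys accepted by the admin API for the group-ldap-mapper provider (verify them against your Keycloak version) and uses placeholder values for the base URL, the parent LDAP provider id and the admin token. The builder applies the fixed settings from the list above and refuses the two combinations that quietly produce empty group memberships: 'UID' membership with the 'member' attribute, and 'DN' membership with 'memberUid'.

```python
"""Build (and optionally create) the group-ldap-mapper component described above.

Added example, not ModelOp's or Keycloak's code. The config key names are assumed to
match Keycloak's admin REST API representation of the group-ldap-mapper provider;
check them against your Keycloak version. Config values are lists because a
component's config is multi-valued in the API.
"""
import json
import urllib.request

LDAP_MAPPER_PROVIDER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"


def build_group_ldap_mapper(parent_id, groups_dn, group_object_classes="groupOfNames",
                            membership_attribute_type="DN", membership_ldap_attribute=None,
                            membership_user_ldap_attribute="uid", groups_path="/",
                            name="modelOpGroups"):
    """Return the component representation with the page's fixed settings applied.

    parent_id is the component id of the LDAP user federation provider the mapper
    belongs to (assumed placeholder in the demo below).
    """
    if membership_attribute_type not in ("DN", "UID"):
        raise ValueError("Membership Attribute Type must be 'DN' or 'UID'")
    if membership_ldap_attribute is None:
        # Defaults from the page: 'member' for DN-valued groups, 'memberUid' for UID-valued ones.
        membership_ldap_attribute = "member" if membership_attribute_type == "DN" else "memberUid"
    lowered = membership_ldap_attribute.lower()
    if membership_attribute_type == "UID" and lowered == "member":
        raise ValueError("'UID' membership type expects a uid-valued attribute such as 'memberUid'")
    if membership_attribute_type == "DN" and lowered == "memberuid":
        raise ValueError("'DN' membership type expects a DN-valued attribute such as 'member'")
    if not groups_path.startswith("/"):
        raise ValueError("Groups Path is a Keycloak group path and must start with '/'")

    config = {
        "groups.dn": [groups_dn],
        "group.name.ldap.attribute": ["cn"],
        "group.object.classes": [group_object_classes],
        "preserve.group.inheritance": ["false"],
        "ignore.missing.groups": ["false"],
        "membership.ldap.attribute": [membership_ldap_attribute],
        "membership.attribute.type": [membership_attribute_type],
        "membership.user.ldap.attribute": [membership_user_ldap_attribute],
        "groups.ldap.filter": [""],                       # LDAP Filter: leave blank
        "mode": ["READ_ONLY"],
        "user.roles.retrieve.strategy": ["GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE"],
        "memberof.ldap.attribute": ["memberOf"],
        "mapped.group.attributes": [""],                  # Mapped Group Attributes: leave blank
        "drop.non.existing.groups.during.sync": ["false"],
        "groups.path": [groups_path],
    }
    return {
        "name": name,
        "providerId": "group-ldap-mapper",
        "providerType": LDAP_MAPPER_PROVIDER_TYPE,
        "parentId": parent_id,
        "config": config,
    }


def create_component(base_url, realm, admin_token, representation):
    """POST the representation to the realm's components endpoint; returns the HTTP status.

    base_url is the Keycloak root URL and admin_token a bearer token with rights to
    manage the realm; both are supplied by the caller (placeholders in the demo).
    """
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/components",
        data=json.dumps(representation).encode("utf-8"),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:   # 201 Created on success
        return resp.status


if __name__ == "__main__":
    # Offline demonstration with constructed values; no request is sent.
    rep = build_group_ldap_mapper(parent_id="<ldap-provider-component-id>",
                                  groups_dn="ou=groups,dc=example,dc=org",
                                  groups_path="/modelop")
    print(json.dumps(rep, indent=2))
```

For Active Directory pass `group_object_classes="group"` and keep the 'DN' membership type with 'member'; the 'UID' branch is only for directories that list members as `memberUid` values, in which case `membership_user_ldap_attribute` names the user attribute those values refer to.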

  1. Open the “Clients” tab

  2. For each ModelOp client, follow these steps:

    1. Select the client

    2. Open the “Client scopes” tab

    3. Open the “<client-name>-dedicated” scope

    4. Click “Add mapper” and choose “By configuration”

    5. Select “Group Membership”

    6. Enter the following information:

      1. Mapper type: Group Membership

      2. Name: modelopGroups2

      3. Token Claim Name: <Name of the claim to insert into the token>

      4. Full group path: Off

      5. Add to ID token: On

      6. Add to access token: On

      7. Add to userinfo: On

    7. Click “Save”
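Once both mappers exist, the quickest check is to obtain tokens for a test user and confirm that the claim named under “Token Claim Name” appears in both the ID token and the access token, carrying plain group names (no leading path) because “Full group path” is Off. The Python below is an added example, not part of this page or of ModelOp's tooling; the two tokens are constructed inline with a placeholder signature so it runs offline, and the claim name `groups` is an assumption. It only reads claims and performs no signature verification, so it is a configuration check, not something to base authorization on.

```python
"""Inspect issued tokens to confirm the Group Membership mapper output.

Added example, not from the page or ModelOp. jwt_claims() decodes the payload
without verifying the signature; use it to check mapper configuration only.
"""
import base64
import json


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token):
    """Return the payload of a compact JWS as a dict (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_group_claim(id_token, access_token, claim_name):
    """Return a list of findings; an empty list means both tokens carry the claim as configured."""
    findings = []
    for label, token in (("id_token", id_token), ("access_token", access_token)):
        groups = jwt_claims(token).get(claim_name)
        if groups is None:
            findings.append(f"{label}: claim '{claim_name}' missing; check 'Add to {label}' on the mapper")
            continue
        if not isinstance(groups, list):
            findings.append(f"{label}: claim '{claim_name}' is not a list")
            continue
        if not groups:
            findings.append(f"{label}: claim '{claim_name}' is empty; check the LDAP group mapper sync")
        if any(isinstance(g, str) and g.startswith("/") for g in groups):
            findings.append(f"{label}: group names carry a path prefix; 'Full group path' appears to be On")
    return findings


def make_sample_token(claims):
    """Constructed token for offline demonstration: a real Keycloak token is RS256-signed;
    here the signature segment is a placeholder and is never verified."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample tokens (not real Keycloak output).
SAMPLE_ID_TOKEN = make_sample_token({"sub": "constructed-user", "groups": ["modelop-admins", "modelop-users"]})
SAMPLE_ACCESS_TOKEN_FULL_PATH = make_sample_token({"sub": "constructed-user", "groups": ["/modelop-admins"]})

if __name__ == "__main__":
    for finding in check_group_claim(SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN_FULL_PATH, "groups"):
        print(finding)
```

Run it against real tokens by pasting the ID and access token strings obtained from a test login in place of the constructed samples; an empty findings list means the claim reached both tokens in the expected shape.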

...

Official Keycloak Resources

The following links from the official Keycloak documentation are excellent resources that cover the topics and settings required for ModelOp Center: