Note: The instructions were generated by following the Administration Console view in Keycloak version 12.0.2. The location of the tabs might differ starting with version 18. Please refer to Keycloak 20.0.1: How-to for steps using version 20.0.1.
Create a custom scope
Open the Keycloak administration console
Open the “Client Scopes” tab
Click “Create”
Enter the following information:
Name: modelop_client
Description: A ModelOp custom scope used to distinguish between an OAuth2 client and an end-user
Protocol: openid-connect
Display On Consent Screen: OFF
Include in Token Scope: ON
GUI order:
Click “Save”
Create a user attribute mapper
Info: Please use this type of mapper when there is an LDAP attribute containing the user’s group(s).
To create a user attribute mapper that specifies which LDAP attribute maps to the attribute of the Keycloak user, please follow these steps:
Open the Keycloak administration console
Open the “User Federation” tab
Select the LDAP provider
Open the “Mappers” tab
Click “Create”
Enter the following information:
Name: modelOpGroups
Mapper Type: user-attribute-ldap-mapper
User Model Attribute: memberOf
LDAP Attribute: <Enter the name of the attribute on the LDAP object that contains the user’s groups>
Read Only: ON
Always Read Value From LDAP: ON
Is Mandatory in LDAP: OFF
Is Binary Attribute: OFF
Click “Save”
...
Open the “Settings” tab
Click “Synchronize all users”
Create a hardcoded attribute mapper
Info: Please use this type of mapper when there is no LDAP attribute containing the user’s group(s).
To create a hardcoded attribute mapper which adds a hardcoded group value to each Keycloak user linked with LDAP, please follow these steps:
Open the Keycloak administration console
Open the “User Federation” tab
Select the LDAP provider
Open the “Mappers” tab
Click “Create”
Enter the following information:
Name: modelOpGroups
Mapper Type: hardcoded-attribute-mapper
User Model Attribute Name: memberOf
Attribute Value: modelop
Click “Save”
...
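The three console procedures above (custom client scope, LDAP user attribute mapper plus full sync, hardcoded attribute mapper) expressed with Keycloak’s kcadm.sh admin CLI, so the configuration is repeatable and reviewable instead of click-only. This is an added example, not a script shipped by ModelOp or Keycloak. It assumes kcadm.sh is on PATH (or KCADM points to it), that an admin session was already opened with kcadm.sh config credentials, that REALM names your realm (the value "modelop" below is a constructed default), that LDAP_COMPONENT_ID holds the id of your LDAP User Federation provider, and that LDAP_GROUP_ATTR is the LDAP attribute the page leaves as a placeholder. The config keys are the ones the Keycloak mapper factories use for the console fields shown above.

```shell
#!/bin/sh
# Added example (not ModelOp's or Keycloak's own script): the Administration
# Console steps from this page driven through kcadm.sh.
#
# Assumptions: kcadm.sh on PATH or KCADM set; admin session already opened with
#   kcadm.sh config credentials --server <url> --realm master --user <admin>
# LDAP_COMPONENT_ID is the id of the LDAP User Federation provider; look it up with
#   kcadm.sh get components -r "$REALM" -q type=org.keycloak.storage.UserStorageProvider --fields id,name,providerId

KCADM="${KCADM:-kcadm.sh}"
REALM="${REALM:-modelop}"                        # constructed default; set to your realm
LDAP_COMPONENT_ID="${LDAP_COMPONENT_ID:-}"       # id of the LDAP provider component
LDAP_GROUP_ATTR="${LDAP_GROUP_ATTR:-memberOf}"   # placeholder: LDAP attribute holding the user's groups

# "Create a custom scope": same field values as the console form.
# Display On Consent Screen = OFF, Include in Token Scope = ON.
create_modelop_client_scope() {
  "$KCADM" create client-scopes -r "$REALM" \
    -s name=modelop_client \
    -s protocol=openid-connect \
    -s 'description=A ModelOp custom scope used to distinguish between an OAuth2 client and an end-user' \
    -s 'attributes."display.on.consent.screen"="false"' \
    -s 'attributes."include.in.token.scope"="true"'
}

# "Create a user attribute mapper": copy an LDAP attribute into the user's
# memberOf attribute. Read Only = ON means Keycloak never writes group membership
# back to LDAP; Always Read Value From LDAP = ON means group changes in LDAP are
# seen immediately rather than served from the cached Keycloak copy.
create_ldap_group_attribute_mapper() {
  "$KCADM" create components -r "$REALM" \
    -s name=modelOpGroups \
    -s providerId=user-attribute-ldap-mapper \
    -s providerType=org.keycloak.storage.ldap.mappers.LDAPStorageMapper \
    -s parentId="$LDAP_COMPONENT_ID" \
    -s 'config."user.model.attribute"=["memberOf"]' \
    -s "config.\"ldap.attribute\"=[\"$LDAP_GROUP_ATTR\"]" \
    -s 'config."read.only"=["true"]' \
    -s 'config."always.read.value.from.ldap"=["true"]' \
    -s 'config."is.mandatory.in.ldap"=["false"]' \
    -s 'config."is.binary.attribute"=["false"]'
}

# "Synchronize all users" on the provider's Settings tab (full sync action).
sync_all_ldap_users() {
  "$KCADM" create "user-storage/$LDAP_COMPONENT_ID/sync?action=triggerFullSync" -r "$REALM"
}

# "Create a hardcoded attribute mapper": every LDAP-linked user gets memberOf=modelop.
create_hardcoded_group_mapper() {
  "$KCADM" create components -r "$REALM" \
    -s name=modelOpGroups \
    -s providerId=hardcoded-attribute-mapper \
    -s providerType=org.keycloak.storage.ldap.mappers.LDAPStorageMapper \
    -s parentId="$LDAP_COMPONENT_ID" \
    -s 'config."user.model.attribute"=["memberOf"]' \
    -s 'config."attribute.value"=["modelop"]'
}

# Usage: ./modelop-keycloak.sh ldap-attribute   (LDAP has a group attribute)
#        ./modelop-keycloak.sh hardcoded        (no LDAP group attribute)
case "${1:-}" in
  ldap-attribute) create_modelop_client_scope && create_ldap_group_attribute_mapper && sync_all_ldap_users ;;
  hardcoded)      create_modelop_client_scope && create_hardcoded_group_mapper ;;
esac
```

Pick exactly one of the two mapper functions, matching the Info notes above: both create a mapper named modelOpGroups on the same provider, so running both would leave two mappers competing for the memberOf attribute. Setting KCADM=echo prints the kcadm.sh invocations without applying anything, which is a convenient way to review the generated configuration before running it against a realm.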