Keycloak 20.0.1: How-to
Create a custom scope
Open the Keycloak administration console
Open the “Client scopes” tab
Click “Create client scope”
Enter the following information:
Name: modelop_client
Description: A ModelOp custom scope used to distinguish between an OAuth2 client and an end-user
Type: Optional
Protocol: OpenID Connect
Display on consent screen: Off
Include in token scope: On
Display Order: <Leave blank>
Click “Save”
Once the scope is created, add it as a scope to the internal-client by following these steps:
Open the “Clients” tab
Select “internal-client”
Open the “Client scopes” tab
Click “Add client scope”
Select “modelop_client”
Click “Add” and select “Optional”
Create a user attribute mapper
Please use this type of mapper when there is an LDAP attribute containing the user’s group(s)
To create a user attribute mapper which specifies which LDAP attribute maps to the attribute of the Keycloak user, please follow these steps:
Open the Keycloak administration console
Open the “User Federation” tab
Select the LDAP provider
Open the “Mappers” tab
Click “Add mapper”
Enter the following information:
Name: modelOpGroups
Mapper Type: user-attribute-ldap-mapper
LDAP Groups DN
User Model Attribute: memberOf
LDAP Attribute: <Enter the name of the mapped attribute on LDAP object containing the user’s groups>
Read Only: On
Always Read Value From LDAP: On
Is Mandatory in LDAP: Off
Attribute default value: <Leave blank>
Force a Default Value: Off
Is Binary Attribute: Off
Click “Save”
Once the group mapper is defined, it needs to be applied to all users by following these steps, starting with “Step 4. Open the ‘Mappers’ tab” listed above:
In the upper right corner, select “Sync all users” from the dropdown menu for “Action”.
Create a hardcoded attribute mapper
Please use this type of mapper when there is no LDAP attribute containing the user’s group(s)
To create a hardcoded attribute mapper which adds a hardcoded group value to each Keycloak user linked with LDAP, please follow these steps:
Open the Keycloak administration console
Open the “User Federation” tab
Select the LDAP provider
Open the “Mappers” tab
Click “Add mapper”
Enter the following information:
Name: modelOpGroups
Mapper Type: hardcoded-attribute-mapper
User Model Attribute Name: memberOf
Attribute Value: modelop
Click “Save”
Once the group mapper is defined, it needs to be applied to all users by following these steps, starting with “Step 4. Open the ‘Mappers’ tab” listed above:
In the upper right corner, select “Sync all users” from the dropdown menu for “Action”.
Create a group mapper
Please use this type of mapper when there is a branch of an LDAP tree containing the user’s group(s)
To create a group mapper which maps LDAP groups from a branch of an LDAP tree into groups within Keycloak, please follow these steps:
Open the Keycloak administration console
Open the “User Federation” tab
Select the LDAP provider
Open the “Mappers” tab
Click “Add mapper”
Enter the following information:
Name: modelOpGroups
Mapper type: group-ldap-mapper
LDAP Groups DN: <Enter the LDAP DN where are groups of this tree saved. For example, ‘ou=groups,dc=example,dc=org’>
Group Name LDAP Attribute: <Name of LDAP attribute, which is used in group objects for name and RDN of group. Usually it will be 'cn'>
Group Object Classes: <Object class (or classes) of the group object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames' . In Active Directory it's usually 'group'>
Preserve Group Inheritance: Off
Ignore Missing Groups: Off
Membership LDAP Attribute: <Name of LDAP attribute on group, which is used for membership mappings. Usually it will be 'member' .However when 'Membership Attribute Type' is 'UID' then 'Membership LDAP Attribute' could be typically 'memberUid'>
Membership Attribute Type: <DN means that LDAP group has its members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . UID means that LDAP group has its members declared in form of pure user uids. For example 'memberUid: john'>
Membership User LDAP Attribute
LDAP Filter: <Leave blank>
Mode: READ_ONLY
User Groups Retrieve Strategy: GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
Member-Of LDAP Attribute: < It specifies the name of the LDAP attribute on the LDAP user, which contains the groups, which the user is member of. Usually it will be 'memberOf' and that's also the default value>
Mapped Group Attributes: <Leave blank>
Drop non-existing groups during sync: Off
Groups Path: <Keycloak group path the LDAP groups are added to>
When configuring this mapper, Keycloak will populate most of the fields and normally those default values are correct.
Once the group mapper is created, an additional mapper has to be created for each of the ModelOp clients by following these steps:
Open the “Clients” tab
For each ModelOp client, follow these steps:
Select the client
Open the “Client scopes” tab
Open the “<client-name>-dedicated“ scope
Click “Add mapper” by configuration
Select “Group Membership”
Enter the following information:
Mapper type: Group Membership
Name: modelopGroups2
Token Claim Name: <Name of the claim to insert into the token>
Full group path: Off
Add to ID token: On
Add to access token: On
Add to userinfo: On
Click “Save”
Official Keycloak Resources
The following links from the official Keycloak documentation are excellent resources that cover the topics and settings required for ModelOp Center: