Reputation: 6324
How do I create an admin user in a realm in Keycloak? I tried /bin/add-user.sh -r myrealm -u admin -p <pwd>
It gave me the error:
* Error *
WFLYDM0065: The user supplied realm name 'myrealm' does not match the realm name discovered from the property file(s) 'ManagementRealm'.
Exception in thread "main" org.jboss.as.domain.management.security.adduser.AddUserFailedException: WFLYDM0065: The user supplied realm name 'myrealm' does not match the realm name discovered from the property file(s) 'ManagementRealm'.
at org.jboss.as.domain.management.security.adduser.ErrorState.execute(ErrorState.java:72)
at org.jboss.as.domain.management.security.adduser.AddUser.run(AddUser.java:133)
at org.jboss.as.domain.management.security.adduser.AddUser.main(AddUser.java:231)
at org.jboss.modules.Module.run(Module.java:352)
at org.jboss.modules.Module.run(Module.java:320)
at org.jboss.modules.Main.main(Main.java:593)
I tried /bin/add-user-keycloak.sh -r myrealm -u admin -p <pwd>. It asked me to restart the server which I did but I did not see the user either.
If one knows how to make it using the python client, that would be great too.
Upvotes: 35
Views: 124990
Reputation: 10136
- users (sidebar) -> add user (button on the right side)
- save button.
- Credentials tab and set password.
- Role Mapping tab:
- Assign role button
- Filter by clients and type realm-management to ease your search.
- realm-admin (it's enough, since other realm-management roles are composing, and therefore inherited, from this one). Effective Role(s) will show the role mapping for the client.
You can also automate user creation via Admin REST API: https://www.keycloak.org/docs-api/24.0.0/rest-api/index.html
Upvotes: 90
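The console steps in the answer above (create the user, set a password, assign realm-admin from the realm-management client) carried out through the Admin REST API it links to. This is an added example, not part of the original answer or of Keycloak's own code. It assumes a master-realm admin account, the built-in admin-cli client, and a base URL that already includes /auth on older WildFly-based distributions; the function names are illustrative.

```python
import json
import urllib.parse
import urllib.request


def http(method, url, token=None, form=None, body=None):
    """Send one request; return (Location header, parsed JSON body or None)."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    data = None
    if form is not None:  # token endpoint expects form encoding
        data = urllib.parse.urlencode(form).encode()
    elif body is not None:  # admin endpoints expect JSON
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        raw = resp.read()
        return resp.headers.get("Location"), json.loads(raw) if raw else None


def create_realm_admin(base, realm, username, password,
                       master_user, master_pass, send=http):
    """Create `username` in `realm` and grant realm-management/realm-admin."""
    # 1. Token for the master-realm admin through the built-in admin-cli client.
    _, tok = send("POST", f"{base}/realms/master/protocol/openid-connect/token",
                  form={"grant_type": "password", "client_id": "admin-cli",
                        "username": master_user, "password": master_pass})
    token = tok["access_token"]
    admin = f"{base}/admin/realms/{urllib.parse.quote(realm, safe='')}"
    # 2. Create the user; temporary=True forces a password change at first login.
    location, _ = send("POST", f"{admin}/users", token=token, body={
        "username": username, "enabled": True,
        "credentials": [{"type": "password", "value": password,
                         "temporary": True}]})
    user_id = location.rstrip("/").rsplit("/", 1)[-1]
    # 3. Resolve the realm-management client and its realm-admin role.
    _, clients = send("GET", f"{admin}/clients?clientId=realm-management",
                      token=token)
    client_uuid = clients[0]["id"]
    _, role = send("GET", f"{admin}/clients/{client_uuid}/roles/realm-admin",
                   token=token)
    # 4. Map the role to the user (the "Assign role" step in the console).
    send("POST", f"{admin}/users/{user_id}/role-mappings/clients/{client_uuid}",
         token=token, body=[role])
    return user_id
```

A 409 from step 2 means the username already exists in that realm; it surfaces as urllib.error.HTTPError and no role is assigned.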
Reputation: 411
I found this detailed answer here. Since the UI changed a bit over time, this helped me find the settings. I'll paste it here, see the link above for the original thread.
Hi Carl, Thanks, even if your answer was a bit on the cryptic side. So this post just to clarify for others in the same position:
Everything must be done as superadmin in the target realm:
- In the navigation panel select “Users”
- Click the user you want as local admin
- Select Tab “Role Mapping”
- Click “Assign Role”
- Here comes the tricky part. I believed that the “Filter by realm roles” was a filter to narrow the selection, but it is actually a drop-down menu. Click it and select “Filter by clients”.
- Select the “realm-admin” with tag “realm-management”
So thanks again Carl. Obviously you know your way around Keycloak, but some of us are just getting there. But knowing that the option was in fact available was the kicker.
Upvotes: 2
Reputation: 295
From your example, I suppose you want to create an admin that would administrate a new realm. Then an admin from this new realm, different from the master (default) one.
Simply, here is the way to create an admin in a realm.
- Master realm, create a new realm (Myrealm)
- admin role for the newly created realm
- Configure main title, select Roles
- Realm Roles tab, click on the button Add Role and give it a name (admin) and a description (Myrealm admin role) and switch on the Composite Role
- client roles field: realm-management, then select it.
- Available Roles, click [Add selected] button.
/!\ This role is only available to this realm and will affect only users related to the realm.
- Role Mappings tab, and send the Available Roles admin to Assigned Roles.
Try to log in at http://keycloak/auth/admin/REALM_NAME/console (replace REALM_NAME with realm name in which you created the user) and adjust permissions of this realm admin user (from another browser with the master admin account). For example, the new admin realm user can delete role (that is not normal), it can do many things on their realm you don't want it to do explicitly... (I guess)
That's all.
Upvotes: 15
Reputation: 13522
Please have a look at this command:
/bin/add-user.sh -r myrealm -u admin -p <pwd>
Here you are trying to run a shell script which will create a user admin with some password under realm myrealm.
So it's mandatory that the myrealm realm exists before you create a user under it.
If this is not working, try to create a user under the master realm, which is the default realm that exists after Keycloak installation.
If you are not aware how to create a realm, here are some admin-cli and curl commands to do so:
How to create realm with the help of admin-cli
/opt/keycloak/bin/kcadm.sh create realms -s realm=<Realm-NAME> -s id="<realm-id>" -s enabled=true
How to create realm with the help of curl command
curl -v <Keycloak-Ip-address>:<Port>/auth/admin/realms -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" --data '{"realm":"Realm-name","id":"Realm-id","enabled":"true"}' -k
Upvotes: 9
Reputation: 9633
You should be able to create using add-user-keycloak command, but you need to restart the keycloak server to actually add the user. here is the documentation
/bin/add-user-keycloak.sh -r myrealm -u admin -p <password>
But before adding user you need to create realm myrealm using
kcadm.sh create realms ........
Upvotes: 11