gehtmaguad

Reputation: 653

How to set a default group on an Identity Provider in Keycloak

In Keycloak, is there a way to assign users to a default group when those users sign in over an Identity Provider?

Note: This already works with roles. E.g. navigate to Identity Provider > select Provider > Mappers > New > Hardcoded Role > select Role > Save. However, such a Mapper seems to be missing for selecting groups.

Any ideas on how to achieve this?

Upvotes: 14

Views: 3927

Answers (2)

dreamcrash

Reputation: 51453

One would assume that such a mapper would exist, but unfortunately, until the most recent version it does not. However, aside from extending and creating your own mapper, you can do the following workaround:

  • Navigate to the identity provider configuration;
  • Select the IDP;
  • Go to Mappers and click on create;
  • As Mapper Type select Advanced Claim to Group;
  • Add Key and Value claims that you know will always be present in all the tokens coming from the IDP, regardless of the user;
  • For example, 'exp' as the key, and '*' as the value. For this particular example, you would need to enable the 'Regex Claim Values' option;
  • In the field Group select the group to be automatically added by default to all users coming from the external IDP;
  • Click on save.

If you log in via the external IDP with a given user, you should see that the user belongs to the group that you have set. To check that, go to users > select the desired user > Tab Groups.


The other option would be to use the default group feature:

To automatically assign group membership to any user who is created or who is imported through Identity Brokering, you use default groups.

The problem is that the default group will be assigned to your new users regardless of the IDP (or user federation they came from), which might be undesirable.

On the old Keycloak UI

[screenshot: Default Groups page in the old Keycloak admin console]

On the new Keycloak UI

[screenshot: Default Groups page in the new Keycloak admin console]

Upvotes: 4
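The mapper configured by hand above can also be created through the Admin REST API, and it helps to see what the mapper actually decides on each brokered login. The following Python is an added example, not code from the question, the answer or the Keycloak project. It assumes the mapper type id `oidc-advanced-group-idp-mapper` and the config keys `claims`, `are.claim.values.regex`, `group` and `syncMode` as found in Keycloak's source for the Advanced Claim to Group mapper; verify them against the JSON the admin console stores for a mapper you create manually on your version. Because Python's `re` module rejects a bare `*`, the catch-all pattern here is `.*`; check which form your Keycloak version accepts. The sample claims, IDP alias and group paths are constructed for the demonstration.

```python
import json
import re
import urllib.request

# Keycloak identifiers for the "Advanced Claim to Group" IDP mapper.
# ASSUMPTION: taken from the Keycloak source as remembered; confirm on your version.
MAPPER_TYPE = "oidc-advanced-group-idp-mapper"
CLAIMS_KEY = "claims"                       # JSON-encoded list of {"key","value"}
REGEX_KEY = "are.claim.values.regex"        # "true" / "false" as strings
GROUP_KEY = "group"                         # full group path, e.g. "/external-users"


def build_group_mapper(idp_alias, group_path, claims, use_regex, name="default-group"):
    """Build the IdentityProviderMapperRepresentation that the Admin REST API
    expects at POST /admin/realms/{realm}/identity-provider/instances/{alias}/mappers.
    `claims` is a list of (key, value) pairs; Keycloak stores them as one JSON string."""
    return {
        "name": name,
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": MAPPER_TYPE,
        "config": {
            CLAIMS_KEY: json.dumps([{"key": k, "value": v} for k, v in claims]),
            REGEX_KEY: "true" if use_regex else "false",
            GROUP_KEY: group_path,
            "syncMode": "INHERIT",  # follow the IDP's own sync mode
        },
    }


def mapper_applies(mapper, token_claims):
    """Re-implement the per-login decision: every configured key/value pair must
    be present in the token and match (AND semantics), either exactly or as a
    full regex match when the regex option is enabled."""
    cfg = mapper["config"]
    use_regex = cfg[REGEX_KEY] == "true"
    for pair in json.loads(cfg[CLAIMS_KEY]):
        if pair["key"] not in token_claims:
            return False
        actual = str(token_claims[pair["key"]])
        if use_regex:
            if re.fullmatch(pair["value"], actual) is None:
                return False
        elif actual != pair["value"]:
            return False
    return True


def groups_for_login(mappers, token_claims):
    """Return the sorted set of group paths a brokered user would receive."""
    return sorted({m["config"][GROUP_KEY] for m in mappers if mapper_applies(m, token_claims)})


def create_mapper(base_url, realm, idp_alias, admin_token, mapper):
    """POST the representation to a live Keycloak (needs network and an admin
    access token; not exercised offline). Returns the HTTP status, 201 on success."""
    url = f"{base_url}/admin/realms/{realm}/identity-provider/instances/{idp_alias}/mappers"
    req = urllib.request.Request(
        url, data=json.dumps(mapper).encode(), method="POST",
        headers={"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample claims (not real tokens) for two brokered users.
SAMPLE_TOKENS = {
    "alice": {"sub": "u-1", "exp": 1700000000, "email": "alice@example.com", "tenant": "acme"},
    "bob": {"sub": "u-2", "exp": 1700003600, "email": "bob@example.org"},
}

# The answer's catch-all: 'exp' is in every token, so every IDP user gets the group.
CATCH_ALL = build_group_mapper("corp-oidc", "/external-users", [("exp", ".*")], use_regex=True)
# A narrower mapper for contrast: only users carrying tenant=acme get this group.
TENANT_ONLY = build_group_mapper("corp-oidc", "/acme-tenant", [("tenant", "acme")],
                                 use_regex=False, name="acme-tenant")

if __name__ == "__main__":
    print(json.dumps(CATCH_ALL, indent=2))
    for user, claims in SAMPLE_TOKENS.items():
        print(user, "->", groups_for_login([CATCH_ALL, TENANT_ONLY], claims))
```

Running the script prints the representation you would send to the API and shows that the catch-all mapper assigns `/external-users` to both sample users while the exact-match mapper only fires for the user whose token carries the extra claim, which is the behaviour that makes the `exp` trick work as a per-IDP default group.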

croc

Reputation: 1446

I don't know for other Keycloak versions, but on version 16.1.x the Hardcoded Group mapper doesn't exist. Nor do the Advanced Claim to Role/Group mappers for certain IDP providers (for Google for example). The "Advanced Claim..." mappers are available for the OIDC type IDP providers though.

Upvotes: 0
