Keycloak - Limit users access per client/application

Question

I've just setup my first Keycloak server to offer SSO between two applications. These are not Java applications, and one is connected with SAML-2 and the other with OpenID Connect.

So in Keycloak I have Realm-1, and then Client-1(application1) and Client-2(application2) and user-1 and user-2.

Now I want user-1 to only be allowed access to Client-1, and user-2 to be allowed access to both Client-1 and Client-2. Should be simple enough.

I have tried to read up on Roles and Authorization, but I find the documentation(or maybe just the topic) very confusing. I have been playing around with it with no success. I was expecting an interface to just map a group to a Client, and restrict access to the Clients by adding/removing users from groups.

score 2 · Answer 1 · edited Feb 12 '19 at 16:32

2

If you are using SAML:

Create a new role in Keycloak.
Assign this role to the group.
Create new authentication script in Keycloak. Configure which role is allowed upon login (e.g. user.hasRole(realm.getRole("yourRoleName")) ).
In client setting, under "Authentication Flow overrides" choose the created authentication(from step 3).

If you are using openid, look at the comment in this thread

edited Feb 12 '19 at 16:32

srnjak

915
7
21

answered Jan 27 '19 at 02:18

lukasell

761
1
8
10

2

How to create new authentication script in Keycloak? – srnjak Feb 12 '19 at 14:35
Is there a similar technique for non SAML? – Angelos Pikoulas Feb 12 '19 at 15:22
Instructions are unclear. Please update with an improved answer. – Kevin C Nov 01 '19 at 14:33
It's only an option if you set `-Dkeycloak.profile.feature.scripts=enabled` and `-Dkeycloak.profile.feature.upload_scripts=enabled` – Aurelia Jan 31 '20 at 14:23

Keycloak - Limit users access per client/application

1 Answers1