
In Keycloak, is there a way to assign users to a default group when those users sign in over an Identity Provider?

Note: This already works with roles. E.g. navigate to Identity Provider > select Provider > Mappers > New > Hardcoded Role > select Role > Save. However, such a Mapper seems to be missing for selecting groups.

Any ideas on how to achieve this?

gehtmaguad

2 Answers


One would expect that such a Mapper would exist, but unfortunately, until the most recent version, it does not. However, aside from extending and creating your own mapper, you can do the following workaround:

  • Navigate to the identity provider configuration;
  • Select the IDP;
  • Go to Mappers and click on Create;
  • As Mapper Type, select Advanced Claim to Group;
  • Add Key and Value claims that you know will always be present in all the tokens coming from the IDP, regardless of the user;
  • For example, 'exp' as the key and '*' as the value. For this particular example, you would need to enable the 'Regex Claim Values' option;
  • In the field Group, select the group to be automatically added by default to all users coming from the external IDP;
  • Click on save.

If you log in via the external IDP with a given user, you should see that the user belongs to the group that you have set. To check that, go to Users > select the desired user > Groups tab.

dreamcrash
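The same "catch-all claim" workaround, scripted against the Keycloak Admin REST API instead of clicked through the console. This is an added example, not code from the answer above or from the Keycloak project. It assumes the provider id `oidc-advanced-group-idp-mapper` and the config keys `claims`, `are.claim.values.regex` and `group` that the console's "Advanced Claim to Group" mapper type writes (taken from Keycloak's naming; verify against your version by exporting a console-created mapper first), a server at `http://localhost:8080/auth` with the 16.x-style `/auth` prefix, the realm `myrealm`, the IdP alias `my-oidc-idp`, the group `/external-users` and admin credentials, all placeholders. It uses the regex `.*` as the catch-all value. `mapper_applies` is a local approximation of how the mapper evaluates its claim list, included so the "always-present claim" reasoning can be checked offline against a constructed set of token claims.

```python
"""Create a default-group IdP mapper through the Keycloak Admin REST API.

Added example, not from the original answer. The provider id, config keys,
URLs, realm, alias, group path and credentials below are assumptions.
"""
import json
import re
import urllib.parse
import urllib.request

# Assumed provider id of the console's "Advanced Claim to Group" mapper type.
ADVANCED_CLAIM_TO_GROUP = "oidc-advanced-group-idp-mapper"


def build_default_group_mapper(idp_alias, group_path, claim="exp",
                               pattern=".*", sync_mode="IMPORT"):
    """Build the mapper representation for a mapper that matches every token.

    Mapper config values are strings, so the claim list is JSON-encoded into
    the 'claims' entry rather than sent as a nested array. 'exp' is present in
    every token, and the regex '.*' matches any value, so the group is added
    for every user of this IdP. sync_mode IMPORT applies it at first login only;
    FORCE re-applies it at every login.
    """
    return {
        "name": "default-group-" + group_path.strip("/").replace("/", "-"),
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": ADVANCED_CLAIM_TO_GROUP,
        "config": {
            "syncMode": sync_mode,
            "claims": json.dumps([{"key": claim, "value": pattern}]),
            "are.claim.values.regex": "true",
            "group": group_path,  # group path as shown in the console
        },
    }


def mapper_applies(mapper, token_claims):
    """Approximate the mapper's check: every configured key must be present and
    every value must match (full regex match when regex mode is enabled,
    string equality otherwise). Nested dotted claim paths are not modelled."""
    cfg = mapper["config"]
    use_regex = cfg.get("are.claim.values.regex") == "true"
    for pair in json.loads(cfg["claims"]):
        if pair["key"] not in token_claims:
            return False
        actual = str(token_claims[pair["key"]])
        if use_regex:
            if re.fullmatch(pair["value"], actual) is None:
                return False
        elif actual != pair["value"]:
            return False
    return True


def admin_token(base_url, username, password):
    """Obtain an admin access token from the master realm via admin-cli."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    url = base_url + "/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def create_mapper(base_url, token, realm, mapper):
    """POST the mapper under the IdP instance; Keycloak answers 201 Created."""
    alias = mapper["identityProviderAlias"]
    url = (base_url + "/admin/realms/" + realm
           + "/identity-provider/instances/" + alias + "/mappers")
    req = urllib.request.Request(
        url, data=json.dumps(mapper).encode(), method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    BASE = "http://localhost:8080/auth"  # assumed; 16.x keeps the /auth prefix
    mapper = build_default_group_mapper("my-oidc-idp", "/external-users")
    # Constructed sample claims standing in for an IdP-issued token.
    sample = {"iss": "https://idp.example", "sub": "u1", "exp": 1700000000}
    print("mapper would apply:", mapper_applies(mapper, sample))
    tok = admin_token(BASE, "admin", "admin")  # assumed credentials
    print("create status:", create_mapper(BASE, tok, "myrealm", mapper))
```

Export a mapper you created in the console (GET on the same `.../mappers` path) and compare it with `build_default_group_mapper`'s output before relying on the assumed key names; the second answer below notes that this mapper type is not offered for every IdP kind, and the POST will fail for those.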

I don't know for other Keycloak versions, but on version 16.1.x the Hardcoded Group mapper doesn't exist. Nor do the Advanced Claim to Role/Group mappers for certain IDP providers (for Google for example). The "Advanced Claim..." mappers are available for the OIDC type IDP providers though.

croc