If you want to use Keycloak as the IdP for your SAML login, you might wish to limit access to certain Service Providers (SPs) according to LDAP group memberships.
The way to do this is not very intuitive, so I’ll try to show an easy way to do it.
What we’ll be doing:
- mapping an (LDAP) group to a Keycloak role
- mapping a Keycloak role to a SAML attribute
Step 1: Create a new realm role
Menu on the left:
Realm -> Manage -> Realm Roles (nothing special to do here)
Step 2: Map one of your LDAP groups to this role
- Menu on the left: Realm -> Manage -> Groups
- Select one of the existing (LDAP) groups
- Role mapping -> Assign role
- Choose “Filter by realm roles”, then select the role you just created
That maps (LDAP) groups to Keycloak roles.
Step 3: Create a role mapper
- Menu on the left: Realm -> Manage -> Client scopes
- Create client scope (I’ll name it “role_list”)
- “Protocol”: “SAML” -> Save
- Mappers -> Configure a new mapper
- Select “Role list” (by default this maps the user’s roles to a SAML attribute named “Role”)
- If you want a different SAML attribute name (like “eduPersonAffiliation”), set “Role attribute name” accordingly.
- Set “Single Role Attribute” to “On” (even if it sounds wrong, believe me: all roles then end up as multiple values of one attribute instead of one attribute element per role, which is what most SPs expect)
Step 4: Adapt client scope
- Menu on the left: Realm -> Manage -> Clients
- Select the desired client
- Client scopes -> Add client scope -> “role_list” (or whatever name you chose in Step 3)
Optional: with “Full scope allowed” on, every role of the user is put into the assertion. To limit this to the role(s) you care about, select the “*-dedicated” client scope:
-> Scope -> disable “Full scope allowed”
-> Add specific roles via “Assign role” (Filter by realm roles) and select the desired role(s)
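To show what the mapper from Step 3 actually produces, and what the SP side has to check, here is an added example that is not part of the original post: it parses the role attribute out of a (constructed, already signature-validated) SAML assertion in both shapes Keycloak can emit, with “Single Role Attribute” on and off, and gates access on the role that was mapped from the LDAP group. The attribute name “eduPersonAffiliation” comes from the post; the role names and realm are made up.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, in the shape Keycloak emits with "Single Role Attribute" = On:
# one Attribute element carrying every role as a separate AttributeValue.
ASSERTION_SINGLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>guacamole-users</saml:AttributeValue>
      <saml:AttributeValue>default-roles-myrealm</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same roles with "Single Role Attribute" = Off: one Attribute element per role.
ASSERTION_MULTI = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>guacamole-users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>default-roles-myrealm</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def role_values(assertion_xml: str, attr_name: str) -> set[str]:
    """Collect every value of attr_name, whichever of the two shapes Keycloak used."""
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        for v in attr.findall("saml:AttributeValue", NS):
            if v.text and v.text.strip():
                values.add(v.text.strip())
    return values

def access_allowed(assertion_xml: str, required_role: str,
                   attr_name: str = "eduPersonAffiliation") -> bool:
    """SP-side gate: allow only if the role mapped from the LDAP group is present."""
    return required_role in role_values(assertion_xml, attr_name)

if __name__ == "__main__":
    print(role_values(ASSERTION_SINGLE, "eduPersonAffiliation"))
    print(access_allowed(ASSERTION_MULTI, "guacamole-users"))
```

An SP that only reads the first Attribute element with a given Name would miss roles in the second shape, which is why Step 3 turns “Single Role Attribute” on.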
Other useful links
Nice description of how to add SAML auth to Apache Guacamole (and how to debug errors): https://blog.daniel.wydler.eu/2023/04/16/saml-authentifizierung-fuer-apache-guacamole
SAML Decoder: https://www.samltool.com/decode.php