Last modified by Johannes Wielsch on 2020/09/04 05:30

(% class="box infomessage" %)
(((
Aim: map LDAP groups in Keycloak and push them to XWiki.
)))

Remember: groups are created in XWiki the first time a user logs in; there is no real synchronisation. On every login, however, the user's current LDAP membership is carried to XWiki in the groups claim of the Keycloak login token, so a change made in LDAP (including removal from a group) only reaches XWiki the next time that user logs in. In XWiki you can then assign rights to the pushed LDAP-Keycloak-XWiki groups.

Follow these steps:

* Open the Keycloak admin console at [[https:~~/~~/KEYCLOAK_ADDRESS/auth/admin/>>https://KEYCLOAK_ADDRESS/auth/admin/]] and log in with admin credentials.
* First of all you need an LDAP provider that fetches the users and groups from LDAP.
* Click on User Federation in the left panel.
* If no LDAP provider exists yet, go to add provider 1). (There is no documentation for this step.)

* After creating the LDAP provider, click on ldap 2)(((
{{image reference="2020-09-02 19_48_04-Einstellungen.png" width="650"/}}

// Keycloak Admin Interface - Overview of the user federation provider list//

)))

* Click on Mappers 1) and look for a groups mapper 2). If it is missing, click on Create 3)(((
{{image reference="2020-09-02 19_48_53-Einstellungen.png" width="650"/}}

// Keycloak Admin Interface - List of mappers of a Keycloak user federation provider. Here: ldap//

)))

* Choose the mapper type 1) "group-ldap-mapper" and fill in the values from your LDAP configuration (groups DN, group name attribute, group object classes and membership attribute)(((
{{image reference="2020-09-02 19_52_52-Einstellungen.png" width="650"/}}

// Keycloak Admin Interface - Adding a user federation mapper. Here: groups mapper.//

)))

* Afterwards click on Save and move on to Client Scopes 1) in the left panel. Look for a groups scope 2). If it does not exist, create one 3)(((
{{image reference="2020-09-02 19_53_30-Einstellungen.png" width="650"/}}

// Keycloak Admin Interface - List of globally available client scopes//

)))

* Choose the following configuration (name and protocol) for the groups scope and click on Save.(((
{{image reference="2020-09-02 19_54_21-Einstellungen.png" width="650"/}}

// Keycloak Admin Interface - Adding a groups scope in Keycloak. Here: part one, the name and protocol. //

)))

* Move on to the Mappers tab 1) and click on Add Builtin 2). The aim is to have a groups mapper 3)(((
{{image reference="2020-09-02 19_55_25-Einstellungen.png" width="650"/}}

// Keycloak Admin Interface - Adding a groups scope in Keycloak. Here: part two, the list of mappers. //

)))

* Choose the groups mapper 1) from the list and click on Save. (The Save button is at the end of the list, outside the picture.)(((
{{image reference="2020-09-02 19_56_08-Keycloak Admin Konsole und 2 weitere Seiten - Persönlich – Microsoft​ Edge.png" width="650"/}}

// Keycloak Admin Interface - Adding a groups scope in Keycloak. Here: part three, the built-in mappers to choose and add. //

)))

* Go to Clients 1) and choose your XWiki client ID 2), which you created while adding Keycloak as authentication provider. Choose the tab Client Scopes (number missing in the picture) and add the new groups scope 3) to the Assigned Default Client Scopes 5) with the button 4). As a default scope it is included in every token issued to the XWiki client, so XWiki does not have to request it explicitly.(((
{{image reference="2020-09-02 20_21_32-Clipboard.png" width="650"/}}

// Keycloak Admin Interface - Enabling the newly created groups scope for the XWiki client.//

)))

* Test it by clicking on Evaluate 3), choose the user 4), click Evaluate 5) and move to the tab Generated Access Token 6). Groups should be listed in the client scopes 7), and the list of groups should be visible in the token, too 8). If the groups claim is missing, check that the scope really is an assigned default scope of the client and that the chosen user is a member of at least one mapped LDAP group.(((
{{image reference="2020-09-02 19_58_36-Einstellungen.png" width="650"/}}

// Keycloak Admin Interface - Evaluate the newly assigned groups scope and test whether groups are sent with the token.//
)))

* Done, if I remember the steps correctly.
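The same procedure, scripted against the Keycloak Admin REST API so it can be repeated and reviewed. This is an added example and not code from the original page or from Keycloak; the REST paths, the "group-ldap-mapper" and "oidc-group-membership-mapper" provider ids and their config keys are those the admin console itself saves, while the realm name, the groups DN and LDAP attribute names, the environment variable names and the claim name "groups" are assumptions to adapt. The last function repeats the check from the Evaluate step on a token: it decodes the payload and fails loudly when the groups claim is absent, which is the symptom of a scope that was never assigned to the client. The sample token it runs on is constructed inline and unsigned.

```python
"""Added example (not from the original page): script the Keycloak steps above through the
Admin REST API and check a resulting token for the groups claim, as the Evaluate tab does."""
import base64
import json
import os
import urllib.request

REALM = "xwiki"                              # assumed realm name
GROUPS_DN = "ou=groups,dc=example,dc=com"    # assumed LDAP layout
CLAIM_NAME = "groups"                        # assumed claim name; XWiki's OIDC side must read the same one


def ldap_group_mapper(ldap_provider_id: str, groups_dn: str) -> dict:
    """The 'group-ldap-mapper' attached to the LDAP user federation provider
    (POST /admin/realms/{realm}/components). Attribute names fit a groupOfNames directory
    and are assumptions; the Admin API wants every component config value as a list."""
    return {
        "name": "groups",
        "providerId": "group-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "parentId": ldap_provider_id,
        "config": {
            "groups.dn": [groups_dn],
            "group.name.ldap.attribute": ["cn"],
            "group.object.classes": ["groupOfNames"],
            "membership.ldap.attribute": ["member"],
            "membership.attribute.type": ["DN"],
            "mode": ["READ_ONLY"],  # LDAP stays the source of truth; Keycloak never writes groups back
            "drop.non.existing.groups.during.sync": ["true"],  # groups deleted in LDAP vanish from Keycloak
        },
    }


def groups_client_scope(claim_name: str) -> tuple:
    """The 'groups' client scope plus the built-in Group Membership protocol mapper
    (oidc-group-membership-mapper) that writes the user's groups into the tokens."""
    scope = {"name": "groups", "protocol": "openid-connect"}
    mapper = {
        "name": "groups",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-group-membership-mapper",
        "config": {                       # protocol mapper config values are plain strings
            "claim.name": claim_name,
            "full.path": "false",         # 'wiki-admins' rather than '/org/wiki-admins'
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true",
        },
    }
    return scope, mapper


def configure_keycloak(send, realm: str, ldap_provider_id: str, xwiki_client_uuid: str) -> str:
    """Issue the Admin API calls in the order of the UI steps. `send(method, path, body)` returns
    the id of a newly created object (taken from the Location header) or None."""
    send("POST", f"/admin/realms/{realm}/components", ldap_group_mapper(ldap_provider_id, GROUPS_DN))
    scope, mapper = groups_client_scope(CLAIM_NAME)
    scope_id = send("POST", f"/admin/realms/{realm}/client-scopes", scope)
    send("POST", f"/admin/realms/{realm}/client-scopes/{scope_id}/protocol-mappers/models", mapper)
    # A *default* client scope: every token for the XWiki client carries the claim unrequested.
    send("PUT", f"/admin/realms/{realm}/clients/{xwiki_client_uuid}/default-client-scopes/{scope_id}", None)
    return scope_id


def make_sender(base_url: str, admin_token: str):
    """Real transport for configure_keycloak(); base_url like https://KEYCLOAK_ADDRESS/auth."""
    def send(method, path, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method, headers={
            "Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            location = resp.headers.get("Location")
            return location.rsplit("/", 1)[-1] if location else None
    return send


def groups_from_token(token: str, claim_name: str = CLAIM_NAME) -> list:
    """Read the groups claim from a JWT, as shown under 'Generated Access Token'. This only
    decodes and does NOT verify the signature: use it on tokens your OIDC client has verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    groups = claims.get(claim_name)
    if not isinstance(groups, list):
        raise ValueError(f"no '{claim_name}' claim: is the groups scope a default scope of the client?")
    return groups


def demo_token(groups: list) -> str:
    """Constructed, unsigned sample token for offline use; the signature part is a dummy."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc({'preferred_username': 'alice', CLAIM_NAME: groups})}.sig"


if __name__ == "__main__":
    print(groups_from_token(demo_token(["wiki-admins", "wiki-editors"])))  # offline check
    if os.environ.get("KC_ADMIN_TOKEN"):  # only talks to a server when explicitly configured
        sender = make_sender(os.environ["KC_BASE_URL"], os.environ["KC_ADMIN_TOKEN"])
        configure_keycloak(sender, REALM, os.environ["KC_LDAP_PROVIDER_ID"], os.environ["KC_XWIKI_CLIENT_UUID"])
```

The provider id and client UUID are the internal ids shown in the console URLs, not the display names. READ_ONLY mode and drop.non.existing.groups.during.sync keep Keycloak from becoming a second, diverging copy of the directory; whatever claim name you choose here is the one the XWiki OIDC configuration has to read, and nothing in Keycloak will warn you if the two disagree.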
