Post-Install KeyCloak Setup and LDAP Configuration
In the KeyCloak admin console, make sure you are in the correct Realm.
- Add LDAP user federation provider
  - Import Users: Off
  - Edit Mode: READ_ONLY
  - Vendor: Active Directory
  - Username LDAP attribute: sAMAccountName
  - Connection URL: ldap://myad.mycom.com
  - Users DN: CN=Users,DC=myad,DC=ds,DC=mycom,DC=com
  - Authentication Type: simple
  - Bind DN: cn=et_ose,cn=users,dc=myad,dc=ds,dc=mycom,dc=com
  - Bind Credential: xxx
- Create new `given name` under LDAP Mappers (optional)
  - Name: given name
  - Mapper Type: user-attribute-ldap-mapper
  - User Model Attribute: firstName
  - LDAP Attribute: givenName
  - Read Only: On
- Create new `telephone number` under LDAP Mappers (optional)
  - Name: telephone number
  - Mapper Type: user-attribute-ldap-mapper
  - User Model Attribute: telephoneNumber
  - LDAP Attribute: telephoneNumber
  - Read Only: On
- Create new `roles` under LDAP Mappers
  User Federation > Ldap > LDAP Mappers > Create LDAP mapper
  - Name: roles
  - Mapper Type: role-ldap-mapper
  - LDAP Roles DN: cn=Users,dc=myad,dc=ds,dc=mycom,dc=com
  - Role Name LDAP Attribute: cn
  - Role Object Classes: group
  - Membership LDAP Attribute: member
  - Membership User LDAP Attribute: sAMAccountName
  - LDAP Filter: (&(objectCategory=Group)(cn=IMP_GROUP_*))
  - Member-Of LDAP Attribute: memberOf
  - Client ID: ngxweb (optional)
- Add new `telephone number` to the `ngxweb` client Mappers (optional)
  Clients > ngxweb > Mappers > telephone number
  - Name: telephone number
  - Mapper Type: User Attribute
  - User Attribute: telephoneNumber
  - Token Claim Name: telephone_number
  - Claim JSON Type: String
- Add `NGX_ADMIN To Admin` to the `ngxweb` client Mappers (optional)
  Clients > ngxweb > Mappers > my_group to admin
  - Name: NGX_ADMIN to admin
  - Mapper Type: Role Name Mapper
  - Role: NGX_ADMIN
  - New Role Name: ROLE_ADMIN
- Add `groups` to the `ngxweb` client Mappers (optional)
  k8s is configured to read groups from the ID_TOKEN/ACCESS_TOKEN, so create a `groups` claim.
  Clients > ngxweb > Mappers > groups
  - Name: groups
  - Mapper Type: User Realm Role
  - Realm Role prefix: (keep empty)
  - Multivalued: On
  - Token Claim Name: groups
  - Claim JSON Type: String
  - Add to ID token: On
  - Add to access token: On
  - Add to userinfo: Off
- Enable `Remember Me` for the `Ngx` realm
  Realm Settings > logins
  - Remember Me: On
- Turn off `Full Scope Allowed` (this step is not needed, it is buggy)
  Under Clients > ngxweb > Scope, turn off `Full Scope Allowed` for the `ngxweb` client and select a few Realm Roles.
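Once the `ngxweb` client mappers above are in place, the quickest check is to decode an issued ID token and confirm it actually carries the `groups` list, the `telephone_number` claim and `ROLE_ADMIN` instead of `NGX_ADMIN`. The script below is an added example, not part of these notes or of Keycloak: it assumes the standard Keycloak claim layout (`realm_access.roles` and `resource_access.<client>.roles`), the token it parses is a constructed sample with a placeholder signature, and it only inspects claims, it does not validate the token.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is not checked
    here: this inspects mapper output, the relying party still validates the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def _all_roles(claims: dict) -> set:
    # realm roles plus the client roles of every client listed in resource_access
    roles = set(claims.get("realm_access", {}).get("roles", []))
    for client in claims.get("resource_access", {}).values():
        roles.update(client.get("roles", []))
    return roles

def check_mapper_claims(claims: dict) -> list:
    """List what is missing compared with the ngxweb mappers; empty means all present."""
    problems = []
    if not isinstance(claims.get("groups"), list):
        problems.append("groups: missing or not multivalued")
    if not isinstance(claims.get("telephone_number"), str):
        problems.append("telephone_number: missing")
    roles = _all_roles(claims)
    if "NGX_ADMIN" in roles and "ROLE_ADMIN" not in roles:
        problems.append("NGX_ADMIN still present, role name mapper not applied")
    return problems

# Constructed sample: claims shaped like the ngxweb mappers would emit them,
# joined with a placeholder signature so the string parses as a compact JWT.
SAMPLE_CLAIMS = {
    "groups": ["ROLE_ADMIN", "offline_access"],
    "telephone_number": "+1 555 0100",
    "resource_access": {"ngxweb": {"roles": ["ROLE_ADMIN"]}},
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])
```

Run `check_mapper_claims(jwt_claims(token))` against a real token copied from the browser or the token endpoint; a non-empty list names the mapper that did not apply.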
- How do I ask questions about KeyCloak? Is there a mailing list?
  http://lists.jboss.org/pipermail/keycloak-user/
- How to use a script mapper?
  How can I map the first role from the list of client roles to a field named "role" in the id token?

  ```javascript
  // Keycloak script mapper: `realm` and `user` are bindings supplied by the mapper runtime.
  function logic() {
      var clients = realm.getClients();
      var currentClient = null;
      for (var i = 0; i < clients.size(); i++) {
          // here replace rolemaptest with your client name
          if (clients.get(i).getClientId() === 'rolemaptest') {
              currentClient = clients.get(i);
              break;
          }
      }
      if (currentClient === null) {
          return 'cant find current client';
      }
      // getClientRoleMappings returns a Set object which needs to be converted to an array.
      // Otherwise it just returns a list of nulls.
      var userRolesInClient = user.getClientRoleMappings(currentClient).toArray();
      // var userRolesInClient = user.getRoleMappings().toArray();
      if (userRolesInClient.length === 0) {
          return '';
      }
      // the value returned by the script becomes the claim value
      return userRolesInClient[0].getName();
  }
  logic();
  ```
- How to make a REST call to KeyCloak?

  ```bash
  # obtain an admin access token from the admin-cli client (password grant)
  curl -d "client_id=admin-cli" -d "username=admin" -d "password=admin" \
       -d "grant_type=password" \
       "http://localhost:9080/auth/realms/master/protocol/openid-connect/token"

  # list the users of the master realm with the token returned above
  curl -H "Authorization: Bearer eyJh........MY3g" \
       "http://localhost:9080/auth/admin/realms/master/users"

  # trigger a sync of one user-storage mapper from LDAP into Keycloak
  curl -X POST -H "Authorization: Bearer eyJh........MY3g" \
       "https://localhost:8080/auth/admin/realms/ngx/user-storage/2f63c117-9f99-4cb4-bb8f-2ff748bbcadb/mappers/98972fa2-2055-4f98-a238-f0da7cfbe135/sync?direction=fedToKeycloak"
  ```
- Reload
  Log into the container, manually change standalone.xml, and then restart the server using the commands below:

  ```bash
  # from the host: find the keycloak pod and open a shell in it
  POD_NAME=$(kubectl get pods -lapp=keycloak -o jsonpath='{.items[0].metadata.name}')
  kubectl exec -it "$POD_NAME" -- /bin/bash

  # inside the pod shell
  cd /opt/jboss/keycloak/standalone/configuration
  # change in standalone.xml, standalone-ha.xml: userCache -> enabled="false"
  /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"
  # docker equivalent: docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"

  # back on the host: make a local copy of standalone.xml and standalone-ha.xml for the latest keycloak version
  kubectl cp "$POD_NAME":/opt/jboss/keycloak/standalone/configuration/standalone.xml /Developer/Work/SPA/ngx-starter-kit/.deploy/keycloak
  kubectl cp "$POD_NAME":/opt/jboss/keycloak/standalone/configuration/standalone-ha.xml /Developer/Work/SPA/ngx-starter-kit/.deploy/keycloak
  ```