Is it possible to assign group ID or name from Keycloak group attributes?

Hi,

I'm new to Camunda and use camunda-bpm-identity-keycloak to identify users. Is it possible to assign the group ID or name from Keycloak group attributes?

Hi @vincant
Welcome to the forum.

I don't have much experience with Keycloak, but hopefully if @VonDerBeck is around he can help answer this for you :slight_smile:

Hi @vincant

Please have a look at the configuration options section at https://github.com/camunda/camunda-bpm-identity-keycloak.

Generally, keep in mind that this is a read-only Identity Provider. It takes users as well as groups from Keycloak. So the groups of your users must be known to Keycloak. This is not managed by Camunda any more, but by Keycloak. This is just the same as using the LDAP Identity Provider.

You’re going to find several options for the user and for the group representation on the Camunda side:

User Options:

  • useUsernameAsCamundaUserId - Whether to use the Keycloak username attribute as Camunda's user ID. Default is false. In the default case the plugin will use the internal Keycloak ID as Camunda's user ID.
  • useEmailAsCamundaUserId - Whether to use the Keycloak email attribute as Camunda’s user ID. Default is false.

Group Options:

  • useGroupPathAsCamundaGroupId - Whether to use the Keycloak unique group path as Camunda's group ID. Default is false. In the default case the plugin will use the internal Keycloak ID as Camunda's group ID.

Why group path and not group name? The group path is equal to the group name in the case of top-level groups. But: in Keycloak you are able to define group hierarchies. Group names must only be unique with respect to their parent. This means you can have 2 different groups in Keycloak with the same group name if they belong to different parents. This is why on the Camunda side we use the group path: the path is unique, but the name is not.

Does that help?

Kind regards
Gunnar


Thanks for your response.
My LDAP group has the attribute cn as ID and description as display name. In Keycloak, cn will be the group path and the group will have the attribute description. I then want to map the ID to the Camunda group ID and the description to the Camunda group name.

Hi @vincant

The Keycloak Identity Provider maps groups as follows:

  • Camunda group ID - depending on your configuration either the Keycloak internal ID or the group path
  • Camunda group name - the Keycloak group name. This is not configurable.

Keep in mind that Keycloak's Admin REST API does deliver group attributes in some cases (e.g. when requesting the data of a single group!), but not consistently (e.g. not when requesting a list of groups). Hence there is no room for further configuration or freedom to implement optional different mappings involving special attributes on the Identity Provider side. Camunda group names will always be equal to Keycloak group names.

Everything else is part of Keycloak, in your case the LDAP user federation and its group mapping from LDAP/Active Directory to Keycloak attributes. To be honest, I don't know if your scenario is possible with Keycloak. If you find a way to do that within Keycloak's LDAP group mapping, feel free to share your config :slight_smile:.

Kind regards
Gunnar
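The mapping rules from the two answers above (group ID = Keycloak internal ID or group path depending on useGroupPathAsCamundaGroupId, group name = Keycloak group name) and the reason the plugin never uses the group name as ID, as an added example that is not part of the thread or of the camunda-bpm-identity-keycloak plugin. The nested group tree below is constructed to mimic what Keycloak's Admin REST API returns for groups (id, name, path, subGroups) and deliberately contains two groups named "admins" under different parents.

```python
# Added example (not the plugin's code): flatten a Keycloak group tree into the
# Camunda (group ID -> group name) mapping and show why names cannot be IDs.

# Constructed sample in the shape of Keycloak GroupRepresentation objects.
KEYCLOAK_GROUPS = [
    {"id": "1111-aaaa", "name": "finance", "path": "/finance", "subGroups": [
        {"id": "2222-bbbb", "name": "admins", "path": "/finance/admins", "subGroups": []},
    ]},
    {"id": "3333-cccc", "name": "hr", "path": "/hr", "subGroups": [
        {"id": "4444-dddd", "name": "admins", "path": "/hr/admins", "subGroups": []},
    ]},
]


def flatten_groups(groups):
    """Depth-first walk over the nested subGroups, yielding every group once."""
    for group in groups:
        yield group
        yield from flatten_groups(group.get("subGroups", []))


def camunda_group_mapping(groups, id_source="id"):
    """Build {camunda_group_id: camunda_group_name}.

    id_source "id"   -> Keycloak internal ID (plugin default)
    id_source "path" -> useGroupPathAsCamundaGroupId=true
    id_source "name" -> hypothetical, shown only to demonstrate the collision
    The Camunda group name is always the Keycloak group name.
    """
    mapping = {}
    for group in flatten_groups(groups):
        camunda_id = group[id_source]
        if camunda_id in mapping:
            # Two Keycloak groups would map onto one Camunda group ID.
            raise ValueError(f"duplicate Camunda group ID {camunda_id!r}")
        mapping[camunda_id] = group["name"]
    return mapping


def duplicate_group_names(groups):
    """Return {name: [paths]} for names that occur under more than one parent."""
    paths_by_name = {}
    for group in flatten_groups(groups):
        paths_by_name.setdefault(group["name"], []).append(group["path"])
    return {n: p for n, p in paths_by_name.items() if len(p) > 1}


if __name__ == "__main__":
    print(camunda_group_mapping(KEYCLOAK_GROUPS, "path"))
    print(duplicate_group_names(KEYCLOAK_GROUPS))
```

Running it with id_source="name" raises the ValueError for "admins", which is exactly the ambiguity the path-based ID avoids.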