How can i restrict client access to only one group of users in keycloak?

single-sign-on saml keycloak idp
lukasell picture lukasell · Jan 22, 2019 · Viewed 14.1k times · Source

I have a client in keycloak for my awx(ansible tower) webpage. I need only the users from one specific keycloak group to be able to log in through this client.

How can I forbid all other users(except from one particular group) from using this keycloak client?

Answer

Cyril Dangerville picture Cyril Dangerville · Jan 26, 2019

On Keycloak admin console, go to Clients menu, select your client. On the client configuration page, set Authorization Enabled: On, click Save. A new Authorization tab should appear, go to it, then to the Policies tab underneath, click Create Policy and select Group-based policy. There, you can restrict access to specific groups, assuming you have defined your groups via the Groups menu already.

--EDIT 2019-11-08--

As mentioned in comments, Client Protocol must be set to openid-connect and Access Type must be set to confidential, in order to make the Authorization Enabled option visible.

Related questions

SSO with SAML, Keycloak and Nextcloud

I am trying to setup Keycloak as a IdP (Identity Provider) and Nextcloud as a service. I want to setup Keycloak as to present a SSO (single-sign-on) page. I am running a Linux-Server with a Intel compatible CPU. What is …

Read More
What are the different NameID format used for?

In SAML metadata file there are several NameID format defined, for example: <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat> <NameIDFormat>urn:oasis:…

Read More
What is exactly RelayState parameter used in SSO (Ex. SAML)?

I am trying to understand SSO using SAML. I have come across the RelayState parameter and am very confused exactly why it comes first in SSO to send encoded URLs? What exactly does it mean? Please read the following from …

Read More