docs: How to sync groups
parent
6253a1bb8e
commit
1e01d7cddb
1 changed files with 6 additions and 0 deletions
|
@ -17,6 +17,12 @@ Change the Postgres and Keycloak version in your `.env` file and run `docker com
|
||||||
|
|
||||||
The Keycloak configuration is not quite straight forward, which is why the following section contains some configuration examples. It is recommended to create a custom realm first instead of simply using the master realm.
|
The Keycloak configuration is not quite straight forward, which is why the following section contains some configuration examples. It is recommended to create a custom realm first instead of simply using the master realm.
|
||||||
|
|
||||||
|
## Map groups to OIDC claims
|
||||||
|
|
||||||
|
To handle authorization centrally, groups can be created and assigned directly in Keycloak. Those groups are not sent to the OIDC client by default. To enable such functionality, create a new client scope named `groups`. For this scope, add a new mapper ('By Configuration') and select 'Group Membership'. Give it a descriptive name and set the token claim name to `groups`.
|
||||||
|
|
||||||
|
For each client that relies on those group, explicitly add the `groups` scope to client scopes. The groups will now be sent to client upon request.
|
||||||
|
|
||||||
### Enforcing 2FA
|
### Enforcing 2FA
|
||||||
|
|
||||||
In the realm management console under `Authentication > Required Actions` certain actions can be enabled and set to be the default action. Useful defaults might be to enforce `Configure OTP`, `Update Password`, `Update Profile` and `Verify Email`.
|
In the realm management console under `Authentication > Required Actions` certain actions can be enabled and set to be the default action. Useful defaults might be to enforce `Configure OTP`, `Update Password`, `Update Profile` and `Verify Email`.
|
||||||
|
|
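Review bot: The second added paragraph ("For each client that relies on those group, explicitly add the `groups` scope to client scopes. The groups will now be sent to client upon request.") does not say whether the scope should be assigned as a default or an optional client scope, and "upon request" reads as if the claim only appears when the client asks for the `groups` scope. Since the section is about handling authorization centrally, state which assignment type is intended and that a client which does not request the scope gets tokens without the `groups` claim. In the same paragraph, "those group" should be "those groups" and "sent to client" should be "sent to the client". The new heading is `## Map groups to OIDC claims` while the following context heading is `### Enforcing 2FA`, so the 2FA section now nests under the group-mapping section; use `###` for the new heading if the two are meant to be siblings.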