Keycloak: sync UCS groups


I want to sync the groups from UCS LDAP to the Keycloak app.

I found the How-To: Sync Groups Beneath OUs To Keycloak which suggests that there should be a mapper “univention-groups”. But I don’t have such a mapper. Is that correct in a newly installed environment or is something broken with my Keycloak installation?

On the other hand there is documentation 4. Configuration — Univention Keycloak app manual 24.0.3 on how to create a mapper. Should I just follow that one?

Thanks for clarifying and your help!

I have already written a howto for this on my website.
You should be successful with that.

Thanks a lot for your reply and your fantastic howto!

I managed to configure everything with it and I understand that I needed to create the group mapper myself.

One thing, though: the evaluation of user rights in Kleycloak works well, dependent on group membership a user is permitted or declined. But nevertheless, every user is able to login to my web app - in contrast to the evaluation in Keycloak. Do you have an idea, what the reason could be?

I’ve tested it again, and if evaluate the user with keycloak i get ein “permission denied”. But yes i also can login on the proxmox webinterface. Looks like something has changed with the latest Keycloak updates. I see a big security issue there!

In Proxmox I was able to work around the problem by disabling “auto-create user”.

Its not a bug its a feature. Keycloak is not designed for authorization only for authentification. If you login in one service via sso and switch to the service you permitted the acces to (with your way), you will always be able to login (except disable autocreate new users).

But there is a work around implemented by univention: 4. Configuration — Univention Keycloak app manual 24.0.5

1 Like

Nice, i must check this doc snippet…