1
0
mirror of https://github.com/Unleash/unleash.git synced 2024-10-28 19:06:12 +01:00
unleash.unleash/website/docs/how-to/how-to-setup-sso-keycloak-group-sync.md

109 lines
4.7 KiB
Markdown
Raw Normal View History

---
title: 'How to set up Keycloak and Unleash to sync user groups'
---
2024-09-20 17:37:10 +02:00
:::note Availability
**Plan**: [Enterprise](https://www.getunleash.io/pricing) | **Version**: `4.18+`
:::
In this guide, we will setup OIDC Single Sign-On (SSO) in Keycloak and configure Unleash to automatically sync user group membership from Keycloak.
## Prerequisites
The steps in this guide assume you have admin access to a running Unleash instance and to a running Keycloak instance.
## Keycloak Configuration
### Step 1: Navigate to Create Client {#keycloak-step-1}
Open the Keycloak admin dashboard, navigate to clients and select "Create Client".
![The Keycloak Admin UI with the steps highlighted to navigate to client configuration.](/img/setup-keycloak-sync-1.png)
### Step 2: Create an Unleash Client {#keycloak-step-2}
Select "OpenID Connect" as the client type and give your client a name, then save your configuration.
![The Keycloak Admin UI with the client configuration open.](/img/setup-keycloak-sync-2.png)
### Step 3: Set a redirect URI {#keycloak-step-3}
Set the redirect URI to:
`<base-url>/auth/oidc/callback`
For a hosted Unleash instance this becomes:
`https://<region>.app.unleash-hosted.com/<instance-name>/auth/oidc/callback`
Save your configuration.
![The Keycloak client configuration with redirect URIs highlighted.](/img/setup-keycloak-sync-3.png)
### Step 4: Copy your client secret {#keycloak-step-4}
Navigate to "Credentials" and copy your client secret. You'll need to add this to the Unleash configuration later, so put it somewhere you'll be able to find it.
![The Keycloak credentials configuration with copy client secret highlighted.](/img/setup-keycloak-sync-4.png)
### Step 5: Copy your OpenID endpoint configuration {#keycloak-step-5}
Navigate to your realm settings and copy the link to OpenID endpoint configuration. You'll need to add this to the Unleash configuration later.
![The Keycloak realm settings the OpenID endpoint configuration link highlighted.](/img/setup-keycloak-sync-5.png)
### Step 6: Create a new Client Scope and Map Groups {#keycloak-step-6}
Navigate to the "Client Scopes" page and select "Create Client Scope".
![The Keycloak Client Scopes page with the Create Client Scope button highlighted.](/img/setup-keycloak-sync-6.png)
Give your new scope a name. Set the type to "Optional". Make sure the protocol is set to "OpenID Connect" and the "Include in Token Response" option is enabled. Save your new scope.
![The Keycloak Add Client Scope page with the Name, Type, Protocol and Include in Token Response fields highlighted.](/img/setup-keycloak-sync-7.png)
Navigate to the Mappers tab and select "Configure new Mapper".
![The Keycloak Client Scope details page with the Mappers tab and Configure new Mapper element highlighted.](/img/setup-keycloak-sync-8.png)
Select the Group Membership mapper.
![The Keycloak mapper popup with the Group Membership mapper highlighted.](/img/setup-keycloak-sync-9.png)
Give your mapper a claim name, this must match the "Group Field JSON Path" in Unleash, and turn off the "Full group path" option.
![The Keycloak mapper options screen with the Token Claim Name and Full Group Path elements highlighted.](/img/setup-keycloak-sync-10.png)
## Unleash Configuration
### Step 1: Navigate to the Unleash SSO Configuration {#unleash-step-1}
Log in to Unleash as an admin user and navigate to the SSO configuration. Input your Client Secret (copied in step 3 of the Keycloak configuration), your Discover URL (copied in step 4 of the Keycloak configuration), and the Client ID (from step 2 of the Keycloak configuration).
![The Unleash SSO configuration screen with Client ID, Client Secret and Discover URL highlighted.](/img/setup-keycloak-sync-11.png)
### Step 2: Enable Group Syncing {#unleash-step-2}
Turn on Group Syncing and set a value for "Group Field JSON Path". This must match the value in claim name in Keycloak exactly. Save your configuration.
![The Unleash SSO configuration screen with the Enable Group Syncing and Group Field JSON Path highlighted.](/img/setup-keycloak-sync-12.png)
### Step 3: Enable Group Syncing for your Group {#unleash-step-3}
Navigate to Groups and select the group that you want to sync.
![The Groups page with a group element highlighted.](/img/setup-keycloak-sync-13.png)
Edit the group.
![The Group page with the Edit group element highlighted.](/img/setup-keycloak-sync-14.png)
Add as many SSO groups as you like. These need to match the Keycloak groups exactly.
![The edit group page with the add SSO group element highlighted.](/img/setup-keycloak-sync-15.png)
Save your configuration. Once a user belonging to one of these Keycloak groups logs in through SSO, they'll be automatically added to this Unleash group.