OpenID Connect Authenticator keycloak group synchronisation to xwiki groups

The environment that we have setup is this:

  • Keycloak with one realm with all users from several companies
  • XWiki with subwikis
  • OpenID integration between XWiki and Keycloak

What I would like is that users in a subwiki are automatically recognized by their company domain (email), i.e. by using a filter. I know such a thing exists with the LDAP configuration.

Is this possible, or do I have to go the way of using Keycloak user groups and map the users that way to XWiki?

There is no equivalent to xwiki.authentication.ldap.remoteUserMapping in the OIDC authenticator if that’s what you have in mind. So yes, the only way to have a user end up in a specific XWiki group automatically is for this group to be mapped with an OIDC provider side group this user is part of.

Ok, thanks.

Some questions to get that working. The users do not appear now in my XWiki group.

  1. Do I have to map Keycloak group on a local group or on global group? I have now made both.
  2. I have used this configuration. And have named it this way in Keycloak and XWiki:
    oidc.groups.mapping=41ca13be-83bc-4444-8bd1-454f215dd1a3=41ca13be-83bc-4444-8bd1-454f215dd1a3

This is my oidc logging (except URLs and secrets):

oidc.scope=openid,profile,email,address
oidc.endpoint.userinfo.method=GET
oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
oidc.user.subjectFormater=${oidc.user.subject}
#oidc.groups.claim=xwiki_groups
oidc.groups.mapping=41ca13be-83bc-4444-8bd1-454f215dd1a3=41ca13be-83bc-4444-8bd1-454f215dd1a3
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
# oidc.groups.allowed=
# oidc.groups.forbidden=
oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype

Do you have a suggestion what to do to get this working?

Seems to work now. It was a strange slash in our group names in Keycloak.

Here are the changed parts:

oidc.scope=openid,profile,email,address,xwiki_groups
oidc.endpoint.userinfo.method=GET
oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
oidc.user.subjectFormater=${oidc.user.subject}
oidc.groups.claim=xwiki_groups
oidc.groups.mapping=41ca13be-83bc-4444-8bd1-454f215dd1a3=/41ca13be-83bc-4444-8bd1-454f215dd1a3
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
# oidc.groups.allowed=
# oidc.groups.forbidden=
oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype,xwiki_groups

Btw: the groups are not automatically created, but the mapping is done on that guid thing.
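To make the slash issue from this thread concrete, here is an added example (not code from the XWiki OIDC authenticator, and not part of the original posts) that models how repeated `oidc.groups.mapping` lines turn the `xwiki_groups` userinfo claim into XWiki group membership, and reports claim values that no mapping matched. The `USERINFO` document and the two config snippets are constructed; the assumption is that Keycloak's group-membership mapper returns the full group path, so the claim value carries a leading slash.

```python
"""Model of oidc.groups.claim / oidc.groups.mapping resolution (added example,
not the authenticator's own code)."""
from typing import Dict, List, Set, Tuple

KEYCLOAK_GROUP = "41ca13be-83bc-4444-8bd1-454f215dd1a3"

# Constructed userinfo response: the Keycloak group mapper emits the full
# group path, so the membership value starts with "/".
USERINFO = {"preferred_username": "alice", "xwiki_groups": ["/" + KEYCLOAK_GROUP]}

# Constructed configs, reduced to the lines that matter in the thread.
CONFIG_NO_SLASH = f"""
oidc.groups.claim=xwiki_groups
oidc.groups.mapping={KEYCLOAK_GROUP}={KEYCLOAK_GROUP}
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
"""
CONFIG_WITH_SLASH = f"""
oidc.groups.claim=xwiki_groups
oidc.groups.mapping={KEYCLOAK_GROUP}=/{KEYCLOAK_GROUP}
"""


def parse_config(text: str) -> Tuple[str, Dict[str, Set[str]]]:
    """Return (claim name, {provider group: {xwiki groups}}) from properties text.
    Lines starting with '#' are comments; the mapping key may be repeated, and
    each value has the form <xwiki group>=<provider group>."""
    claim = ""
    mapping: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "oidc.groups.claim":
            claim = value
        elif key == "oidc.groups.mapping" and "=" in value:
            xwiki_group, provider_group = value.split("=", 1)
            mapping.setdefault(provider_group, set()).add(xwiki_group)
    return claim, mapping


def resolve_groups(text: str, userinfo: dict) -> Tuple[List[str], List[str]]:
    """Return (XWiki groups the user lands in, claim values with no mapping)."""
    claim, mapping = parse_config(text)
    claimed = userinfo.get(claim, []) if claim else []
    granted: Set[str] = set()
    unmapped: List[str] = [g for g in claimed if g not in mapping]
    for provider_group in claimed:
        granted.update(mapping.get(provider_group, set()))
    return sorted(granted), sorted(unmapped)
```

Running `resolve_groups` with both configs shows the no-slash mapping granting nothing while reporting the claimed `/<guid>` value as unmapped, which is the check to run first when users fail to land in a mapped group.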