KeyCloak LDAP Role mapper with AD groups - active-directory

I have a KeyCloak LDAP federation question.
Using LDAP Federation I am trying to map specific AD groups to one specific KeyCloak role.
Example
Fido belongs to the AD Group "Dogs"
(LDAP:memberOf:cn=dogs,cn=users,dc=test,dc=com)
Fluffy belongs to the AD Group "Cats"
(LDAP:memberOf:cn=cats,cn=users,dc=test,dc=com)
I can get LDAP Federation to create the "cats" and "dogs" roles but what I really want to do in keycloak is have a role called "animals" that both fluffy and fido are assigned to.
Is this possible using the role-ldap-mapper?
Is there another way to do this?

Is this possible using the role-ldap-mapper? Is there another way to do this?
First you need to map those groups "cats" and "dogs" from LDAP into roles in Keycloak; for that you can use the role-ldap-mapper. During the creation of those mappers, after saving, click on "Sync LDAP Roles to Keycloak".
After you have successfully imported those roles into Keycloak, for each of the imported roles (i.e., cat and dog):
Go to Roles;
Click on the role in question;
Switch "Composite Roles" to ON;
Select the role Animals (I am assuming that you have already created that role in Keycloak, otherwise do so);
Click on "Add selected".
Next time a user with the role Cats or Dogs from LDAP authenticates with Keycloak, the role Animals will show up in the token as well.
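The composite-role mechanism described in the answer, as an added example (not code from the answer or from Keycloak): it models the LDAP group-to-role mapping from the question, expands the roles a user ends up with (including the cycle case Keycloak allows), and builds the equivalent Admin REST calls to the documented `POST /admin/realms/{realm}/roles/{role-name}/composites` endpoint. Role ids and realm name are constructed values.

```python
import json
from urllib.parse import quote

# Constructed sample: LDAP group DN -> Keycloak role created by the role-ldap-mapper,
# mirroring the "cats"/"dogs" example from the question.
LDAP_GROUP_TO_ROLE = {
    "cn=dogs,cn=users,dc=test,dc=com": "dogs",
    "cn=cats,cn=users,dc=test,dc=com": "cats",
}

# Composite definition: each imported role gets "animals" as an associated role.
COMPOSITES = {"dogs": {"animals"}, "cats": {"animals"}}


def composite_requests(realm, composites, role_ids):
    """Build the Admin REST calls equivalent to the console steps above:
    POST /admin/realms/{realm}/roles/{role-name}/composites with a list of role
    representations. role_ids maps role name -> role id (in a real setup fetched
    with GET /admin/realms/{realm}/roles/{role-name}); ids here are constructed."""
    calls = []
    for role, children in sorted(composites.items()):
        body = [{"id": role_ids[c], "name": c} for c in sorted(children)]
        path = f"/admin/realms/{realm}/roles/{quote(role, safe='')}/composites"
        calls.append(("POST", path, json.dumps(body)))
    return calls


def effective_roles(member_of, ldap_map, composites):
    """Roles a user ends up with: LDAP groups -> mapped roles, then the transitive
    closure over associated roles. The visited set keeps the expansion finite even
    if an admin builds a cyclic composite (Keycloak does not forbid that)."""
    roles = {ldap_map[dn] for dn in member_of if dn in ldap_map}
    stack, seen = list(roles), set()
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(composites.get(role, ()))
    return seen


if __name__ == "__main__":
    fido = ["cn=dogs,cn=users,dc=test,dc=com"]
    print(sorted(effective_roles(fido, LDAP_GROUP_TO_ROLE, COMPOSITES)))  # ['animals', 'dogs']
```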

Related

Map groups to roles in Keycloak when using OIDC - Roles are not appending based on new Groups

I mapped AD groups to roles using Mappers. When I log in with a test user (with ADGroup1, ADGroup2),
in Keycloak the logged-in user's mapper roles (role1, role2) are assigned correctly.
When I remove the user from an AD group (-ADGroup2) in Azure, it deletes the role (-role2) in Keycloak after logging in again.
I tried to add the AD group (ADGroup2) back again. The role was not appended again; I see only role1.
Mapper is configured as below:
ADGroup1 ==> test_client.role1
ADGroup2 ==> test_client.role2
If I delete both AD groups, the user's roles are also deleted in Keycloak. Only appending is the problem.
Thank you for posting your query. This seems like a user data sync delay. Could you please try setting "Sync Mode Override" to "force"? This would update user data at each user login. Ref: https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/identity-broker/mappers.adoc
Thanks

Getting user role in Team or channel

I have a Microsoft Teams group tab and I'd like to implement a permission system in which users can do different things in the tab depending on their role in the team (or channel). The context I get from the Teams JavaScript API cannot be trusted, so I have to check group/team/channel role through the MS Graph API.
The only way I've found to check whether a user is an owner or only a member of a team is to call /teams/{groupId}/channels/{channelId}/members. In the response I can see which roles users have, and so I can find out if the current user has owner privileges.
The problem is that this endpoint requires admin consent (I guess because it displays data of other users). I'd like to avoid having to ask for admin consent, however. Is there another way of finding out about the role of a user in a team without admin consent? (As private channels behave differently in Teams, this would be the same as finding out about the role in a channel.)
I know that I can find out if a user is in a group through the optional group claims that are added to the ID token, but this doesn't include the role inside the group/team/channel.
To read a user's role in a channel currently requires admin consent; the permission needed is ChannelMember.Read.All, see the list conversation member documentation here. Admin consent is also required to get a member of a team or list members in a team. For your particular use case, I would recommend asking your admin to grant these permissions.

Add RoleAssignment to a Resource Group programmatically

I'm implementing an application in Java that has access to Azure via a service principal and that creates some Resource Groups.
I would like, given an AD Group Name specified via configuration, to add a specific Role Assignment for that AD Group to the Resource Groups.
Is it feasible via the Azure Java SDK or do I need to use REST APIs?
Which permissions does the service principal need to:
Read an AD group given its name
Assign a RolePermission to a newly created Resource Group for that AD Group
I need to ask our Active Directory team which permissions must be enabled for my service principal.
TIA
Best regards
I don't know if we can use the Java SDK to implement this requirement, but I know we can call the REST API to do it. Please refer to the steps below:
1. We need to get the id of the role definition by requesting this API: GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01
The URI parameter {scope} should be like /subscriptions/{your subscription id}/resourceGroups/{your resource group name}
For example, here I get the id of the "Contributor" role.
2. Then request this API: PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}?api-version=2015-07-01 to create the role assignment (assign the Contributor role for the resource group to your AD group).
The {scope} should be /subscriptions/{your subscription id}/resourceGroups/{your resource group name} and you can specify a {roleAssignmentName} as you like (it should be a valid GUID).
The request body should be like below:
{
  "properties": {
    "roleDefinitionId": "{the id of Contributor role which we get in step 1}",
    "principalId": "{the object id of your AD group}"
  }
}
3. After finishing the two API requests above, we can find that the AD group has been assigned the "Contributor" role for the resource group.
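The two-step flow above, as an added example that is not part of the answer: it builds the GET and PUT requests against the ARM endpoints and api-version quoted in the answer, picks the "Contributor" definition id out of a (constructed) roleDefinitions listing, and validates that the assignment name is a GUID before the PUT. Subscription id, group object id and role definition ids are constructed placeholders; sending the requests with an authenticated client is left to the caller.

```python
import json
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2015-07-01"  # the api-version used in the answer above


def scope(subscription_id, resource_group):
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def role_definitions_request(scope_path):
    """Step 1: list role definitions visible at this scope (GET, no body)."""
    return "GET", f"{ARM}{scope_path}/providers/Microsoft.Authorization/roleDefinitions?api-version={API_VERSION}"


def find_role_definition_id(listing, role_name):
    """Return the full id of the definition whose roleName matches (e.g. "Contributor").
    Raise instead of returning None so a typo can never assign the wrong role."""
    for item in listing.get("value", []):
        if item.get("properties", {}).get("roleName") == role_name:
            return item["id"]
    raise LookupError(f"role definition {role_name!r} not found at this scope")


def role_assignment_request(scope_path, role_definition_id, principal_id, assignment_name=None):
    """Step 2: PUT the assignment. The name must be a GUID; a fresh uuid4 is used when
    none is given. Returns (method, url, json_body) with the body shape from the answer."""
    name = assignment_name or str(uuid.uuid4())
    uuid.UUID(name)  # raises ValueError for anything that is not a valid GUID
    url = f"{ARM}{scope_path}/providers/Microsoft.Authorization/roleAssignments/{name}?api-version={API_VERSION}"
    body = {"properties": {"roleDefinitionId": role_definition_id, "principalId": principal_id}}
    return "PUT", url, json.dumps(body)


# Constructed sample: a trimmed roleDefinitions listing in the shape ARM returns.
SAMPLE_LISTING = {"value": [
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/aaaaaaaa-0000-0000-0000-000000000001",
     "properties": {"roleName": "Reader"}},
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/aaaaaaaa-0000-0000-0000-000000000002",
     "properties": {"roleName": "Contributor"}},
]}

if __name__ == "__main__":
    rg = scope("00000000-0000-0000-0000-000000000000", "my-rg")
    contributor = find_role_definition_id(SAMPLE_LISTING, "Contributor")
    print(role_assignment_request(rg, contributor, "group-object-id-placeholder"))
```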

Emit role's permissions as claims in JWT with AAD (Azure AD)

I need to emit a role's permissions as claims in the JWT.
The aim is to get a certain user's permissions as claims in the JWT for authorization purposes.
The user belongs to a group which is associated with a certain role which has certain permissions in the Azure Active Directory.
Clarification:
If I add some items to the appRoles array in the app's manifest, the role names are emitted as role-type claims in the JWT in the following format:
http://schemas.microsoft.com/ws/2008/06/identity/claims/role: [value property in the appRole item as it appears in the manifest appRoles array]
But I couldn't find any way to emit role's permissions' names (or any other property) as claims.
I've been googling and digging in MS docs for days but couldn't find anything. I hope that it's possible.
If it isn't possible, a clumsy workaround may be to represent the permission we need to be emitted as an AAD role, and to represent the role (in the meaning of "a set of permissions") as an AAD special group, and then to associate the groups we wanted to be associated with the role (in an ideal world) to that special "role"-group.
But it's very clumsy, as we will actually lose the natural meaning of a role, which is a set of permissions, and the natural meaning of a group, which is a set of users and/or groups.
Thanks for any help :)
The value property is the custom role name you configured and will be returned in JWT. It's by design.
The permission name won't be returned in the JWT. After you have added an appRole into the Azure AD app, you need to assign users and groups to the role.
You need to add the needed permissions in Azure AD APP and then control the permissions in your code.
We assume you have assigned a custom role in an Azure AD app and added a user to this role.
When a user signs in, a token which includes the role claim will be returned. You can judge the user's role in the code. If it matches a custom appRole, he is allowed to perform an operation. If the user does not match any of the appRoles, he does not have permission to perform any operations.

Restricting claims in Azure App Registration?

Within Azure Active Directory, I have created an App Registration.
For most users, this works great. They can login to my application via federating in from Azure AD, and their claims are coming through.
For some users, however, they have over 150 group memberships in Azure AD. For them, they receive an HTTP 400 bad request. I've increased the maxRequestBytes and maxFieldLength of my server according to this post: https://support.microsoft.com/en-us/help/820129/http-sys-registry-settings-for-windows, but it didn't solve the issue for all users. Some received access after this, but there's a handful that still cannot login.
My application only has ~10 groups in Azure AD that it cares about. I customized my App Registration's manifest to have "groupMembershipClaims": "SecurityGroup".
Is there a way I can restrict the claims coming out of Azure AD to only the 10 groups that I care about?
Per my understanding, this issue is due to too many group claims in some of your Azure AD users' access tokens, and you want to limit the group claims.
As far as I know, there is no way to do that. But there are two workarounds here:
1. This official doc, which describes the groups and hasgroups claims, may provide some tips to handle your scenario. As the doc indicates, it suggests you call an API to fetch all of a user's groups if the user has too many group claims.
In your scenario, you will need to check about 10 group memberships for a user. To avoid the issue of too many group claims in your user's token, you can just remove group claims from the token and check a user's group memberships with this API.
2. Use the Azure AD app roles claim instead of the groups claim. In an Azure AD application, we can add app roles and assign the roles to users or groups. Once the role is assigned, a role claim will be added to the users' token.
As you only care about 10 groups, you can create corresponding app roles and assign the roles to the groups you care about (i.e., role1 assigned to group1). With this, users in the groups will have the corresponding role claim (i.e., users in group1 will have a role claim: role1), so that you can use this claim to replace the groups claim.
What's more,
besides increasing maxRequestBytes and maxFieldLength of your server, you can try to modify maxAllowedContentLength; see this post for details.
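An added example (not code from either answer) covering the application-side handling both of the app-role approach, from the appRoles answer earlier on this page and from workaround 2 here, and of the groups-claim approach from workaround 1: permissions are looked up from the role claim in code, since Azure AD emits only the role value, and the groups claim is intersected with the watched groups while the documented overage markers (hasgroups, _claim_names) are treated as "unknown, ask Graph" rather than "no groups". Claim dicts are assumed to be already decoded and signature-verified; the role values, permission table and group ids are constructed.

```python
# Role claim may arrive as the short JWT "roles" claim or as the WS-Fed style URI
# quoted in the appRoles question; both are accepted here.
ROLE_CLAIM_KEYS = ("roles", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role")

# appRole "value" -> permissions. Azure AD emits only the role value, so this table
# is the application's own definition of what each role may do (constructed).
ROLE_PERMISSIONS = {
    "Reports.Reader": {"reports:read"},
    "Reports.Admin": {"reports:read", "reports:write"},
}

# Object ids of the ~10 groups the application cares about (constructed placeholders).
WATCHED_GROUPS = {"g-1111", "g-2222", "g-3333"}


class GroupOverage(Exception):
    """The token omitted the group list; membership must be fetched from Microsoft Graph."""


def permissions_from_roles(claims):
    """Union of permissions for every role value in the token; unknown roles grant nothing."""
    roles = set()
    for key in ROLE_CLAIM_KEYS:
        value = claims.get(key, [])
        roles.update([value] if isinstance(value, str) else value)
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(claims, permission):
    return permission in permissions_from_roles(claims)


def watched_groups(claims):
    """Intersect the token's groups with WATCHED_GROUPS. When the group limit is hit,
    Azure AD emits 'hasgroups': true or a '_claim_names' entry for 'groups' instead
    of the list; that must raise, never silently return an empty set."""
    if claims.get("hasgroups") is True or "groups" in claims.get("_claim_names", {}):
        raise GroupOverage("group list omitted from token; query Microsoft Graph")
    return set(claims.get("groups", [])) & WATCHED_GROUPS
```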