I’ve integrated Keycloak SAML SSO with Morpheus Data and I’m a bit confused about how to map Keycloak roles to Morpheus Data roles. Could someone explain the following role mapping fields and provide guidance on how to create user roles in Keycloak for mapping to Morpheus Data roles?
Hello @morpheususer!
Unfortunately, we can’t provide specifics around configuring the individual SSO providers. That said, they are all generally the same in terms of what needs to be done, just each one does it differently.
From experience, Okta and Azure use “Groups” and OneLogin uses “Roles”; it sounds like the terminology in Keycloak is also “Roles”. In these cases, they are the same thing: a construct in those systems that you add users to. Morpheus can key off those or other claims that are configured for your authenticated users; groups/roles tend to be more common.
Confirm that the claim name being sent via your SSO is “Role” (matching your screenshot) and that the values coming across for “Role” are “admin” or “users”. I’d recommend using a tool such as the SAML Chrome Panel extension (if using Chrome) to inspect the SSO payload.
Here is an example from my login to Okta and inspecting it with SAML Chrome Panel and the claims sent:
If you need additional assistance, I’d recommend opening a technical request and we’ll be able to work with you to help sort it all out. Contact your account manager for additional questions on opening a technical request.
Hope that helps!
Just to add, it looks like you can define the attributes on the client in Keycloak by creating Mappers similar to the screenshot below.
You can refer to the Keycloak docs on mappers here if needed. Server Administration Guide
Thank you for the responses, I will try the above solutions…
Hey, can you please elaborate more on how you map these group mapper values into Morpheus Data? For example, can you show how you set those in the Morpheus Data configuration?
Thank you.
You will need to set the “Role Attribute Name” to the “SAML Attribute Name” from Keycloak. Then for each Morpheus Role you will set them to the group that is sent as part of the mapping from Keycloak. In the case of your screenshot you have 2 roles in Morpheus. System Admin Role and User Admin Role. You would need to set these to the Group name that is sent. As @kgawronski stated, you can confirm what is being sent by using the SAML Chrome Panel or other similar tool.
@morpheususer, this is unrelated, but I am having trouble with keycloak logouts.
Could you supply the /realms… onward portion of your logout POST URL field in Morpheus?
Thanks!
I have already set the group names as you said. Actually, the point where I’m stuck, or that is confusing me, is “Required Role Attribute Value”. Thank you.
The “Required Role Attribute Value” would be populated similarly to the values you’d enter in the other Morpheus role boxes. However, this field is used to specify a Keycloak role that all users MUST be in, or they will get an access denied error when logging in.
You can omit the “Required Role Attribute Value”, and everyone who authenticates with your SSO will be able to log in to Morpheus. When users log in this way, the “Default Role” is applied. Some customers set this to a baseline role that everyone in the company should have, and others set it to a “No Access” role with all permissions removed, so the user can only edit their own user settings.
If the user is also part of additional Keycloak roles and they are mapped to Morpheus roles, then those would also apply additively.
Here is some additional documentation:
https://docs.morpheusdata.com/en/latest/integration_guides/IdentityManagement/saml.html#role-mappings
I’d recommend opening a technical request if you are having continued issues, I think that would be the best way to help resolve this. Contact your account manager for additional questions on opening a technical request.
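To make the mapping logic in the reply above concrete, here is an added worked example (not Morpheus or Keycloak code, and not from the original thread). It parses a hand-constructed SAML assertion, the kind of payload the SAML Chrome Panel shows after decoding the SAMLResponse, pulls out the values of the attribute named by “Role Attribute Name”, and then applies the semantics described above: the “Required Role Attribute Value” gates login, the “Default Role” applies to everyone who passes, and each mapped Morpheus role is added when its Keycloak role/group value is present. The `RoleMappingConfig` shape, the role names, and the sample assertion are all assumptions for illustration.

```python
"""Model of the SAML role-mapping behaviour described in this thread.

Constructed example, not Morpheus or Keycloak code. The assertion below is
hand-written; the mapping semantics follow the reply above: the role attribute
name selects the SAML attribute, a required value (if set) gates login, the
default role applies to everyone who passes, and mapped roles add on top.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (signature and conditions omitted). A real SP
# must verify the signature before trusting any of these attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>users</saml:AttributeValue>
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str, attr_name: str) -> list[str]:
    """Return every AttributeValue carried under the SAML attribute `attr_name`.

    This is the check the thread recommends doing by hand with SAML Chrome
    Panel: is the attribute name what Morpheus expects, and what values arrive?
    """
    root = ET.fromstring(assertion_xml)
    values: list[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attr_name:
            values.extend((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", SAML_NS))
    return values


@dataclass
class RoleMappingConfig:
    """Assumed shape of the SAML role-mapping fields discussed in the thread."""
    role_attribute_name: str                      # "Role Attribute Name"
    default_role: str                             # "Default Role"
    required_role_attribute_value: Optional[str] = None  # "Required Role Attribute Value"
    # Morpheus role name -> Keycloak role/group value that grants it
    role_mappings: dict[str, str] = field(default_factory=dict)


class AccessDenied(Exception):
    """Raised when the required role attribute value is missing from the assertion."""


def resolve_roles(assertion_xml: str, cfg: RoleMappingConfig) -> set[str]:
    """Compute the Morpheus roles a user would end up with under `cfg`."""
    values = set(attribute_values(assertion_xml, cfg.role_attribute_name))

    # The required value, when configured, must be present or login is refused.
    if cfg.required_role_attribute_value and cfg.required_role_attribute_value not in values:
        raise AccessDenied(
            f"attribute {cfg.role_attribute_name!r} lacks required value "
            f"{cfg.required_role_attribute_value!r}; got {sorted(values)}")

    # Everyone who passes the gate gets the default role ...
    roles = {cfg.default_role}
    # ... and each mapped role is added when its IdP value was sent (additive).
    for morpheus_role, idp_value in cfg.role_mappings.items():
        if idp_value in values:
            roles.add(morpheus_role)
    return roles


if __name__ == "__main__":
    cfg = RoleMappingConfig(
        role_attribute_name="Role",
        default_role="No Access",
        role_mappings={"System Admin Role": "admin", "User Admin Role": "users"},
    )
    print("attribute values:", attribute_values(SAMPLE_ASSERTION, "Role"))
    print("resolved roles:", sorted(resolve_roles(SAMPLE_ASSERTION, cfg)))
```

Two failure modes from the thread fall out directly: if the Keycloak mapper emits a different attribute name (say `Roles`) than the configured “Role Attribute Name”, `attribute_values` returns nothing and the user lands on the default role only; if a “Required Role Attribute Value” is set that the user’s assertion does not carry, `resolve_roles` refuses them, which is the access denied behaviour described above. The XML parsing here is only for inspection; it performs no signature validation and must not be used as an SP on its own.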
Thanks for the guidance, I will surely look into it.