Hi everybody,
We are making use of keycloak as an external SAML SSO identity source for our morpheus implementation
and we made the necessary keycloak client roles ↔ morpheus roles mapping in the identity source configuration.
On the first sign-in of our users, the morpheus user definition and its corresponding accorded roles are well synchronised with the mappings.
We noticed that after the first user sign in, if the user role assignment changes on keycloak, the changes are not applied on morpheus user definition.
The workaround that we found consisted of deleting the user from morpheus before changing the role assignment on keycloak. This workaround has its own limitations and compromises.
The question is: did we miss something about the external identity source configuration? Is there a way to make the morpheus user definition update dynamically if the keycloak user role assignment changes?
I think… that with the SSO providers, user must sign out and log in again for updated group/role mappings to be applied. Nothing will change while in the “logged-in” session.
That’s the normal course of events. We tested logging out → new login after the role association is modified on keycloak, yet it didn’t work: the user’s role association on the morpheus side didn’t get updated.
Hi @mlajnef, I hope you are well today!
As @Ollie_Phillips mentioned, it should update upon each login. Here is an example using Azure as SAML SSO:
Initial role mappings using the Azure group object ID:
With the user in the group, they get this:
After removing them from the Azure group, they get this:
While I can’t speak for Keycloak directly, as each SSO platform configures differently, I can provide some general thoughts to check, regardless of SAML provider.
- I’d recommend setting the SAML LOGOUT REDIRECT URL in the SSO configuration to the logout URL of your IDP. It is possible that when the user is logging out of Morpheus, they are not logging out of your SSO. If not, it could mean they still have their original tokens cached from your SSO provider being presented. They provide those values and we accept them. Alternatively, most SSO providers have a page you can go to and log yourself out of it; if this is a test user, you could force-sign yourself out and then log back into Morpheus, where you should get prompted by your SSO provider and new tokens would be received.
This will log the user out of all their SSO sessions for all apps, unless your provider allows for a logout URL per app, so it just logs you out of that one.
- Using a test user, you can use extensions for Chrome such as SAML Chrome Panel; there are others for other browsers too. This will let you inspect the test user’s claims to see what is being presented from your SSO, which should be configured for your ROLE ATTRIBUTE NAME in the SSO configuration. For example, my test user is in 3 Azure groups, which you can see here, but note that different SSO providers can use different claim names and might not match what is in my screenshot:
Although I used Azure as the example above, I’ve tested the same using Okta as the SAML SSO configuration.
Feel free to share more here if we can help. If using a tool such as SAML Chrome Panel and you see for sure that your old claims are gone and only the new are listed, then it may be a good idea to open a support case.
Hope that helps!
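As an added illustration of the claim check described in the post above (not code from Morpheus or from any participant in this thread): the script below decodes a SAMLResponse as posted to the ACS URL, pulls the values of the attribute named in the ROLE ATTRIBUTE NAME setting, and reports which role claims are missing or stale compared with what you expect after the Keycloak change. The attribute name `Role`, the role values and the sample response are all constructed for the example.

```python
import base64
from xml.etree import ElementTree as ET

# SAML 2.0 namespaces that wrap the assertion's AttributeStatement
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def role_claims(saml_response_b64: str, role_attribute_name: str) -> list[str]:
    """Return every value of the attribute called role_attribute_name
    (the SSO 'ROLE ATTRIBUTE NAME') from a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == role_attribute_name:
            for v in attr.iterfind("saml:AttributeValue", NS):
                if v.text:
                    values.append(v.text.strip())
    return values


def stale_roles(expected: set[str], presented: list[str]) -> dict:
    """Diff the roles the IdP actually presented against the roles you expect
    after the change; 'unexpected' entries are the stale ones."""
    got = set(presented)
    return {"missing": sorted(expected - got), "unexpected": sorted(got - expected)}


# Constructed sample (not a real IdP capture, assumed attribute name "Role"):
# the user still carries the old morpheus-admin claim after the Keycloak change.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>testuser</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Role">
        <saml:AttributeValue>morpheus-admin</saml:AttributeValue>
        <saml:AttributeValue>morpheus-user</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    presented = role_claims(SAMPLE_B64, "Role")
    print("presented:", presented)
    print("diff:", stale_roles({"morpheus-user"}, presented))
```

If the old value still shows up here after a full IdP logout and fresh login, the IdP is still issuing it; if only the new values are listed and Morpheus still shows the old role, that is the point at which the post suggests opening a support case.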