Keycloak 26.2.5 : Active Directory groups and Applications roles


Tabsil Taws

Jul 4, 2025, 5:26:59 AM
to Keycloak User
Hello,

I recently installed Keycloak 26.2.5 and created a test realm.

I configured a connection to Active Directory (AD) as the user federation source.

I also imported AD groups (in a flat structure).
Additionally, I installed a custom theme for the login and the account UI.

I created five applications (clients) in the realm.

What I want to achieve:
Create roles linked to each application

Map these roles to corresponding Active Directory groups

For example:

App A  <------>  Role A  <------>  AD Group A  
App B  <------>  Role B  <------>  AD Group B

So that when a user from AD Group A logs in, they see App A in their list of applications.

And if a user is part of both AD Group A and B, they will see both App A and App B in the Account Console → Applications section.

Of course, each application has its own internal access logic.

I tried to configure this setup, but it doesn't seem to work as expected.

My questions:
Is this kind of setup possible in Keycloak?

Is there any guide or documentation explaining how to achieve this?

I use another access management tool where this is easily configured, but I haven't been able to do the same with Keycloak.

Thank you.