08-27-2024 02:56 AM
Keycloak Role Mapping With Morpheus Data
I’ve integrated Keycloak SAML SSO with morpheusdata and I’m a bit confused about how to map Keycloak roles to Morpheus data roles. Could someone explain the following role mapping fields and provide guidance on how to create user roles in Keycloak for mapping with Morpheus data roles?
08-27-2024 10:05 PM
Re: Keycloak Role Mapping With Morpheus Data
Thank you for the responses, I will try the above solutions…
08-28-2024 05:36 AM
Re: Keycloak Role Mapping With Morpheus Data
@morpheususer, this is unrelated, but I am having trouble with Keycloak logouts.
Could you supply the /realms… onward portion of your logout post URL field in Morpheus?
Thanks!
08-28-2024 06:08 AM
Re: Keycloak Role Mapping With Morpheus Data
Thanks for the guidance, will surely look into it.
08-28-2024 03:40 AM
Re: Keycloak Role Mapping With Morpheus Data
Hey, can you please elaborate more on how you map these group mapper values into Morpheus Data? Can you give an example of how you set those in the configuration of Morpheus Data?
Thank you.
08-28-2024 05:47 AM
Re: Keycloak Role Mapping With Morpheus Data
I have already set group names as you have said… Actually, the point where I’m stuck, or that is confusing me, is “Required Role Attribute Value”… Thank you.
08-28-2024 05:30 AM
Re: Keycloak Role Mapping With Morpheus Data
You will need to set the “Role Attribute Name” to the “SAML Attribute Name” from Keycloak. Then for each Morpheus Role you will set them to the group that is sent as part of the mapping from Keycloak. In the case of your screenshot you have 2 roles in Morpheus: System Admin Role and User Admin Role. You would need to set these to the Group name that is sent. As @kgawronski stated, you can confirm what is being sent by using the SAML Chrome Panel or other similar tool.
08-28-2024 06:00 AM
Re: Keycloak Role Mapping With Morpheus Data
The “Required Role Attribute Value” would be populated similar to the values you’d enter in the other Morpheus roles boxes. However, this field is used to determine a Keycloak role that all the users MUST be in or they will get an access denied error when logging in.
You can omit the “Required Role Attribute Value” and everyone that authenticates with your SSO will be able to log in to Morpheus. When users log in this way, the “Default Role” would be applied; some customers either set this to a baseline that everyone in the company should have access to, or they set a “No Access” role, with all permissions removed so the user can only edit their user settings.
If the user is also part of additional Keycloak roles and they are mapped to Morpheus roles, then those would also apply additively.
Here is some additional documentation:
https://docs.morpheusdata.com/en/latest/integration_guides/IdentityManagement/saml.html#role-mappings
I’d recommend opening a technical request if you are having continued issues, I think that would be the best way to help resolve this. Contact your account manager for additional questions on opening a technical request.
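The mapping behaviour described in this reply, as an added example that is not part of the original post and is not Morpheus code. It reads the role attribute from a SAML assertion and applies the required-role, default-role and additive rules. The sample assertion, the `morpheus-access` value, the `ROLE_MAP` pairs and the exact-match comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement an IdP mapper might emit.
# Attribute name "Role" and all values are assumptions, not captured data.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>morpheus-access</saml:AttributeValue>
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def attribute_values(assertion_xml, attribute_name):
    """Return every value sent for one SAML attribute (exact name match).

    Inspection only: this does not verify the assertion's signature.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            for v in attr.iterfind("saml:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values

def resolve_roles(sent_values, role_map, default_role, required_value=None):
    """Model of the rules in the reply; returns None for access denied."""
    if required_value is not None and required_value not in sent_values:
        return None  # user lacks the required role: login refused
    roles = {default_role}  # default role applies to everyone who gets in
    for value in sent_values:  # mapped roles are added on top
        if value in role_map:
            roles.add(role_map[value])
    return roles

# Hypothetical mapping: value sent by the IdP -> Morpheus role it is typed against.
ROLE_MAP = {"admin": "System Admin Role", "users": "User Admin Role"}

if __name__ == "__main__":
    sent = attribute_values(SAMPLE_ASSERTION, "Role")
    print(sent, resolve_roles(sent, ROLE_MAP, "No Access", "morpheus-access"))
```

An empty list from `attribute_values` for the configured “Role Attribute Name” means the mapper is sending the values under a different attribute name, which is the first thing to check in the captured payload.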
08-27-2024 06:40 AM
Re: Keycloak Role Mapping With Morpheus Data
Hello @morpheususer!
Unfortunately, we can’t provide specifics around configuring the individual SSO providers. That said, they are all generally the same in terms of what needs to be done, just each one does it differently.
From experience, Okta and Azure use “Groups” and OneLogin uses “Roles”, sounds like the terminology in Keycloak is also “Roles”. In these cases, they are the same thing, a construct in those systems that you add users to. Morpheus can key off those or other claims that are configured for your authenticated users, groups/roles tend to be more common.
Confirm that the claim name being sent via your SSO is “Role” (matching your screenshot) and that the values coming across for “Role” are “admin” or “users”. I’d recommend using a tool such as SAML Chrome Panel extension (if using Chrome) to be able to inspect the SSO payload.
Here is an example from my login to Okta and inspecting it with SAML Chrome Panel and the claims sent:
If you need additional assistance, I’d recommend opening a technical request and we’ll be able to work with you to help sort it all out. Contact your account manager for additional questions on opening a technical request.
Hope that helps!
08-27-2024 06:58 AM
Re: Keycloak Role Mapping With Morpheus Data
Just to add, it looks like you can define the attributes on the client in Keycloak by creating Mappers similar to the screenshot below.
You can refer to the Keycloak docs on mappers here if needed: Server Administration Guide