How to map KeyCloak groups with OpenSearch?

Hi there!

Is there any way to map KeyCloak groups within OpenSearch? Following the guidance, I was able to configure the OpenSearch KeyCloak integration as well as map the OpenSearch roles to the backend roles (i.e. the KeyCloak roles). Now, exploring further, I wanted to understand whether there is any way to configure a mapping between KeyCloak groups and OpenSearch.

Configuration:
I currently have KeyCloak and OpenSearch set up in Docker on my local machine.

Hi @vishal.gilbile,

Yes, that is possible. You will need to pass groups with your token from Keycloak and map them in your config.yml: openid_auth_domain.http_authenticator.config.roles_key: <name of the key for your groups>.

Best,
Mantas

The below setup worked for me in my lab, passing groups to OpenSearch backend_roles:
config.yml
openid_auth_domain.http_authenticator.config.roles_key: groups

Let me know if you need some clarification.

Best,
Mantas

Thanks for the input @Mantas; following your instructions, I’m able to see my KeyCloak groups inside OpenSearch as backend roles.


However, now I don’t see the KeyCloak roles as my backend roles in OpenSearch. Is there any way to configure both, I mean KeyCloak groups as well as roles, so that if any RBAC is created over the roles we can have that implemented over here in OpenSearch, and the same goes for groups?

Hi @vishal.gilbile,

You cannot have roles_key configured to multiple values. If you want to have both the groups and the roles mapped to your users’ backend_roles, you will need to find out how to pass both groups and roles in a single claim in the JWT payload that you can map to roles_key.

Best,
Mantas
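Mantas's point that roles_key reads exactly one claim, as an added example that is not from the original thread and is not OpenSearch's or Keycloak's own code. The Python below mimics the roles_key lookup over a constructed Keycloak-style token, shows what a roles_key of groups versus realm_access.roles yields, models the single combined claim the reply suggests, and resolves the result against a constructed roles_mapping. The claim names, group paths, subject values and the dotted nested-claim lookup are assumptions for illustration, not something confirmed by the thread.

```python
"""Toy model of OpenSearch's roles_key claim lookup against a Keycloak token.

Added example, not code from OpenSearch or Keycloak. It shows why a single
roles_key can read either the "groups" claim or the realm roles, but not both,
and how a combined claim on the IdP side resolves that. All tokens here are
constructed and unsigned; real OpenSearch verifies the signature against the
IdP's JWKS before it reads any claim.
"""
import base64
import json

# Constructed payload shaped like a Keycloak access token whose client scope has
# a Group Membership mapper (claim "groups", full group path enabled, hence the
# leading "/") plus the default realm roles mapper (claim "realm_access.roles").
KEYCLOAK_PAYLOAD = {
    "sub": "0000-constructed-subject",
    "preferred_username": "demo.user",
    "groups": ["/opensearch-admins", "/analysts"],
    "realm_access": {"roles": ["default-roles-demo", "log-reader"]},
}

# Constructed stand-in for roles_mapping.yml: OpenSearch role -> backend_roles.
# Matching is literal, so a Keycloak group path must be listed with its slash.
ROLES_MAPPING = {
    "all_access": {"backend_roles": ["/opensearch-admins"]},
    "readall": {"backend_roles": ["/analysts", "log-reader"]},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Serialise a payload as an alg=none JWT (header.payload.) for the demo only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def decode_payload(token: str) -> dict:
    """Decode the second JWT segment, restoring the base64url padding."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def lookup_claim(payload: dict, roles_key: str):
    """Return the claim named by roles_key, or None if it is absent.

    Assumption for this toy: a dotted key walks nested objects. Check your
    OpenSearch version's documentation for whether it supports nested claims.
    """
    node = payload
    for part in roles_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def extract_backend_roles(payload: dict, roles_key: str) -> list:
    """Turn the roles_key claim into a list of backend roles.

    Accepts a JSON array or a comma-separated string; a missing claim yields
    no backend roles (the user authenticates but maps to nothing).
    """
    value = lookup_claim(payload, roles_key)
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return [str(v) for v in value]


def add_combined_claim(payload: dict, claim_name: str) -> dict:
    """Model the IdP-side fix: one claim carrying groups followed by realm roles.

    Returns a new payload. Emitting such a claim is a Keycloak mapper question;
    OpenSearch itself cannot merge two claims into one roles_key.
    """
    combined = (extract_backend_roles(payload, "groups")
                + extract_backend_roles(payload, "realm_access.roles"))
    return {**payload, claim_name: combined}


def map_to_opensearch_roles(backend_roles: list, roles_mapping: dict) -> list:
    """Resolve backend roles to OpenSearch roles by exact string match."""
    granted = set(backend_roles)
    return [role for role, spec in roles_mapping.items()
            if granted.intersection(spec["backend_roles"])]


if __name__ == "__main__":
    token = make_unsigned_jwt(KEYCLOAK_PAYLOAD)
    payload = decode_payload(token)
    for key in ("groups", "realm_access.roles"):
        print(f"roles_key: {key:<18} -> {extract_backend_roles(payload, key)}")
    both = add_combined_claim(payload, "backend_roles")
    roles = extract_backend_roles(both, "backend_roles")
    print(f"roles_key: backend_roles      -> {roles}")
    print("OpenSearch roles:", map_to_opensearch_roles(roles, ROLES_MAPPING))
```

Two things the toy makes visible that are easy to miss in a real setup: a roles_key that names a missing claim logs the user in with no backend roles rather than failing, so an empty permission set after login is the first symptom of a wrong key; and a Keycloak Group Membership mapper with "Full group path" enabled emits values like /analysts, which roles_mapping.yml must then list with the leading slash, since the match is literal.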

Hi @Mantas,

How can this be implemented in Keycloak version 21?

In the client scope “roles”, under the Mappers tab, should I create a Group Membership mapper, or use a custom mapper like “User Attribute”?

Keycloak/OIDC : retrieve user groups attributes

Hi @ActiveSync,

That is a good question; however, this would be completely up to the IdP (Keycloak in your case).
I would say a good place to start looking for the answer would be: keycloak/keycloak · Discussions · GitHub or

If you find a solution please do let me know, if I stumble on one I will update you here.

Thanks,
mj