diff --git a/docs/docs-content/user-management/saml-sso/palette-sso-with-keycloak.md b/docs/docs-content/user-management/saml-sso/palette-sso-with-keycloak.md index 1666eff775..894cd1d0c1 100644 --- a/docs/docs-content/user-management/saml-sso/palette-sso-with-keycloak.md +++ b/docs/docs-content/user-management/saml-sso/palette-sso-with-keycloak.md @@ -137,6 +137,7 @@ up Keycloak as an OIDC provider for Palette. ![Client Authentication creation screen number two](/keycloak/user-management_saml-sso_keycloak-05-client-authentication.webp "Client Authentication") + 11. Fill out the following fields with the instructions provided in the table. | **Field** | **Description** | 
@@ -206,16 +207,40 @@ Use the following steps to validate the SSO configuration. ![alt_text](/keycloak/user-management_saml-sso_keycloak-15-palette-project.webp "Palette Project") -4. From the left **Main Menu**, select **Tenant Settings**. Next, click on **SSO** to access the SSO configuration page. + +### Sync Keycloak Groups and Palette Teams + +1. Switch back to the Keycloak admin console and modify the **profile** Client Scope. Navigate to the left **Main Menu** and + select **Client Scope**. Click on the **Profile** button. + + ![Image of keycloak mappers highlighted](/keycloak/user-management_oidc-sso-keycloak-19-keycloak-client-scopes.webp "Palette Project") + +2. Within the **profile** Client scope details, click **Mappers**, then **Add mapper** and **By configuration**. + +3. Navigate to **Group Membership** in the Configure a new mapper modal. + +4. Next, ensure the **Name** and **Token Claim Name** fields are both **groups**. + + ![Image of keycloak client scopes highlighted](/keycloak/user-management_oidc-sso-keycloak-20-keycloak-mapper.webp "Palette Project") + +5. Deselect the radio button for **Full group path**. + +6. Save the add mapper page. + +You have now ensured that the groups for the Keycloak user are within the token attributes, ensure the Keycloak group and the Palette group match. + +### Default Teams + +1. From the left **Main Menu**, select **Tenant Settings**. Next, click on **SSO** to access the SSO configuration page. Click on the **OIDC** tab to access the OIDC configuration page. Scroll down to the **SSO Admins** section and select the **admins** team from the **Default Team** drop-down Menu. Click on **Save**. -5. Navigate back to the Keycloak admin console. From the left **Main Menu** click on **Users**. Create a user and ensure +2. Navigate back to the Keycloak admin console. From the left **Main Menu** click on **Users**. Create a user and ensure the field **Username**, **Email**, and **First Name** are filled out. 
Click on **Save** to save the user. ![alt_text](/keycloak/user-management_saml-sso_keycloak-17-keycloak-user.webp "Keycloak user") -6. Next, click on the **Credentials** tab and assign the user password. +3. Next, click on the **Credentials** tab and assign the user password. ![alt_text](/keycloak/user-management_saml-sso_keycloak-18-keycloak-password.webp "Keycloak password") @@ -225,6 +250,7 @@ out the [Creating users](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-user_server_administration_guide) guide to learn how to create users in Keycloak. + ## Resources - [Keycloak Documentation](https://www.keycloak.org/documentation) diff --git a/static/assets/docs/images/keycloak/user-management_oidc-sso-keycloak-19-keycloak-client-scopes.webp b/static/assets/docs/images/keycloak/user-management_oidc-sso-keycloak-19-keycloak-client-scopes.webp new file mode 100644 index 0000000000..6e5197f0c5 Binary files /dev/null and b/static/assets/docs/images/keycloak/user-management_oidc-sso-keycloak-19-keycloak-client-scopes.webp differ diff --git a/static/assets/docs/images/keycloak/user-management_oidc-sso-keycloak-20-keycloak-mapper.webp b/static/assets/docs/images/keycloak/user-management_oidc-sso-keycloak-20-keycloak-mapper.webp new file mode 100644 index 0000000000..94d1e4454d Binary files /dev/null and b/static/assets/docs/images/keycloak/user-management_oidc-sso-keycloak-20-keycloak-mapper.webp differ
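Review bot: In the new "Sync Keycloak Groups and Palette Teams" section (hunk @@ -206,16 +207,40 @@), the closing line "You have now ensured that the groups for the Keycloak user are within the token attributes, ensure the Keycloak group and the Palette group match." is a comma splice and says "group" where the section heading says "Teams"; suggest splitting it and naming the claim the mapper just configured, e.g. "The Keycloak user's groups are now included in the token under the `groups` claim. Make sure each Keycloak group name exactly matches the name of the Palette team it should map to." Because step 5 turns off **Full group path**, only the leaf group name is emitted in that claim, so two nested groups that share a leaf name would map to the same Palette team; a one-line caveat there would save readers a confusing access grant. Also in this hunk: the two new image alt texts look swapped relative to their file names (`...19-keycloak-client-scopes.webp` carries "Image of keycloak mappers highlighted" while `...20-keycloak-mapper.webp` carries "Image of keycloak client scopes highlighted"), both reuse the title "Palette Project" copied from the screenshot above, and the new files use the `user-management_oidc-sso-keycloak-` prefix while every other image on this page uses `user-management_saml-sso_keycloak-`. "Client Scope", "Client scope" and "Client Scopes" should be written one way (the admin console menu item is "Client scopes"), and since **Full group path** is an on/off switch in the mapper form rather than a radio button, step 5 reads more accurately as "Turn off **Full group path**".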