Overview
External groups mapping allows you to integrate Conduktor’s RBAC system with your LDAP or OIDC source of truth. When you map an external group, the user is added to the Conduktor Console group at login. This ensures that users inherit necessary group permissions and that they are removed from Conduktor groups if their external membership changes.
Prerequisites
You have to configure SSO to an LDAP or OAuth2.0 identity provider. In addition to the properties required for the default configuration, you also have to add the relevant group properties and create the scope in your IdP.
LDAP
For LDAP, populate the groups-base and groups-filter attributes.
platform-config.yaml
OIDC
For OIDC, populate the groups-claim attribute. You can find some examples by selecting your identity provider.
platform-config.yaml
Create an external group mapping
Once LDAP or OIDC is configured, you can create the mapping between external and Conduktor groups. You have two options: map an existing Conduktor group or a new one to an external group.
Map an existing group to an external one
In Console, go to the Groups page, click … at the top-right and select Map external groups. The External groups tab opens, allowing you to manage this list. The value to set depends on the IdP you use. For example, for Azure, you have to put the Object ID of your groups. For Keycloak, this is the name of the group.
Once you’ve mapped the external groups, use Conduktor’s RBAC to enforce permissions.