
External Group Sync

Overview

External group synchronization allows you to integrate Conduktor's RBAC system with your LDAP or OIDC source of truth. When you map an external group, it will ensure a user is added to the Conduktor Console group at login. This mechanism ensures a user inherits necessary group permissions, and that they are removed accordingly from Conduktor groups if their external membership changes.

Prerequisites

You must first configure SSO to an LDAP or OAuth 2.0 identity provider. In addition to the properties required for the default configuration, you must also add the relevant group properties.

LDAP

For LDAP, populate the groups-base and groups-filter attributes. For more information see configuration properties and environment variables.

  ldap:
    - name: "default"
      server: "ldap://ldap.test.io:1389"
      managerDn: "cn=admin,dc=conduktor,dc=io"
      managerPassword: "pass"
      search-base: "dc=conduktor,dc=io"
      groups-base: "dc=conduktor,dc=io"
      # {0} is substituted with the DN of the authenticated user
      groups-filter: "member={0}"

OIDC

For OIDC, populate the groups-claim attribute. For more information see configuration properties and environment variables.

sso:
  oauth2:
    - name: 'azure'
      default: true
      client-id: ${AZURE_APPLICATION_ID}
      client-secret: ${AZURE_CLIENT_SECRET}
      openid:
        issuer: https://login.microsoftonline.com/{tenantid}/v2.0
      groups-claim: ${GROUPS_CLAIM}

Azure AD example

For Azure AD, you can create this claim in the 'Token configuration' tab within your App registration. Click on Add groups claim.

Then select Security groups as group type to include, and ensure that the token property is Group ID for each type.

You can see that the claim name is groups, so you can add the following line to your configuration file: groups-claim: "groups".

Please note: If you have a large number of groups within your enterprise, you may need to use the "Groups assigned to the application" option in the "Select Group Types" tab. This avoids exceeding the limit on the number of groups a token can emit. See further Azure documentation on utilising this option here.

Create a Group Mapping

Now that LDAP or OIDC is configured to map groups, you can create a sync between an external group and a Conduktor group. You can:

  • Create a new Conduktor group with one or more external group mappings
  • Map an existing Conduktor group to one or more external groups

Create a new group with an external group mapping

From within Admin, navigate to the Members screen and select the Groups tab.

  • Provide the Name, Description and select Activate external groups mapping
  • Provide 1 or more LDAP/OIDC groups to create a sync

In the above example, any users that are present in the externally mapped groups will inherit permissions that are set against the Conduktor group 'Platform Engineering'. To learn how to use Conduktor's RBAC system to enforce permissions, see RBAC.

Map an existing Conduktor group to an external group

From within the Members screen, select the breadcrumbs next to an existing group and select 'Map external group'.

The value to set depends on the IdP you use. For example, for Azure, you must put the Object ID of your groups. For Keycloak, this is the name of the group.

Once you have mapped external groups, use Conduktor's RBAC system to enforce permissions.
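The login-time behaviour described above (users gain membership of a mapped Conduktor group when their external group is present, and lose it when it is not, while groups without an external mapping are left alone) can be modelled as a small reconciliation step. This is an added illustration, not Conduktor's own code: the token claims, the mapping table and the Object ID values are constructed, and leaving unmapped groups untouched is an assumption.

```python
# Added example (not Conduktor's code): models group sync at login.
# Token payload, claim name and mappings below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class GroupMapping:
    conduktor_group: str
    # Azure: group Object IDs; Keycloak: group names (constructed values here)
    external_groups: set


@dataclass
class SyncResult:
    add: set = field(default_factory=set)
    remove: set = field(default_factory=set)


def external_groups_from_token(claims: dict, groups_claim: str) -> set:
    """Read the configured groups-claim; a missing or malformed claim yields no groups."""
    value = claims.get(groups_claim)
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list):
        return set()
    return {str(g) for g in value}


def reconcile(current: set, external: set, mappings: list) -> SyncResult:
    """Only groups that carry an external mapping are changed (assumption);
    manually assigned Conduktor groups are never touched by the sync."""
    result = SyncResult()
    for m in mappings:
        should_be_member = bool(m.external_groups & external)
        if should_be_member and m.conduktor_group not in current:
            result.add.add(m.conduktor_group)
        elif not should_be_member and m.conduktor_group in current:
            result.remove.add(m.conduktor_group)
    return result


# Constructed mapping table: one Conduktor group per external group Object ID.
MAPPINGS = [
    GroupMapping("Platform Engineering", {"00000000-0000-0000-0000-00000000pe01"}),
    GroupMapping("Data Science", {"00000000-0000-0000-0000-00000000ds01"}),
]

# Constructed ID token payload; 'groups' matches groups-claim: "groups".
SAMPLE_CLAIMS = {"sub": "alice", "groups": ["00000000-0000-0000-0000-00000000pe01"]}


def sync_on_login(claims: dict, current: set, groups_claim: str = "groups") -> SyncResult:
    return reconcile(current, external_groups_from_token(claims, groups_claim), MAPPINGS)
```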