Overview

Starting with version 2.2.0 of the Authsignal Keycloak provider, Keycloak user groups and roles are automatically sent to Authsignal as custom data points. This enables you to create authentication rules based on user permissions and group memberships without requiring any code changes.

Feature overview

The authenticator automatically passes three custom data points to Authsignal:
  • keycloakGroups - Contains all groups the user belongs to
  • keycloakRoles - Contains all realm-level roles assigned to the user
  • keycloakClientRoles - Contains all client-level roles assigned to the user

This feature requires version 2.2.0 or later of the Authsignal Keycloak provider. The data is sent automatically with no additional configuration needed in Keycloak.

Setup instructions

1. Configure custom data points in Authsignal

To use Keycloak groups and roles in your authentication rules, create the corresponding custom data points in the Authsignal portal. You only need to create the data points you plan to use in your rules; you can create one, two, or all three depending on your needs.

Step 1: Navigate to custom data points

Go to Settings > Rules > Custom data points in the Authsignal Portal.

Step 2: Create custom data points as needed

For each data point you want to use, click Create data point and configure one or more of the following:
  • keycloakGroups
    • Type: Multiselect
    • Description: Keycloak groups the user belongs to
  • keycloakRoles
    • Type: Multiselect
    • Description: Realm-level roles assigned to the user
  • keycloakClientRoles
    • Type: Multiselect
    • Description: Client-level roles assigned to the user

You only need to create the custom data points you plan to reference in your rules. If you’re only using groups, for example, you only need to create keycloakGroups.

2. Create rules using the custom data

Once the custom data points are configured, you can use them in your authentication rules:

Step 1: Navigate to rules

Go to the Rules section in the Authsignal Portal for your action.

Step 2: Create or edit a rule

Create a new rule or edit an existing one.

Step 3: Add conditions using custom data

In the Conditions section, click Add feature, then select one of your Keycloak custom data points from the Custom tab.

Step 4: Configure the condition

Set the operation (e.g., “contains”) and specify the group or role name to match.

Step 5: Save the rule

Click Save to apply your rule.

Use case examples

Here are practical examples of how you can use Keycloak groups and roles in your authentication rules:

Example 1: Require MFA for admin group
  • Condition: If keycloakGroups contains “Admin”
  • Action: Always challenge with MFA
  • Use case: Ensure administrators always complete multi-factor authentication for enhanced security

Example 2: Step-up authentication for privileged roles
  • Condition: If keycloakRoles contains “Finance” OR “Executive”
  • Action: Require passkey authentication
  • Use case: Require stronger authentication methods for users with access to sensitive financial data
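
An offline dry run of the two example rules above, added here as an illustration and not code from the Authsignal provider or portal. It evaluates the rules against constructed users and lists privileged users that neither rule matches. Assumptions: each data point is a list of plain name strings, "contains" is an exact case-sensitive match, the first matching rule wins, and `PRIVILEGED` is a hypothetical list you would maintain yourself.

```python
# Added example: offline dry run of the page's two example rules.
# Constructed sample data. Assumption: each data point arrives as a list of
# plain name strings; the page does not show the actual payload format.
USERS = {
    "alice": {"keycloakGroups": ["Admin"], "keycloakRoles": [], "keycloakClientRoles": []},
    "bob":   {"keycloakGroups": ["Staff"], "keycloakRoles": ["Finance"], "keycloakClientRoles": []},
    "carol": {"keycloakGroups": ["Staff"], "keycloakRoles": [], "keycloakClientRoles": ["realm-admin"]},
    "dave":  {"keycloakGroups": ["admin"], "keycloakRoles": [], "keycloakClientRoles": []},
}

# The rules from "Use case examples": (data point, names to match, action).
RULES = [
    ("keycloakGroups", {"Admin"}, "Always challenge with MFA"),
    ("keycloakRoles", {"Finance", "Executive"}, "Require passkey authentication"),
]

# Hypothetical: names this organisation treats as privileged, lower-cased.
PRIVILEGED = {"admin", "realm-admin", "finance", "executive"}

DATA_POINTS = ("keycloakGroups", "keycloakRoles", "keycloakClientRoles")


def evaluate(custom):
    """Return the action of the first matching rule, or None.

    Assumption: "contains" is an exact, case-sensitive match on one entry.
    """
    for data_point, names, action in RULES:
        if names & set(custom.get(data_point, [])):
            return action
    return None


def coverage_gaps(users):
    """Map each user no rule matches to the privileged names they still hold."""
    gaps = {}
    for user, custom in users.items():
        if evaluate(custom) is not None:
            continue
        held = sorted(v for p in DATA_POINTS for v in custom.get(p, [])
                      if v.lower() in PRIVILEGED)
        if held:
            gaps[user] = held
    return gaps


if __name__ == "__main__":
    for user, custom in USERS.items():
        print(user, "->", evaluate(custom))
    print("gaps:", coverage_gaps(USERS))
```

In this constructed data, carol holds a client-level role that no rule references and dave's group name differs only in case, so both sign in without a challenge under the stated assumptions.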