> ## Documentation Index
> Fetch the complete documentation index at: https://docs.authsignal.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Using Keycloak groups and roles in authentication rules

> Learn how to use Keycloak groups and roles in Authsignal authentication rules.

## Overview

Starting with version 2.2.0 of the Authsignal Keycloak provider, Keycloak user groups and roles are automatically sent to Authsignal as [custom data points](/actions-rules/rules/custom-data-points). This enables you to create authentication rules based on user permissions and group memberships without requiring any code changes.

<Frame caption="Using Keycloak groups and roles in authentication rules.">
  <iframe width="100%" height="400" src="https://www.youtube.com/embed/o_zk-_IazYw" title="Using Keycloak groups and roles in authentication rules" frameBorder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowFullScreen />
</Frame>

### Feature overview

The authenticator automatically passes three custom data points to Authsignal:

* **`keycloakGroups`** - Contains all groups the user belongs to
* **`keycloakRoles`** - Contains all realm-level roles assigned to the user
* **`keycloakClientRoles`** - Contains all client-level roles assigned to the user

<Info>
  This feature requires version 2.2.0 or later of the Authsignal Keycloak provider. The data is sent automatically with no additional configuration needed in Keycloak.
</Info>

## Setup instructions

### 1. Configure custom data points in Authsignal

To use Keycloak groups and roles in your authentication rules, create the corresponding [custom data points](/actions-rules/rules/custom-data-points) in the Authsignal portal. You only need to create the data points you plan to use in your rules—you can create one, two, or all three depending on your needs.

<Steps>
  <Step title="Navigate to custom data points">
    Go to [Settings > Rules > Custom data points](https://portal.authsignal.com/organisations/tenants/custom_data_points) in the Authsignal Portal.
  </Step>

  <Step title="Create custom data points as needed">
    For each data point you want to use, click **Create data point** and configure one or more of the following:

    * **keycloakGroups**
      * **Type:** Multiselect
      * **Description:** Keycloak groups the user belongs to

    * **keycloakRoles**
      * **Type:** Multiselect
      * **Description:** Realm-level roles assigned to the user

    * **keycloakClientRoles**
      * **Type:** Multiselect
      * **Description:** Client-level roles assigned to the user

    <Note>
      You only need to create the [custom data points](/actions-rules/rules/custom-data-points) you plan to reference in your rules. If you're only using groups, for example, you only need to create `keycloakGroups`.
    </Note>
  </Step>
</Steps>

### 2. Create rules using the custom data

Once the custom data points are configured, you can use them in your authentication rules:

<Steps>
  <Step title="Navigate to rules">
    Go to the **Rules** section in the Authsignal Portal for your action.
  </Step>

  <Step title="Create or edit a rule">
    Create a new rule or edit an existing one.
  </Step>

  <Step title="Add conditions using custom data">
    In the **Conditions** section, click **Add feature**, then select one of your Keycloak custom data points from the **Custom** tab.
  </Step>

  <Step title="Configure the condition">
    Set the operation (e.g., "contains") and specify the group or role name to match.
  </Step>

  <Step title="Save the rule">
    Click **Save** to apply your rule.
  </Step>
</Steps>

## Use case examples

Here are practical examples of how you can use Keycloak groups and roles in your authentication rules:

**Example 1: Require MFA for admin group**

* **Condition:** If `keycloakGroups` contains "Admin"
* **Action:** Always challenge with MFA
* **Use case:** Ensure administrators always complete multi-factor authentication for enhanced security

**Example 2: Step-up authentication for privileged roles**

* **Condition:** If `keycloakRoles` contains "Finance" OR "Executive"
* **Action:** Require passkey authentication
* **Use case:** Require stronger authentication methods for users with access to sensitive financial data
