OIDC with Keycloak filter by groups/roles

Hi,

We have a setup with Open OnDemand using Keycloak OIDC and we would like to filter access to OnDemand by LDAP groups/roles.

We have our LDAP Keycloak integration and our OnDemand client configured. We also configured OnDemand with the “groups” scope as documented here.

oidc_scope: "openid profile email groups"

Although in our implementation it is “roles”.

With this setup we cannot filter group access: if the user belongs to the LDAP group configured in Keycloak (which in our case is a general LDAP group that includes all users) they can log in, but then, since we do SSSD authentication, when the server tries to run the PUN process for the user it fails as expected.

Is there a way to configure OnDemand to filter by group/role membership?

Regards,
B

Managed to make this work by changing the /etc/apache2/sites-enabled/ood-portal.conf configuration with the following.

    AuthType openid-connect
    <RequireAll>
        Require valid-user
        Require claim groups:<SOME-LDAP-GROUP>
    </RequireAll>
    LogLevel debug

Applied the change to the following:

  • <Location "/oidc">
  • <Location "/nginx">
  • <Location "/pun">
  • <LocationMatch "^/rnode/<SOME-REGEX>">
  • <LocationMatch "^/node/<SOME-REGEX>">

This seems to work: users not part of the <SOME-LDAP-GROUP> cannot log in, which matches our SSSD configuration on the node itself.

That said, I’m not sure if this is the right way of doing it. Will try to implement these settings using the Ansible role, feedback welcome!

Cheers,
B
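A small check for the claim rule in the Apache config above, added here as an example and not part of B's post or the OnDemand project: it decodes a constructed Keycloak-style ID-token payload and evaluates a `Require claim name:value` rule the way mod_auth_openidc does (exact match for a string-valued claim, membership for an array-valued one), which makes visible why a rule on `groups` fails when the Keycloak mapper emits the membership under `roles`. The token, claim names and group names are constructed sample values.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims in a JWT's payload segment. No signature check is
    done here: mod_auth_openidc verifies the token; this is only for seeing
    which claim names Keycloak actually emits (e.g. 'groups' vs 'roles')."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_matches(claims: dict, rule: str) -> bool:
    """Evaluate one 'name:value' rule as in 'Require claim groups:hpc-users'.
    A string claim must equal the value; an array claim must contain it."""
    name, _, wanted = rule.partition(":")
    value = claims.get(name)
    if value is None:
        return False
    if isinstance(value, list):
        return wanted in value
    return str(value) == wanted


def require_all(claims: dict, rules: list) -> bool:
    """<RequireAll> semantics: every claim rule must hold."""
    return all(claim_matches(claims, r) for r in rules)


# Constructed sample: an ID-token payload like Keycloak's, where the group
# membership was mapped to a claim named 'roles' rather than 'groups'.
SAMPLE_CLAIMS = {"sub": "b", "preferred_username": "b",
                 "roles": ["ood-users", "staff"]}
SAMPLE_TOKEN = ".".join([
    b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",  # not verified in this constructed sample
])

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print(require_all(claims, ["groups:ood-users"]))  # False: claim is 'roles'
    print(require_all(claims, ["roles:ood-users"]))   # True
```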

Editing the conf file by hand could throw things off. Since you edited it by hand, outside of update_ood_portal, that program (update_ood_portal) won’t replace it any more. You’ll have to use --force options or similar.

You should be able to add Require claim groups:<SOME-LDAP-GROUP> to the auth section of ood_portal.yml.

    auth:
       - 'Require claim groups:<SOME-LDAP-GROUP>'

I say should because we may supply that by default for OIDC users.

If we don’t/can’t then we will need to add the capability to add extra auth lines like this.

Hi Jeff,

Thank you for your feedback, it worked!

