Introduction
After setting up SSO logins in Keycloak, you can further configure it to manage permissions for your Canary Console users, such as controlling their Flock access and assigning Global Admin rights. This guide will take you through the Keycloak changes required to support IdP-managed permissions.
Change Summary
Within your Keycloak instance, you will need to add three attributes to each user group to enable Keycloak to manage their permissions. These attributes are: is_global_admin, managed_flocks and watched_flocks.
Note: These attributes can also be applied at an individual user level; however, most organisations prefer using groups as it simplifies management. Because the Canary Console applies whatever values Keycloak sends, anyone who can edit these attributes (on a group or on a user) effectively controls Console permissions, so limit that right to the Keycloak administrators who are meant to have it.
For more information about the IdP-managed permissions feature and the associated SAML attributes, please refer to this article.
All of the following steps should be completed within your Keycloak instance. Log in to Keycloak using an account with permission to modify the Thinkst Canary client and the groups you want to manage.
Steps
Step 1: Add the required attributes to the client profile
Open the client profile for the Thinkst Canary client that you created when you first configured SSO logins for Keycloak.
Go to the "Client scopes" tab and select the Thinkst Canary client scope.
Configure a mapper for each of the three user attributes (is_global_admin, managed_flocks and watched_flocks). Each mapper reads the attribute from the user (or the user's groups) and emits it as a SAML attribute; the SAML attribute name must match the attribute name exactly, as the Canary Console looks for these names when it receives the assertion.
The final setup should show three mappers in the client scope, one per attribute.
Step 2: Configure the user groups to which you want to apply your Canary Console permissions
Go to "Groups" and either create the user groups you need, or update your existing groups.
In the next steps, we'll use the newly created Canary-Flock-Manager group to demonstrate how attribute mappings work.
Ensure that the group's role mapping is configured so that members of the group can sign in to the Canary Console via SSO. If it isn't set up, add it first; the permission attributes have no effect for users who cannot log in.
We can now configure the Canary Console permissions on the "Canary-Flock-Manager" group by adding the three attributes to it.
In this example, the attributes are set so that users in the group do not receive global admin permissions on the Canary Console; instead, they can manage only the Flocks listed in managed_flocks, and watched_flocks is left empty so they have no watched Flocks.
If you need to assign access to multiple Flocks, separate the Flock IDs with commas in the attribute value.
Keycloak will pass these custom attributes to the Canary Console in the SAML assertion at login, and the Console will apply the corresponding permissions.
Note: You can find the Flock ID in each Flock by going to Settings -> Information.
Step 3: Confirm changes
You can now log in to your Canary Console with SSO, and the permissions configured on your group will be applied to your session.
Verify the configuration by checking that the Flocks you are able to manage within the Canary Console match the Flock IDs in the managed_flocks attribute of your user group, and that you do not have global admin rights unless is_global_admin grants them.
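If the permissions you see in the Console do not match the group, the quickest way to find out which side is wrong is to look at what Keycloak actually sent. The script below is an added example for this article (it is not Thinkst's or Keycloak's code): it parses a SAML assertion and reports whether the three attributes arrived, expands comma-separated Flock IDs, and flags a missing or misnamed attribute, which is the usual symptom of a mapper that was not added to the client scope. It assumes the SAML attribute names are exactly is_global_admin, managed_flocks and watched_flocks as described on this page, that is_global_admin carries the string "true" or "false", and it uses a constructed sample assertion whose Flock IDs are placeholders rather than real Flock IDs.

```python
"""Added example: check the Canary permission attributes in a SAML assertion.

Not part of the original article, and not Thinkst's or Keycloak's code.
Assumptions (labelled): attribute names as on the page; is_global_admin is
"true"/"false"; several Flock IDs are comma-separated in one value. The
sample assertion and its Flock IDs are constructed placeholders.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CANARY_ATTRS = ("is_global_admin", "managed_flocks", "watched_flocks")

# Constructed sample: the AttributeStatement of an assertion as Keycloak
# might send it for a member of Canary-Flock-Manager. Not a real capture;
# "flock-id-a" / "flock-id-b" are placeholders, not a real Flock ID format.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://keycloak.example.com/realms/example</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="is_global_admin">
      <saml:AttributeValue>false</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="managed_flocks">
      <saml:AttributeValue>flock-id-a, flock-id-b</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="watched_flocks">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def permission_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [non-empty values]} for the Canary attributes.

    An attribute that is present but carries only an empty value (like the
    watched_flocks above) is still reported, with an empty list, because
    "present and empty" and "mapper missing" need different fixes.
    """
    root = ET.fromstring(assertion_xml)
    found: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML):
        name = attr.get("Name")
        if name not in CANARY_ATTRS:
            continue
        # A multi-valued Keycloak attribute may arrive as several
        # AttributeValue elements, so collect all of them.
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML)
                  if v.text and v.text.strip()]
        found.setdefault(name, []).extend(values)
    return found


def split_flock_ids(values: list[str]) -> list[str]:
    """Expand comma-separated Flock IDs, trim whitespace, drop duplicates."""
    ids: list[str] = []
    for value in values:
        for flock_id in value.split(","):
            flock_id = flock_id.strip()
            if flock_id and flock_id not in ids:
                ids.append(flock_id)
    return ids


def effective_permissions(assertion_xml: str) -> dict:
    """Interpret the attributes the way the page describes the Console doing."""
    attrs = permission_attributes(assertion_xml)
    admin_values = attrs.get("is_global_admin", [])
    # Assumption: only the literal "true" grants global admin; a typo in the
    # group attribute therefore shows up as is_global_admin == False here.
    is_admin = bool(admin_values) and admin_values[0].lower() == "true"
    return {
        "is_global_admin": is_admin,
        "managed_flocks": split_flock_ids(attrs.get("managed_flocks", [])),
        "watched_flocks": split_flock_ids(attrs.get("watched_flocks", [])),
    }


def missing_attributes(assertion_xml: str) -> list[str]:
    """Attributes the assertion does not carry at all: a missing or misnamed
    mapper in the Thinkst Canary client scope is the usual cause."""
    present = permission_attributes(assertion_xml)
    return [name for name in CANARY_ATTRS if name not in present]


if __name__ == "__main__":
    print("missing:", missing_attributes(SAMPLE_ASSERTION))
    print("effective:", effective_permissions(SAMPLE_ASSERTION))
```

To use it on a real login, take the base64 SAMLResponse that the browser POSTs to the Canary Console (a SAML tracer browser extension shows it), decode it, and pass the Assertion element to effective_permissions. If missing_attributes returns a name, the mapper for that attribute is absent or its SAML attribute name does not match; if all three are present but the values are not what you expect, the group (or user) attribute in Keycloak is wrong.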
You're all set!