Group synchronization in SAML or OIDC

You can enable group synchronization in Validate when using secure protocols like SAML or OIDC. Group information is fetched from the IdP during user login and saved in the Validate permissions database.

To enable group synchronization:

  1. Configure the IdP to send group information:

    In Keycloak (OIDC):

    • Under Client Scopes, add a Group Membership mapper.

    • In the mapper configuration, set Full Group Path to off (Validate does not support nested groups).

    • Set Add to Userinfo to on.

    In Keycloak (SAML):

    • Under Client Scopes, add a Group List mapper.

    • Set Full Group Path to off.

  2. Ensure the following parameter is set in auth.properties, or set it through kwauthconfigw:

    kw.groupDnAttribute=groups

    where 'groups' is the attribute name from your IdP that contains the authenticated user's group information.

    To disable group synchronization, remove the kw.groupDnAttribute parameter from auth.properties, or remove it through kwauthconfigw.

  3. Restart the Validate server.

Limitations

  • Group membership is updated only when users log in. If a group is changed in the IdP, users must log in again to update their groups in Validate.

  • When group synchronization is enabled, users cannot be manually assigned or removed from groups in Validate. The IdP is the single source of truth for group memberships.

  • Validate enforces a 255-character limit for group names. If a user belongs to a group with a name exceeding 255 characters, synchronization will fail for that user.

  • If a group is renamed in the IdP, roles must be reapplied to the new group name in Validate.

  • Validate does not support nested groups.

  • Token Timeout Consideration: Group information updates only when users log in. Adjust token timeouts in admin.conf to control how often re-login is required:

    token.timeout.browser=8d

Troubleshooting

  • My group names are mapped with a preceding slash (/) in Validate.

    Workaround: Disable Full Group Path in the Keycloak Group Membership mapper.
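
The following Python model is an added example, not Validate's or Keycloak's own code. It applies the rules from the Limitations and Troubleshooting sections above to the group attribute received at login: a missing attribute (mapper not added or kw.groupDnAttribute wrong), a nested path such as /parent/child (not supported), a single leading slash (the Troubleshooting symptom produced by Full Group Path), and a name over 255 characters (sync fails for that user). A second helper lists synced groups that have no role assigned in Validate, which is what a group rename in the IdP looks like after the next login. The function names, the SyncResult structure, the role map and the sample responses are constructed for this example; the attribute name groups, the 255-character limit, the nested-group rule and the leading-slash symptom come from the page.

```python
from dataclasses import dataclass, field

GROUP_NAME_MAX = 255        # limit stated on the page
GROUP_ATTRIBUTE = "groups"  # matches kw.groupDnAttribute=groups on the page


@dataclass
class SyncResult:
    ok: bool = True                      # False: sync fails for this user
    groups: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def sync_groups(userinfo, attribute=GROUP_ATTRIBUTE):
    """Apply the page's group-sync rules to one login.

    `userinfo` is the decoded OIDC userinfo (or SAML attribute map) as a dict.
    Name and shape of this function are assumptions of this example.
    """
    result = SyncResult()
    raw = userinfo.get(attribute)
    if raw is None:
        result.ok = False
        result.errors.append(
            f"attribute {attribute!r} absent from IdP response: check the "
            f"mapper ('Add to Userinfo' on) and kw.groupDnAttribute")
        return result
    if isinstance(raw, str):
        raw = [raw]
    for name in raw:
        # Full Group Path ON yields paths such as /parent/child; nested
        # groups are not supported, so any inner slash is an error.
        if "/" in name.strip("/"):
            result.ok = False
            result.errors.append(f"nested group path not supported: {name!r}")
            continue
        # A single leading slash is the Troubleshooting symptom: the name is
        # stored as-is (slash included), so roles assigned to the bare name
        # will not match until Full Group Path is switched off.
        if name.startswith("/"):
            result.warnings.append(
                f"group {name!r} carries a leading slash: disable Full Group Path")
        # The 255-character limit makes the whole sync fail for this user.
        if len(name) > GROUP_NAME_MAX:
            result.ok = False
            result.errors.append(
                f"group name longer than {GROUP_NAME_MAX} chars: {name[:20]!r}...")
            continue
        result.groups.append(name)
    if not result.ok:
        result.groups = []  # nothing is written when sync fails
    return result


def unmapped_groups(synced_groups, role_assignments):
    """Synced groups with no role in Validate: the expected picture after a
    group is renamed in the IdP, since roles stay on the old name."""
    return [g for g in synced_groups if g not in role_assignments]


if __name__ == "__main__":
    # Constructed sample responses; not captured from a real IdP.
    samples = {
        "good": {"groups": ["developers", "auditors"]},
        "leading slash": {"groups": ["/developers"]},
        "nested": {"groups": ["/eng/developers"]},
        "too long": {"groups": ["x" * 256]},
        "missing": {},
    }
    for label, userinfo in samples.items():
        r = sync_groups(userinfo)
        print(f"{label:14} ok={r.ok} groups={r.groups} "
              f"errors={r.errors} warnings={r.warnings}")
    roles = {"developers": ["Project Admin"]}  # constructed role map
    print(unmapped_groups(sync_groups(samples["good"]).groups, roles))
```

Run it on the output of your own IdP's userinfo endpoint (or the SAML attribute statement) to see which of the page's limitations a given mapper configuration would trigger before users hit them; the warnings list is the quickest check that Full Group Path is still on.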