This use case can be modified and applied to various similar scenarios, as it covers many useful techniques.

Use case assumptions:

  1. We are using a shared LDAP server that is organized in this way:

    1. There are groups representing customers

    2. Each group contains users

  2. We would like to allow registration of a user in a specific customer database only if they have a specific role/group

  3. Security is further controlled at the application level, so the registration control is an additional step / measure


What we want to do:

Users that log in via LDAP come with specific groups.

...

Make sure there is a group mapper set up for LDAP. This will ensure that groups delivered via LDAP login are passed on to further login steps.

...

Users in the LDAP realm should have a federation link:

...

Also, groups fetched from LDAP should be visible:

...

The client connection between the LDAP realm and the customer realm also includes a group mapper:

...

Step 2: Add Group to Role mapper in the main realm

...

Enter Claim as: userLdapGroups

...

By using these mappers, we will be able to access any groups that are fetched from LDAP. Each group must be mapped here individually to a KC role.

...

Step 3: Custom authentication flow

...

In this case we require users to have the "fm-services" role, but remember that this name is only based on the earlier mapping done in step 2.

...


...

Step 4: Assign authentication flow to a specific provider

...

Select as First login flow our custom login flow, which requires a specific group/role to complete.
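As an added illustration (not code from the original page or from Keycloak itself), the following simulates the decision the custom first-login flow from step 3 makes once the userLdapGroups claim from step 2 has been mapped to roles: registration into the customer realm is only allowed when the mapped roles include "fm-services". The claim handling is an assumption about what a real flow can receive (claim missing, a single string instead of a list, or full group paths); the group names other than "fm-services" are constructed.

```python
from typing import Any, List, Mapping, Set

# Claim name chosen in step 2 of the page.
GROUPS_CLAIM = "userLdapGroups"

# Group -> Keycloak role mapping, mirroring the per-group mappings of step 2.
# Only "fm-services" comes from the page; "fm-readonly" is a constructed example.
GROUP_TO_ROLE = {
    "fm-services": "fm-services",
    "fm-readonly": "fm-readonly",
}


def groups_from_claim(claims: Mapping[str, Any], claim: str = GROUPS_CLAIM) -> List[str]:
    """Return the LDAP group names carried in the token claim.

    Handles three cases a first-login flow can meet: the claim is absent
    (no group mapper, or user in no group), the claim arrives as a single
    string instead of a list (mapper not configured as multivalued), and
    full group paths such as "/customer-a/fm-services" (assumption: the last
    path segment is the group name the role mapping refers to).
    """
    raw = claims.get(claim)
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = [raw]
    return [g.rstrip("/").rsplit("/", 1)[-1] for g in raw if isinstance(g, str) and g]


def roles_for_groups(groups: List[str], mapping: Mapping[str, str] = GROUP_TO_ROLE) -> Set[str]:
    """Translate group names to Keycloak role names; unmapped groups yield no role."""
    return {mapping[g] for g in groups if g in mapping}


def first_login_allowed(claims: Mapping[str, Any], required_role: str = "fm-services") -> bool:
    """Decision of the custom first-login flow (step 3): registration into the
    customer realm proceeds only if the mapped roles contain the required role."""
    return required_role in roles_for_groups(groups_from_claim(claims))


if __name__ == "__main__":
    # Constructed sample claim sets, as an identity provider would deliver them.
    print(first_login_allowed({"userLdapGroups": ["customer-a", "fm-services"]}))  # True
    print(first_login_allowed({"userLdapGroups": ["customer-a"]}))                 # False
```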

...