Active Directory User (comments)
To connect users managed via Microsoft Active Directory to the comments backend, you need Active Directory Federation Services (AD FS) and SAML v2.0. If AD FS is already set up on your server, follow these instructions to connect your AD to comments: Configure MS ADFS as a Brokered Identity Provider in KeyCloak
The Keycloak administration console is reachable at: https://<SERVER_URL>/auth
Step 6 under "SETUP IDENTITY PROVIDER IN KEYCLOAK" is optional; for comments it lets you map an existing SAML attribute to one of the three roles defined in comments. In the last field, enter "viewer", "editor" or "admin" instead of "manager".
If you have followed the instructions, there is now another option when logging into comments:
If you select the lower option, you can log in (if you are not already logged in) with a user from the Active Directory. On the user's first login, a form asks for the given name and surname of the user to be imported. To avoid this prompt, additional mappers are needed so that AD FS sends these attributes and Keycloak imports them. The configuration required in the AD FS console looks as follows:
In Keycloak, two more mappers need to be added to the SAML Identity Provider:
After this configuration, no further data entry is necessary after an Active Directory user logs in.
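The Keycloak side of the two steps above (the optional role mapping from Step 6 and the two attribute mappers that import given name and surname) can also be registered through the Keycloak Admin REST API instead of the admin console. The following is an added example, not code from the page or from the comments project. It assumes an identity-provider alias "adfs", a realm name supplied on the command line, that AD FS issues the standard claim types shown as constants (what the "Send LDAP Attributes as Claims" rule template emits for givenName and sn, plus the standard role claim), and that the three comments roles exist as realm roles named exactly "viewer", "editor" and "admin". The mapper type ids and config keys are Keycloak's own.

```python
"""Register Keycloak SAML IdP mappers for an AD FS identity provider.

Added example for this page; not the comments project's own code.
Assumptions (not taken from the page): IdP alias "adfs", realm name given on
the command line, the AD FS claim-type URIs below, and realm roles named
viewer/editor/admin.
"""
import json
import sys
import urllib.parse
import urllib.request

# Claim types AD FS issues for givenName / sn with its "Send LDAP Attributes as
# Claims" rule template, and the standard role claim. Assumption: the AD FS
# claim rules send exactly these URIs.
CLAIM_GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
CLAIM_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# The three roles defined in comments (Step 6 uses one of these, not "manager").
COMMENT_ROLES = ("viewer", "editor", "admin")


def is_comment_role(role):
    """True only for the role names comments actually defines."""
    return role in COMMENT_ROLES


def attribute_mapper(alias, name, saml_attribute, user_attribute):
    """Keycloak 'Attribute Importer' mapper: copies one SAML attribute into a
    Keycloak user attribute. firstName/lastName are the built-in profile
    fields, which is what stops the given-name/surname form on first login."""
    return {
        "name": name,
        "identityProviderAlias": alias,
        "identityProviderMapper": "saml-user-attribute-idp-mapper",
        "config": {
            "attribute.name": saml_attribute,
            "user.attribute": user_attribute,
        },
    }


def role_mapper(alias, saml_attribute, attribute_value, role):
    """Keycloak 'SAML Attribute to Role' mapper: grants the realm role `role`
    when `saml_attribute` carries `attribute_value` (the Step 6 mapping)."""
    if not is_comment_role(role):
        raise ValueError(f"role must be one of {COMMENT_ROLES}, got {role!r}")
    return {
        "name": f"role {role}",
        "identityProviderAlias": alias,
        "identityProviderMapper": "saml-role-idp-mapper",
        "config": {
            "attribute.name": saml_attribute,
            "attribute.value": attribute_value,
            "role": role,
        },
    }


def build_mappers(alias="adfs", role_claim=CLAIM_ROLE):
    """All mappers this page needs: two attribute importers plus one role mapper
    per comments role. Assumption: the AD FS role claim value equals the role
    name; adjust attribute_value if your AD groups are named differently."""
    mappers = [
        attribute_mapper(alias, "first name", CLAIM_GIVENNAME, "firstName"),
        attribute_mapper(alias, "last name", CLAIM_SURNAME, "lastName"),
    ]
    for role in COMMENT_ROLES:
        mappers.append(role_mapper(alias, role_claim, role, role))
    return mappers


def admin_token(base_url, username, password):
    """Password grant against the master realm with the admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    url = f"{base_url}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


def create_mappers(base_url, realm, alias, token, mappers):
    """POST each mapper to the identity provider instance; returns HTTP statuses."""
    url = f"{base_url}/admin/realms/{realm}/identity-provider/instances/{alias}/mappers"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    statuses = []
    for mapper in mappers:
        req = urllib.request.Request(url, data=json.dumps(mapper).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)  # 201 Created on success
    return statuses


if __name__ == "__main__":
    # usage: python adfs_mappers.py https://<SERVER_URL>/auth <realm> <admin> <password>
    base, realm, user, pw = sys.argv[1:5]
    print(create_mappers(base, realm, "adfs", admin_token(base, user, pw), build_mappers()))
```

Run it once against the realm that comments uses; Keycloak answers 201 for each created mapper. Running it a second time is refused if a mapper with the same name already exists, so check the identity provider's Mappers tab in the admin console before re-running.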
Automatic login without manual selection of the new identity provider
After this configuration, a user still has to select the Active Directory identity provider manually when logging in. To skip this step, follow the "default identity provider" step in the following instructions: Server Administration Guide