Introduction
In Conduktor Console, you can map your IdP groups to Console groups. That way, when users log in, they are automatically added to the relevant Console groups and receive the permissions you granted to those groups.
This is what we call external groups mapping.
Problem
If you have mapped an IdP group to one of your Console groups, but users are not automatically added to the group when they log in, this article will help you troubleshoot the issue.
The problem can come from two places:
- your OIDC configuration: the groups might not be present in the tokens sent during step 1
- your Conduktor configuration: you might have given the wrong groups claim, so Console doesn't know where to find the groups within the OIDC tokens
Situation
Make sure your external groups mapping is correctly set up
When you go to the Groups section, you should see a "link" icon next to the member count.
It means that at least one external group is mapped to this group. You can see which one by clicking on the group and opening the External groups section.
Log in as a user
Now that the external group is set up in Conduktor, ask one of your users who belongs to "project-a" to log in. They should be added to the Project A group:
The External tag means that you cannot remove this user from the group manually, because they were added through the external groups mapping.
If this is the case, then everything works well for you.
If the user isn't added to the group, or doesn't have this tag, then we can troubleshoot further.
Troubleshooting
Make sure your configuration is correct
In order to retrieve your IdP groups, you have to add some fields to Conduktor's configuration. First, make sure these fields are set.
On your IdP side, you might also have to change some things. Please select the IdP you're using in this list of IdPs, and check you followed the steps detailed in the Groups Mapping section.
Retrieve the ID and access tokens
In order to retrieve the ID token and/or the access token that your OIDC provider gives to Conduktor, you have to run Console in DEBUG mode.
For that, add the following environment variable and redeploy Console:
CDK_ROOT_LOG_LEVEL: "DEBUG"
Then log in through your OIDC provider so that Console receives the tokens from it.
Once you are logged in, run the following command to see the ID token retrieved by Console. Make sure you use the right container name or ID.
docker logs conduktor-console | grep Http4sSecurityAdapter
You'll then see a log line like the following, which contains both the ID token and the access token:
Got Oidc profile with ID token: [...] attributes={[...] id_token=xxxxx, access_token=xxxxx [...]})))".
Once you have a token, copy it and paste it into https://jwt.io/. That way, you'll see exactly what Conduktor Console receives.
If you can't see any "groups" claim, your OIDC setup is wrong: the IdP is not including the groups in the token.
If you can see a "groups" claim, or something similar, that contains the list of this user's groups, make sure the name of that key is the same as the value you set in Console's configuration as groups-claim.
If everything looks fine, make sure that the issuer you configured for Conduktor Console is the same as the iss value in the token.
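As an added example that is not part of this article or of Conduktor's own code, the Python script below does the same inspection as jwt.io offline: it pulls the id_token and access_token out of the log line above, decodes the claims without verifying the signature, and reports whether the configured groups-claim name and issuer match what the token carries. The log line, the tokens and the issuer URL are constructed for the example.

```python
import base64
import json
import re

# Constructed sample values for this example; the issuer URL and claims are assumptions.
ISSUER = "https://idp.example.com/"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string for the sample log line (no signature, inspection only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."

def decode_payload(token: str) -> dict:
    """Decode the claims segment of a JWT without verifying it, as jwt.io does."""
    parts = token.split(".")
    if len(parts) < 2:
        raise ValueError("not a JWT: expected header.payload.signature")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))

def extract_tokens(log_line: str) -> dict:
    """Pull id_token and access_token out of the Http4sSecurityAdapter log line."""
    found = {}
    for name in ("id_token", "access_token"):
        match = re.search(rf"{name}=([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)", log_line)
        if match:
            found[name] = match.group(1)
    return found

def check_token(token: str, groups_claim: str, issuer: str) -> list:
    """Compare the token with Console's groups-claim and issuer settings; return mismatches."""
    claims = decode_payload(token)
    problems = []
    if groups_claim not in claims:
        lists = [k for k, v in claims.items() if isinstance(v, list)]
        problems.append(f"no '{groups_claim}' claim; list-valued claims present: {lists}")
    if claims.get("iss") != issuer:
        problems.append(f"issuer mismatch: token iss={claims.get('iss')!r}, configured {issuer!r}")
    return problems

# Constructed log line: this IdP put the groups under "roles", not "groups".
SAMPLE_LOG = (
    "Got Oidc profile with ID token: [...] attributes={ id_token="
    + make_unsigned_token({"iss": ISSUER, "sub": "alice", "roles": ["project-a"]})
    + ", access_token="
    + make_unsigned_token({"iss": ISSUER, "sub": "alice", "scope": "openid"})
    + " [...]})))"
)

if __name__ == "__main__":
    for name, tok in extract_tokens(SAMPLE_LOG).items():
        print(name, check_token(tok, groups_claim="groups", issuer=ISSUER) or "OK")
```

Paste your own log line into SAMPLE_LOG and your configured values into the check_token call; an empty result means both the claim name and the issuer match.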
Contact the support
If you need further help, submit a request in this support portal and send us the content of the access_token you found in the log line.