IAM Integration
The Enterprise Stack integrates with external Identity Providers (IdP) for centralized user authentication and access management. See the access and permissions overview to learn about the broader security architecture.
Supported providers include:
- Keycloak
- Microsoft Entra ID (Azure AD)
- Okta
- Auth0
- Any OpenID Connect (OIDC) compatible provider
In this setup:
- The IAM provider handles authentication
- The Enterprise Stack handles authorization using RBAC
Authentication Flow
- User authenticates with the IAM provider
- IAM provider issues an OIDC token (JWT)
- Client sends the token with the API request
- Enterprise Stack validates the token
- RBAC evaluates roles and permissions for the requested operation
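The "Enterprise Stack validates the token" step above is where most of the security work happens. The following is an added worked example, not the Enterprise Stack's own code: it shows the checks a resource server has to make on an OIDC ID token before any RBAC decision is meaningful. To stay self-contained it signs with an HS256 shared secret and stands in for the IdP itself; a real deployment verifies the IdP's asymmetric (RS256/ES256) signature against the JWKS advertised by `openIdConfigurationUrl`. The issuer, audience and expiry checks are the same either way. The issuer, client id and key values are constructed placeholders.

```python
"""Constructed example: what validating an OIDC ID token (JWT) involves.

HS256 is used only so the example runs with the standard library. Pinning
the expected algorithm, verifying the signature before reading any claim,
and then checking iss/aud/exp/nbf is the order a resource server should use.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT. Stands in for the IdP in this constructed example."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenError(ValueError):
    pass


def validate_token(token: str, key: bytes, issuer: str, audience: str,
                   now: Optional[float] = None) -> dict:
    """Return the claims if every check passes, otherwise raise TokenError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed token") from exc

    # Pin the algorithm: the header must never choose the verifier, and
    # "none" is never acceptable.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")

    # Claims are trustworthy only after the signature holds.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this client")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("token expired")
    if now < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    return claims


# Constructed sample values (placeholders, not real configuration).
SAMPLE_KEY = b"constructed-shared-secret-do-not-reuse"
SAMPLE_ISSUER = "https://your-idp"
SAMPLE_CLIENT_ID = "your_client_id"      # the clientId from auth.conf
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "user-123",
    "iat": SAMPLE_NOW, "exp": SAMPLE_NOW + 300,
    "realm_access": {"roles": ["tenant-admin"]},
}
SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS, SAMPLE_KEY)


def check_token(token: str, now: float = SAMPLE_NOW) -> str:
    """Return 'ok' or the rejection reason, for the demo and tests."""
    try:
        validate_token(token, SAMPLE_KEY, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check_token(SAMPLE_TOKEN))                        # ok
    print(check_token(SAMPLE_TOKEN, now=SAMPLE_NOW + 600))  # token expired
    print(check_token(make_token(SAMPLE_CLAIMS, b"other-key")))  # bad signature
```

The order matters: a token whose signature has not been verified is just attacker-controllable JSON, so reading `exp` or `aud` first tells you nothing. Note also that `aud` must contain this deployment's `clientId`; a valid token minted for a different client of the same IdP must still be rejected.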
Configuring OIDC Login
OIDC login is configured in auth.conf. Add an entry with method = "oidc" to the authFlows list.
Minimal Configuration
```hocon
authFlows = [
  {
    method = "oidc"
    config = {
      openIdConfigurationUrl = "https://your-idp/.well-known/openid-configuration"
      clientId = "your_client_id"
      clientSecret = "your_client_secret"
      callbackUri = "https://your-enterprise-host/auth/account/oidc/callback"
      pkceEnabled = true
      externalRoleExtraction = {
        enabled = true
        realmRolesClaimPath = "realm_access.roles"
      }
    }
    success = true
  }
]
```
For the complete list of OIDC configuration options including dynamic redirects and logout settings, see the auth.conf reference.
Mapping IAM Roles to Enterprise Permissions
When users authenticate via OIDC, their external roles can be automatically mapped to Enterprise Stack permissions. This is called External Role Mapping.
How It Works
- User logs in via your IdP with roles (e.g., tenant-admin)
- Enterprise Stack extracts roles from the ID token (via externalRoleExtraction)
- Role mappings are evaluated to find matching Enterprise roles
- User receives permissions from all matched Enterprise roles
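The four steps above, as an added worked example that is not the Enterprise Stack's own code. It generalizes the claim-path idea slightly: `extract_roles` walks any dotted path (`realm_access.roles` for Keycloak, a top-level `roles` or `groups` claim for other IdPs), `RoleMapping.matches` applies the optional email-domain and provider conditions, and `resolve_access` unions the permissions of every matched Enterprise role. The mapping `tenant-admin` to `waltid.tenant1.BW_ADMIN` is from this page; the other mappings, the `AUDITOR` role and all permission strings are constructed for illustration (the page does not define a permission format).

```python
"""Constructed example (not the Enterprise Stack's own code) of external role
mapping: read roles from ID-token claims at a configurable claim path,
evaluate enabled mappings and their conditions, and union the permissions of
every matched Enterprise role.
"""
from dataclasses import dataclass
from typing import Optional


def extract_roles(claims: dict, claim_path: str) -> list[str]:
    """Walk a dotted claim path such as 'realm_access.roles' or 'groups'.

    Returns [] if any segment is missing, so a token without the claim simply
    carries no external roles instead of failing the login.
    """
    node = claims
    for segment in claim_path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return []
        node = node[segment]
    if isinstance(node, str):          # a single role emitted as a bare string
        return [node]
    if isinstance(node, list):
        return [r for r in node if isinstance(r, str)]
    return []


@dataclass(frozen=True)
class RoleMapping:
    external_role: str
    enterprise_role: str                 # e.g. "waltid.tenant1.BW_ADMIN"
    enabled: bool = True
    email_domain: Optional[str] = None   # conditional: only for this email domain
    provider: Optional[str] = None       # conditional: only for this IdP

    def matches(self, role: str, claims: dict, provider: str) -> bool:
        if not self.enabled or role != self.external_role:
            return False
        if self.provider is not None and self.provider != provider:
            return False
        if self.email_domain is not None:
            email = claims.get("email", "")
            domain = email.rsplit("@", 1)[1].lower() if "@" in email else ""
            if domain != self.email_domain.lower():
                return False
        return True


def resolve_access(claims: dict, provider: str, claim_path: str,
                   mappings: list[RoleMapping],
                   role_permissions: dict[str, set[str]]) -> tuple[list[str], list[str]]:
    """Return (matched Enterprise roles, union of their permissions), both sorted."""
    external_roles = extract_roles(claims, claim_path)
    matched = {m.enterprise_role
               for role in external_roles
               for m in mappings if m.matches(role, claims, provider)}
    permissions: set[str] = set()
    for enterprise_role in matched:
        permissions |= role_permissions.get(enterprise_role, set())
    return sorted(matched), sorted(permissions)


# --- constructed sample data (illustrative, not real configuration) ---------
ROLE_PERMISSIONS = {
    "waltid.tenant1.BW_ADMIN": {"tenant1:wallets:read", "tenant1:wallets:write"},
    "waltid.tenant1.AUDITOR": {"tenant1:wallets:read", "tenant1:logs:read"},
}
MAPPINGS = [
    RoleMapping("tenant-admin", "waltid.tenant1.BW_ADMIN"),   # mapping shown on this page
    RoleMapping("auditor", "waltid.tenant1.AUDITOR", email_domain="example.com"),
    RoleMapping("legacy-admin", "waltid.tenant1.BW_ADMIN", enabled=False),
]
KEYCLOAK_CLAIMS = {                       # shape of a Keycloak ID token
    "sub": "user-123",
    "email": "alice@example.com",
    "realm_access": {"roles": ["tenant-admin", "auditor", "legacy-admin"]},
}
ENTRA_CLAIMS = {                          # top-level 'roles' claim
    "sub": "user-456", "email": "bob@example.com", "roles": ["tenant-admin"],
}

if __name__ == "__main__":
    print(resolve_access(KEYCLOAK_CLAIMS, "keycloak", "realm_access.roles",
                         MAPPINGS, ROLE_PERMISSIONS))
    print(resolve_access(ENTRA_CLAIMS, "entra", "roles", MAPPINGS, ROLE_PERMISSIONS))
```

Two details worth keeping: a disabled mapping contributes nothing even when the external role is present, and a conditional mapping that fails its condition silently drops that one role rather than rejecting the login, so the user still receives whatever the remaining matches grant.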
Managing Role Mappings
External role mappings can be managed via REST API (recommended) or config file.
REST API (Recommended)
```bash
# Create a mapping: external role → Enterprise role
curl -X PUT \
  'https://{host}/v1/waltid.tenant1.BW_ADMIN/roles-api/roles/external-mappings/tenant-admin' \
  -H 'Authorization: Bearer {token}' \
  -d '{"enabled": true}'
```
This maps the external role tenant-admin to the Enterprise role waltid.tenant1.BW_ADMIN.
Config File (Optional)
See auth.conf - External Role Mapping for config-based mappings.
Key Features
- Provider-agnostic — Works with any OIDC provider
- Conditional mappings — Restrict by email domain or provider
- Multi-tenant support — Different mappings per tenant
- Dynamic management — Create, update, delete via API (no restart needed)
Learn More
See the External Role Mapping section for complete documentation:
- Overview — Understand mapping concepts
- Configure IdP — Set up role claims in your IdP
- Create Mappings — Define mappings via API
- Manage Mappings — List, update, delete mappings
- Test Mappings — Verify mappings work
- Conditional Mappings — Add restrictions
IdP Configuration Requirements
For external role mapping to work, your IdP must include roles in the ID token. Common configurations:
| Provider | Role Claim Location |
|---|---|
| Keycloak | realm_access.roles |
| Azure AD | roles or groups |
| Okta | groups claim |
| Auth0 | Custom claims via Actions |
See Configure IdP for detailed setup instructions for each provider.
Related
- Auth configuration (auth.conf) — Complete auth.conf reference
- External Role Mapping — Complete mapping documentation
- RBAC Model
- Roles
- Permissions
