Set up and Configure User Authentication for PoolParty Users Managed with a Third-Party IDP in Keycloak
01/07/2025
To authenticate users who are managed with a third-party IDP in PoolParty, you have to configure Keycloak and a SAML or LDAP identity provider.
Keycloak handles user matching with IDP users primarily through its identity brokering and user federation features.
When a user logs in via an external IDP (such as SAML or OIDC), Keycloak can use:
Just-In-Time (JIT) Provisioning: If a user does not already exist in Keycloak, it can automatically create a new user account based on the information received from the IDP during the first login.
Attribute Mapping: Keycloak uses attribute mappers to match incoming user attributes (like email or username) from the IDP to existing Keycloak user records. If a match is found (e.g., by email), the existing user is linked; otherwise, a new user is created.
User Federation: Keycloak can connect to external user stores (LDAP, Active Directory) and match users based on configured attributes.
PoolParty relies on Keycloak for user management, and any user matching or creation logic is handled by Keycloak according to its configuration and the attributes provided by the IDP.
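The following Python example is added here and is not part of the PoolParty or Keycloak documentation. It reads a Keycloak realm export and reports, per identity provider, whether first-login (JIT) user creation is possible and which IDP attributes are mapped to Keycloak user attributes. The realm name, provider aliases and attribute names in the sample are constructed, and the two review notes are this example's own checks.

```python
import json

# Constructed sample: a trimmed Keycloak realm export (not from a real deployment).
SAMPLE_REALM = json.loads("""
{
  "realm": "poolparty-example",
  "identityProviders": [
    {"alias": "corp-saml", "providerId": "saml", "enabled": true,
     "trustEmail": true, "linkOnly": false,
     "firstBrokerLoginFlowAlias": "first broker login"},
    {"alias": "partner-saml", "providerId": "saml", "enabled": true,
     "trustEmail": false, "linkOnly": true,
     "firstBrokerLoginFlowAlias": "first broker login"}
  ],
  "identityProviderMappers": [
    {"name": "email", "identityProviderAlias": "corp-saml",
     "identityProviderMapper": "saml-user-attribute-idp-mapper",
     "config": {"attribute.name": "mail", "user.attribute": "email"}}
  ]
}
""")

def summarize_brokering(realm):
    """Return one summary per identity provider in a realm export."""
    mapped = {}
    for m in realm.get("identityProviderMappers", []):
        cfg = m.get("config", {})
        # Attribute mappers name the target Keycloak attribute in "user.attribute".
        if "user.attribute" in cfg:
            source = cfg.get("attribute.name") or cfg.get("attribute.friendly.name")
            mapped.setdefault(m["identityProviderAlias"], {})[cfg["user.attribute"]] = source
    report = []
    for idp in realm.get("identityProviders", []):
        attrs = mapped.get(idp["alias"], {})
        # A link-only provider cannot be used to log in, so it never creates users.
        jit = idp.get("enabled", True) and not idp.get("linkOnly", False)
        review = []
        if jit and idp.get("trustEmail", False):
            review.append("IDP-supplied email is accepted as verified")
        if jit and "email" not in attrs:
            review.append("no attribute mapper populates email")
        report.append({"alias": idp["alias"], "jit_provisioning": jit,
                       "first_login_flow": idp.get("firstBrokerLoginFlowAlias"),
                       "mapped_attributes": attrs, "review": review})
    return report

if __name__ == "__main__":
    for row in summarize_brokering(SAMPLE_REALM):
        print(json.dumps(row, indent=2))
```

To run it against a real realm, load the exported JSON file with json.load and pass the result to summarize_brokering.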
With SSO in place, the user authentication setup and configuration process is automated. The user logs in the same way as to any other software using their SSO. On their first login they have to provide the respective credentials; afterwards, user mapping is performed automatically. This requires prior configuration that enables information exchange between Keycloak and the IDP.
For more information on how to configure authentication for users coming from a third-party SAML IDP, refer to Setup SAML Authentication for PoolParty in Keycloak, SAML and PoolParty, SAML IDP and Keycloak Workflow in PoolParty, Setup a SAML Identity Provider Mapper in Keycloak and Frequently Reported SAML Issues.
For more information on how to configure authentication for users coming from an LDAP store, refer to Configure LDAP Integration.