You can have Infisical automatically sync group memberships between Keycloak and Infisical by configuring a group membership mapper in Keycloak. When a user logs in via OIDC, they are added to the Infisical groups whose names exactly match the group names in their Keycloak groups claim, and removed from any Infisical groups that are not present in that claim.
When enabled, manual management of Infisical group memberships is disabled: the groups claim from Keycloak becomes the single source of truth for a user's memberships.
Group membership changes in Keycloak are only synced to Infisical when the user logs in via OIDC. For example, if you remove a user from a group in Keycloak, the change is not reflected in Infisical until that user's next OIDC login. Logging in by another method does not trigger a sync, so Infisical recommends enabling Enforce OIDC SSO in the OIDC settings to make sure every login goes through OIDC and picks up the current group memberships.
1. Configure a group membership mapper in Keycloak
1.1. In your realm, navigate to the Clients tab and select your Infisical client.
1.2. Select the Client Scopes tab.
1.3. Next, select the dedicated scope for your Infisical client.
1.4. Click on the Add mapper button, and select the By configuration option.
1.5. Select the Group Membership option.
1.6. Give your mapper a name and ensure the following properties are set as follows before saving:
  • Token Claim Name is set to groups
  • Full group path is disabled (with it enabled, Keycloak emits path values such as /engineering instead of engineering, which will never match an Infisical group name)
2. Set up groups in Infisical and enable OIDC Group Membership Mapping
2.1. In Infisical, create any groups you would like to sync users to. Make sure the name of each Infisical group is an exact match of the corresponding Keycloak group name.
2.2. Next, enable OIDC Group Membership Mapping on the Single Sign-On (SSO) page under the General tab.
2.3. The next time a user logs in via OIDC, their Infisical group memberships are synced to their matching Keycloak groups.
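To see what the mapper above actually puts in the token and how the exact-name matching plays out, here is an added, self-contained Python example. It is not Infisical's code or Keycloak's; it constructs a sample set of ID token claims (the issuer URL, subject and usernames are made up), decodes the payload the way a relying party would, and computes which Infisical memberships would be added and removed. It also shows the two failure modes worth checking: a token with Full group path still enabled (values like /engineering, which never match a plain group name) and a token with no groups claim at all, which this example refuses to reconcile rather than stripping every membership; that refusal is the example's own defensive choice, not documented Infisical behaviour. Treating matches as case-sensitive is likewise an assumption of the example.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample claims, shaped like the payload of an ID token Keycloak
# issues once a Group Membership mapper (Token Claim Name "groups", Full group
# path disabled) is attached to the client's dedicated scope. Issuer, subject
# and username are made up for this example.
SAMPLE_CLAIMS: Dict[str, object] = {
    "iss": "https://keycloak.example.com/realms/acme",
    "sub": "2c1f6a0e-9b7d-4d33-8f3e-1d2a5c7e9b01",
    "preferred_username": "alice",
    "groups": ["engineering", "security"],
}


def encode_segment(claims: Dict[str, object]) -> str:
    """Base64url-encode a JWT payload the way Keycloak does (no '=' padding)."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_segment(segment: str) -> Dict[str, object]:
    """Decode one base64url JWT segment, restoring the padding base64 requires."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def groups_from_claims(claims: Dict[str, object], claim_name: str = "groups") -> Optional[List[str]]:
    """Extract the Keycloak group names from the token claims.

    Returns None when the claim is missing entirely (mapper not attached), so the
    caller can refuse to reconcile instead of removing every membership. Raises
    when Full group path looks enabled: "/engineering" can never equal an
    Infisical group named "engineering".
    """
    value = claims.get(claim_name)
    if value is None:
        return None
    if not isinstance(value, list) or not all(isinstance(g, str) for g in value):
        raise ValueError(f"claim {claim_name!r} must be a JSON array of strings, got {value!r}")
    paths = [g for g in value if g.startswith("/")]
    if paths:
        raise ValueError(f"claim {claim_name!r} carries full group paths {paths}; disable Full group path on the mapper")
    return value


@dataclass
class SyncPlan:
    add: List[str] = field(default_factory=list)        # Infisical groups the user joins
    remove: List[str] = field(default_factory=list)     # Infisical groups the user leaves
    unmatched: List[str] = field(default_factory=list)  # Keycloak groups with no Infisical group of that name


def plan_sync(claim_groups: Iterable[str], current: Iterable[str], infisical_groups: Iterable[str]) -> SyncPlan:
    """Reconcile a user's Infisical memberships against their groups claim.

    Matching is exact; this example treats it as case-sensitive (an assumption).
    Keycloak groups with no Infisical counterpart are reported, never created.
    """
    claimed: Set[str] = set(claim_groups)
    existing: Set[str] = set(infisical_groups)
    member: Set[str] = set(current)
    target = claimed & existing
    return SyncPlan(
        add=sorted(target - member),
        remove=sorted(member - target),
        unmatched=sorted(claimed - existing),
    )


def sync_from_token_segment(segment: str, current: Iterable[str], infisical_groups: Iterable[str]) -> SyncPlan:
    """Decode the payload segment and produce a plan; abort if the groups claim is absent."""
    groups = groups_from_claims(decode_segment(segment))
    if groups is None:
        raise ValueError("no groups claim in token; check the mapper is on the client's dedicated scope")
    return plan_sync(groups, current, infisical_groups)


if __name__ == "__main__":
    segment = encode_segment(SAMPLE_CLAIMS)
    # alice is currently in "platform" and "engineering" in Infisical; "security" exists but she is not in it yet.
    plan = sync_from_token_segment(
        segment,
        current={"platform", "engineering"},
        infisical_groups={"engineering", "security", "platform"},
    )
    print(plan)  # SyncPlan(add=['security'], remove=['platform'], unmatched=[])
```

Run it as a script to see the plan for the constructed token. The unmatched list is the one to watch after enabling the mapping: a non-empty value means a Keycloak group name and an Infisical group name differ (case, spacing, or a leading slash from Full group path) and the user will silently not be added.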