Configure role-based access control for brokered users

This guide describes the steps required to implement role-based access control (RBAC) for users logging in via identity brokering, using the VSHN SSO as an example. We configure RBAC for the roles we’ve mapped in the role mapping how-to. This guide assumes that you’ve already configured the brokering itself and suitable role mappings.

This page is a work in progress and doesn’t contain the final configuration at this time.

For the purpose of this guide, we’ll use the following names. Adjust them as needed:

Key Description

Foreign Keycloak hostname


The display name of the identity provider in APPUiO IdP


Realm within APPUiO IdP


  • Installed APPUiO IdP

  • Logged in to APPUiO IdP as Administrator

  • Brokering with configured

  • Role mappings from claims provided by configured

Create post-login flow

  1. Select realm appuio-cloud in APPUiO IdP.

  2. Go to "Authentication" and create a new flow:

    Alias = VSHN SSO post-login
    Description = Check user roles after brokered login via
    Top Level Flow Type = generic
  3. Add the "Browser Redirect/Refresh" execution to the flow.

  4. Add a new sub-flow:

    Alias = check user roles VSHN SSO
    Flow Type = generic
  5. Set the sub-flow as CONDITIONAL.

  6. Add a "Condition - User Role" execution to the sub-flow (Actions → Add Flow on the sub-flow) for each role that should have access. For VSHN AG’s APPUiO Cloud, configure a "Condition - User Role" execution for each of the realm roles vshneer-zone-access and appuio-zone-access.

    Configuration (Actions → Config)
    Alias = vshneer-access (1)
    User role = vshneer-zone-access (2)
    Negate output = On (3)

    (1) Choose a name that describes the role you’re checking for.
    (2) Select the realm role to check for.
    (3) We negate the output because we want to stop processing conditions if the user trying to log in has the specified role.
  7. Add a "Deny Access" execution to the sub-flow. This blocks access for all users who have none of the roles configured in the previous step.

  8. Mark all the executions in the sub-flow as REQUIRED.
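
The decision logic of the sub-flow built in steps 4 to 8, as an added example that is not part of the original guide and is not Keycloak's own code: a simplified Python model, assuming a CONDITIONAL sub-flow runs only when all of its condition executions evaluate to true. It goes slightly beyond the guide by also evaluating the same flow with "Negate output" left Off, which shows that this misconfiguration lets users without any role through. The user names and role sets are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleCondition:
    """One "Condition - User Role" execution of the sub-flow."""
    role: str
    negate: bool = True  # "Negate output = On", as configured in step 6

    def matches(self, user_roles: set) -> bool:
        has_role = self.role in user_roles
        return (not has_role) if self.negate else has_role


def sub_flow_runs(conditions, user_roles) -> bool:
    # Modelled rule (assumption of this example): a CONDITIONAL sub-flow is
    # executed only when every condition execution in it evaluates to true.
    return all(c.matches(user_roles) for c in conditions)


def login_allowed(conditions, user_roles) -> bool:
    # The only non-condition execution in the sub-flow is "Deny Access",
    # so the login is rejected exactly when the sub-flow runs.
    return not sub_flow_runs(conditions, user_roles)


GUIDE_FLOW = [RoleCondition("vshneer-zone-access"),
              RoleCondition("appuio-zone-access")]
# Misconfiguration for comparison: "Negate output" left Off on both conditions.
NOT_NEGATED = [RoleCondition(c.role, negate=False) for c in GUIDE_FLOW]

# Constructed sample users: realm roles held after the broker role mappings ran.
SAMPLE_USERS = {
    "vshneer": {"vshneer-zone-access"},
    "customer": {"appuio-zone-access"},
    "both": {"vshneer-zone-access", "appuio-zone-access"},
    "no-roles": set(),
    "unrelated": {"offline_access"},
}


def decisions(conditions) -> dict:
    """Map each sample user to True (login proceeds) or False (denied)."""
    return {name: login_allowed(conditions, roles)
            for name, roles in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for label, flow in (("as in guide", GUIDE_FLOW), ("negate off", NOT_NEGATED)):
        print(f"{label:12} {decisions(flow)}")
```

With the guide's settings, any one of the listed roles is enough to pass; with negation off, only users holding every listed role are denied and everyone else passes.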

Configure the post-login flow on the VSHN SSO Identity Provider

  1. Go to "Identity Providers" and select "VSHN SSO" from the list.

  2. Set the post-login flow:

    Post Login Flow = VSHN SSO post-login
  3. Save the Identity Provider.