# LDAP Integration

## Integration Options

Seldon Enterprise Platform integrates with Single Sign-On (SSO) providers for authentication.

The SSO system may also host the identities, or it may integrate to an identity provider (IdP). The IdP is often a source of truth for users across the organisation.

User details can be used for [filtering/restricting visibility of namespaces](/seldon-enterprise-platform/operations/namespace-setup.md#authorization-policies). Filtering is either by user or by group.

For group-based filtering to work, group information must be available. It comes from an IdP, but not all IdPs support groups, and not all of those that do expose them when integrated with the SSO system.

Here is a list from the Dex documentation (see [their docs](https://github.com/dexidp/dex#connectors) for latest):

![Groups](/files/a91NxXLZf6WpNIuvFCOV)

If groups are to be used, we suggest integrating either Keycloak or Dex with LDAP. See, for example:

* [Keycloak LDAP integration example](https://documentation.abas.cloud/en/abas-keycloak/setup-user-federation-ldap.html)
* [Dex LDAP integration example](https://v1-2-branch.kubeflow.org/docs/started/k8s/kfctl-istio-dex/#log-in-with-ldap--active-directory)

Or search the official documentation of those products for the latest details.

## Debugging Keycloak/Groups

Keycloak is currently the most common choice of identity provider for integrating with LDAP.

If it is configured correctly you should be able to [filter namespaces by group permissions](/seldon-enterprise-platform/operations/namespace-setup.md#authorization-policies).

If you are not sure whether groups are coming through, go to the About page in Enterprise Platform and check whether a group is shown for your user. In this example the group is Data Scientist:

![UserAbout](/files/hwx4c9z8H3M2dTslvwXj)

Then open another window and log in to Keycloak as an admin user. Go to 'Sessions':

![Sessions](/files/knqZ3TWbB6mMaYx0Yioh)

Click into the Session and click 'Show Sessions':

![ShowSessions](/files/WNvIKdFEFQpCrxHHGbhf)

Click into that and then go to Groups:

![KeycloakGroups](/files/WNvIKdFEFQpCrxHHGbhf)

This will tell you whether the Groups are coming through at a Keycloak level.

You can also get the full token from Seldon Enterprise Platform. To do this, open the browser's network tab with 'Preserve log' turned on, then log out of your session. You should see a logout request containing the token:

![TokenDetails](/files/5hh0ZU90LuRadkqqx5fW)

If you paste the value of the `id_token_hint` parameter into [jwt.io](https://jwt.io/) you can see the token's claims, including groups.

![JWT](/files/G4A3hYDnqtkhYXDcJhtk)

If Keycloak has the groups but the token does not, then it is likely the 'groups' scope is missing in the `OIDC_SCOPES` environment variable in the Seldon Enterprise Platform Helm configuration.

Note that there needs to be a client scope for groups in the Keycloak admin console, with a mapper of type 'Group Membership' attached to it. The scope name and the token claim name should both be 'groups'. Disable 'Full group path', otherwise group names arrive with a leading path (for example `/Data Scientist`) and will not match the names used in the namespace authorization policies.

The groups scope also has to be added as a client scope in the Keycloak client configuration for the client used by Seldon Enterprise Platform.
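To run the same check without a browser tool, the following added Python script (not part of Seldon's or Keycloak's code) decodes the payload of an `id_token_hint` the way jwt.io does and reports whether a `groups` claim is present and whether the names carry a full group path. The sample token, its issuer URL and user are constructed for illustration; the script never verifies the signature, so it is for inspection only.

```python
import base64
import json

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for exercising the diagnostics below.
    The signature segment is a placeholder; nothing here verifies it."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "sig-placeholder"])

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    This mirrors what jwt.io displays and is for debugging only; never use
    unverified claims to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose_groups(token: str) -> dict:
    """Report whether the token carries group membership in a usable form."""
    groups = decode_claims(token).get("groups")
    if groups is None:
        return {"status": "missing", "groups": [],
                "hint": "no 'groups' claim: add 'groups' to OIDC_SCOPES and check "
                        "the Keycloak client scope and Group Membership mapper"}
    full_path = [g for g in groups if isinstance(g, str) and g.startswith("/")]
    if full_path:
        return {"status": "full-path", "groups": groups,
                "hint": "group names carry a path prefix: disable 'Full group path' "
                        "on the mapper so names match the namespace policies"}
    return {"status": "ok", "groups": groups, "hint": ""}

# Constructed sample token: issuer, subject and e-mail are made up.
SAMPLE_TOKEN = make_token({
    "iss": "https://keycloak.example.internal/realms/seldon",
    "sub": "alice", "email": "alice@example.com",
    "groups": ["Data Scientist"],
})

if __name__ == "__main__":
    print(json.dumps(diagnose_groups(SAMPLE_TOKEN), indent=2))
```

Replace `SAMPLE_TOKEN` with the `id_token_hint` value copied from the logout request to diagnose a real session.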
