User & Group Management
Users and groups are managed in Keycloak, a powerful, open source identity and access management solution. In the default configuration Cryptomator Hub provides its own Keycloak instance, but you can also integrate an existing instance.
You can reach the Keycloak management interface via the admin section of Hub.
Subgroups are not supported at this time.
Connect external IAM
As an alternative to managing users directly in Keycloak, you can connect Keycloak to another identity and access management solution (IAM) to keep your user management centralized. You can either only synchronize existing users and groups from your IAM (using LDAP or Active Directory) or delegate the authentication process entirely to your IAM via OpenID Connect or SAML.
Setting up LDAP synchronization is described in the Keycloak documentation. For OpenID Connect and SAML, the Keycloak documentation provides general information. A good step-by-step guide for connecting Microsoft Entra with OpenID Connect can be found here.
- LDAP: all users and groups are imported and synchronized with Keycloak, so they are available immediately after setup.
- OpenID Connect or SAML: users are unknown to Keycloak and Hub until they log in for the first time.
Regardless of your choice, your Keycloak instance always contains two local users:
syncer. Do not edit or delete them! The first one is for administration tasks and the second one is used to synchronize users and groups between Keycloak and Hub.