[keycloak-dev] Groups on SSSD Federation provider

Bruno Oliveira bruno at abstractj.org
Wed Dec 7 07:02:21 EST 2016

Good morning,

Today I was chatting with Marek, about this issue[1]. It pretty much
relates to my previous thread about having read-only groups/roles.

In summary, groups are not tightly coupled to Federation providers.
So, to prevent read-only users from joining/leaving groups, at
joinGroup and leaveGroup methods, thrown an exception,

This is pretty much fine. However, the admin still can edit
the group and it's not possible to synchronize it back to SSSD —
everything is read-only.

That said, I was thinking if we really should synchronize user's
groups coming from SSSD or not. Because the chances of having a
group/role mismatch because someone decided to change its name is

I can see two alternatives:

1. Never synchronize user's group from SSSD. We cannot synchronize it
back and I'm not sure how this information is relevant into our context.
For authentication with PAM, we don't need this information.

2. We keep it and permit the admin to change, but internally we preserve
the original name synchronized from SSSD. Maybe make the original name,
the id.


[1] - https://issues.jboss.org/browse/KEYCLOAK-3904


PGP: 0x84DC9914

More information about the keycloak-dev mailing list