[keycloak-dev] Groups on SSSD Federation provider

Marek Posolda mposolda at redhat.com
Thu Dec 8 07:14:40 EST 2016

Yes, the thing is that we don't have anything like federation of groups 
or roles. And not sure if we need that as it will be lots of overhead 
and corner cases around this IMO.

My vote is something like your solution 2. Maybe the group can have 
attribute like "userStorage.<storageID>.id", which will contain the 
identificator of particular group specific to particular userStorage 
provider. In case of LDAP, it will be either LDAP UUID or LDAP DN of 
that group. In case of SSSD probably something similar?

Note: I think we need the "storageID" element in the attribute name too 
as single Keycloak group "group1" can be used in group mappings of users 
from more userStorage providers.


On 08/12/16 02:01, Bruno Oliveira wrote:
>> If you're talking about the actual groups changing (their names or
>> >whatever), that's a similar problem we have with our regular LDAP adapter.
>> >
> That's exactly what I meant.  It's a problem that from my undestanding we
> don't have a
> solution now. At the same time, I'm afraid that people start to change
> groups' name
> and create several mismatches between KC database and IPA. For example:
> group1 coming from IPA, is edited to group2 on Keycloak. On the next login,
> SSSD federation
> identifies that group1 does not exist and try to synchronize it again. Now
> we have 2 groups.

More information about the keycloak-dev mailing list