[keycloak-dev] Groups on SSSD Federation provider
Bill Burke
bburke at redhat.com
Thu Dec 8 09:22:41 EST 2016
On 12/8/16 7:14 AM, Marek Posolda wrote:
> Yes, the thing is that we don't have anything like federation of
> groups or roles. And not sure if we need that as it will be lots of
> overhead and corner cases around this IMO.
>
I thought about doing that, but you still have the same synchronization
issues.
Alternatively, LDAP and SSSD could just map groups into UserModel
attributes, then the SAML and OIDC mappers could just map those user
attributes into role mappings in the token or assertion.
> My vote is something like your solution 2. Maybe the group can have
> attribute like "userStorage.<storageID>.id", which will contain the
> identificator of particular group specific to particular userStorage
> provider. In case of LDAP, it will be either LDAP UUID or LDAP DN of
> that group. In case of SSSD probably something similar?
>
Should groups and roles instead have a federationLink (which points to
the provider) and maybe also a federationIdentifier (which can contain
things like LDAP UUID) as first class properties? Then, you can search
for roles and groups based on those properties so you can synchronize them.
Bill
More information about the keycloak-dev
mailing list