[keycloak-user] Role to claim mapping

Bill Burke bburke at redhat.com
Tue Sep 29 16:53:07 EDT 2015

On 9/29/2015 3:42 PM, Gonzalo López wrote:
> I'm trying to test the Identity broker to achieve cross domain sso, this
> is what I have done:
> 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in host A
> 2 - Installed jboss 6.4 eap + keycloak in host B
> 3 - In host A, I added an oidc Identity Provider (importing host B
> openid connect configuration).
> 4 - In host A, I created an application (appa.war) that will try to use
> the broker to authenticate. I added security to the app (only user with
> role "user" will be able to access some parts)
> 5 - In host B, I added 2 oidc clients (the broker from host A and appb,
> appb (appb.war) is a simple application developed to log in using oidc)
> 6 - In host B, I created a role "testrole" inside appb and a user
> "testuser", then I added that role to the user.
> I couldn't find out how to map the role "testrole" to a claim that will
> be sent to the broker once the user has authenticated. Is there a way to
> do that?
> After I accomplish that I plan to map that claim to the role appa.user.

OIDC and SAML Identity Providers have mappers.  Host A broker will 
receive the token from Host B.  You can map the testrole to whatever 
claim you want.

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-user mailing list