[keycloak-user] Active Directory Federated Services SAML Identity Provider; Pass groups thru

Jason Hobbs jason.hobbs at shawinc.com
Mon Apr 18 13:04:25 EDT 2016


I'm trying to use ADFS as a SAML identity provider, then use OIDC to
authenticate an application on JBoss EAP.

The IDP redirects to AD and back to Keycloak seem to work fine, and a list
of groups is provided as an assertion.  When I debug within the protected
application, however, the groups from the SAML assertion are not passed
through.  If I make a role in Keycloak and manually assign it to a user, it
does get passed through.

Is this something that should be supported and I'm just not configuring
something right?

Environment: Keycloak 1.9.2.Final running on OpenShift Enterprise 3.1.

----

Jason Hobbs

Lead Engineer Shop Floor Systems

Email: Jason.Hobbs at shawinc.com  |  Office: (706) 532-3858  |  Calendar
<https://www.google.com/calendar/embed?src=jason.hobbs@shawinc.com&ctz=America/New_York&mode=week&pli=1>
Shaw Industries Group Inc.  |  201 S. Hamilton St., Dalton, GA 30720  |  MD
0IS-01  |  shawfloors.com

