[keycloak-user] Composite roles and user federation with LDAP as external user storage

FREIMUELLER Christian Christian.FREIMUELLER at frequentis.com
Tue Jul 26 05:29:52 EDT 2016


Dear all,

I have a question regarding the User Storage Federation (https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/user-federation.html) with respect to LDAP as an external user database and the available mappers.

Current situation:
Right now I'm able to map roles that are assigned to users and defined in LDAP into Keycloak with the existing Role Mapper, e.g. an Administrator/User role for a specific application.

The JWT output then contains a section like this:

"resource_access": {
    "myApp": {
      "roles": [
        "Administrator"
      ]
    }
}


Desired solution:
Is it possible out of the box to use the existing Role Mapper, as described in the chapter https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/user-federation/ldap.html, to map composite roles defined in Keycloak to LDAP?
The thing is, in the end I want to define composite roles in LDAP that collect finer user rights into certain "container" roles (like User, Editor, Administrator), map them to Keycloak together with the finer-grained rights, and so provide the granted user rights in the JWT.

e.g.
Rights/Roles:
- read page
- edit page
- delete page
- create page

Composite Roles:
- User = {read page}
- Editor = {read page, create page, edit page}
- Administrator = {read page, delete page}


The final result in the JWT should then contain a section something like the following, where the composite role is automatically resolved into the more specific single rights:

"resource_access": {
    "myApp": {
      "roles": [
        "read page",
        "delete page"
      ]
    }
}

Or is Keycloak designed in such a way that the finer rights can be stored in LDAP but the composition is done afterwards in Keycloak?

Thanks,
Christian
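As an added illustration that is not part of the post and not Keycloak's own code, the following Python resolves the composite roles listed in the e-mail into the effective set of rights that the question expects to see in the token. The role table is constructed from the message, the client id "myApp" is taken from the token excerpt, and whether the container role itself stays in the list next to the rights it expands to is left as a flag, since that is an assumption about what the consuming client wants. The walk is a transitive closure, so it also covers composites that contain other composites, and a visited set keeps a misconfigured cycle (A contains B, B contains A) from looping.

```python
"""Resolve composite roles into the effective roles placed in a token claim.

Added example modelling the scenario in the post: a user holds a
"container" role such as Administrator, which is composed of finer rights,
and the token should carry the expanded rights. Not Keycloak code.
"""
from __future__ import annotations

import json

# Constructed from the e-mail: composite role -> directly contained roles.
# Leaf rights ("read page", ...) have no entry here.
COMPOSITES: dict[str, set[str]] = {
    "User": {"read page"},
    "Editor": {"read page", "create page", "edit page"},
    "Administrator": {"read page", "delete page"},
}


def effective_roles(granted: set[str], composites: dict[str, set[str]],
                    keep_composites: bool = True) -> set[str]:
    """Return the transitive closure of `granted` under `composites`.

    Composites may nest (a composite containing another composite) and may
    form a cycle through misconfiguration; `seen` stops the walk from
    looping. `keep_composites` decides whether the container roles remain
    in the result alongside the rights they expand to (assumption: which
    variant is wanted depends on the client consuming the token).
    """
    result: set[str] = set()
    seen: set[str] = set()
    stack = list(granted)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        children = composites.get(role)
        if children is None:
            result.add(role)  # leaf right, emitted as-is
            continue
        if keep_composites:
            result.add(role)
        stack.extend(children)
    return result


def resource_access_claim(client_id: str, granted: set[str],
                          composites: dict[str, set[str]] = COMPOSITES,
                          keep_composites: bool = True) -> dict:
    """Build a "resource_access" fragment shaped like the excerpt in the post.

    Roles are sorted so the output is stable and easy to compare.
    """
    roles = sorted(effective_roles(granted, composites, keep_composites))
    return {"resource_access": {client_id: {"roles": roles}}}


if __name__ == "__main__":
    # Administrator expanded to its rights only, as the question asks for.
    claim = resource_access_claim("myApp", {"Administrator"},
                                  keep_composites=False)
    print(json.dumps(claim, indent=2))
```

Running the module prints the "read page"/"delete page" variant from the question; passing keep_composites=True instead yields the container role together with its rights.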
