[keycloak-user] Hardcoded role mappers in user federation provider - roles not applied
Edgar Vonk - Info.nl
Edgar at info.nl
Thu Nov 24 10:18:40 EST 2016
We are struggling with the hardcoded role mapper in Keycloak 2.3.0.Final.
What we have is a User Federation provider that connects to MSAD/LDAP with:
- a hardcoded role mapper that adds role X
- a hardcoded role mapper that adds role Y
- a role mappings mapper that maps all LDAP groups in a certain DN to predefined roles in Keycloak; now the thing is: these LDAP groups map to the very same predefined roles X and Y
My first question: is this setup supposed to work? Do the hardcoded role mappers play nicely with a role mappings mapper when they use the same roles?
What we see is so far kind of unpredictable. Sometimes users end up with role X, sometimes with no role at all, etc.
What I think is happening is:
- the mappers are applied in random order in Keycloak (is this the case?)
- the role mappings mapper may remove roles X and/or Y if they are applied to a hardcoded role mapper if it happens to be applied last?
More information about the keycloak-user