[keycloak-user] Hardcoded role mappers in user federation provider - roles not applied

Edgar Vonk - Info.nl Edgar at info.nl
Tue Nov 29 04:15:07 EST 2016

Hi Marek,

I have created https://issues.jboss.org/browse/KEYCLOAK-3994. Hope it’s clear enough.



On 25 Nov 2016, at 10:11, Marek Posolda <mposolda at redhat.com> wrote:

On 24/11/16 16:18, Edgar Vonk - Info.nl wrote:
Hi all,

We are struggling with the hardcoded role mapper in Keycloak 2.3.0.Final.

What we have is a User Federation provider that connects to MSAD/LDAP with:
- a hardcoded role mapper that adds role X
- a hardcoded role mapper that adds role Y
- a role mappings mapper that maps all LDAP groups in a certain DN to predefined roles in Keycloak; now the thing is: these LDAP groups map to the very same predefined roles X and Y

My first question: is this setup supposed to work? Do the hardcoded role mappers play nicely with a role mappings mapper when they use the same roles?

What we see is so far kind of unpredictable. Sometimes users end up with role X, sometimes with no role at all, etc.

What I think is happening is:
- the mappers are applied in random order in Keycloak (is this the case?)
Yes, it is. I was thinking about adding priority, but didn't do it yet. Could you please create a JIRA?

- the role mappings mapper may remove roles X and/or Y that were applied by a hardcoded role mapper, if it happens to be applied last?

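A small Python model of the ordering problem described in this thread, added here as an illustration; it is not Keycloak code and not from the thread. It assumes the behaviour hypothesised above (the role mappings mapper makes the user's mapped roles match the LDAP groups and so drops X/Y when LDAP does not grant them); the group DNs, function names and the priority scheme are made up.

```python
from itertools import permutations

# Constructed sample data: two LDAP groups that map to the same predefined
# realm roles X and Y that the two hardcoded role mappers also add.
GROUP_X = "cn=groupX,ou=groups,dc=example,dc=com"
GROUP_Y = "cn=groupY,ou=groups,dc=example,dc=com"
GROUP_TO_ROLE = {GROUP_X: "X", GROUP_Y: "Y"}


def hardcoded_role_mapper(role):
    """Model of a hardcoded role mapper: unconditionally grants one role."""
    def apply(user_roles, ldap_groups):
        return user_roles | {role}
    apply.__name__ = f"hardcoded({role})"
    return apply


def role_mappings_mapper(group_to_role):
    """Model of the role mappings mapper under the thread's hypothesis: the
    roles it manages end up exactly as LDAP group membership dictates, so a
    managed role the user holds but LDAP does not grant is removed."""
    managed = set(group_to_role.values())
    def apply(user_roles, ldap_groups):
        from_ldap = {group_to_role[g] for g in ldap_groups if g in group_to_role}
        return (user_roles - managed) | from_ldap
    apply.__name__ = "role_mappings"
    return apply


MAPPERS = [hardcoded_role_mapper("X"), hardcoded_role_mapper("Y"),
           role_mappings_mapper(GROUP_TO_ROLE)]


def run_pipeline(mappers, ldap_groups):
    """Apply the mappers in the given order to a user with no roles yet."""
    roles = set()
    for mapper in mappers:
        roles = mapper(roles, ldap_groups)
    return frozenset(roles)


def outcomes_over_all_orders(mappers, ldap_groups):
    """Final role set for every possible mapper order; more than one distinct
    value means the result depends on the (random) order, as the thread observes."""
    return {tuple(m.__name__ for m in order): run_pipeline(order, ldap_groups)
            for order in permutations(mappers)}


def is_order_dependent(mappers, ldap_groups):
    return len(set(outcomes_over_all_orders(mappers, ldap_groups).values())) > 1


def run_with_priority(mappers, priorities, ldap_groups):
    """Deterministic variant (what the JIRA asks for): lower priority runs first."""
    return run_pipeline(sorted(mappers, key=lambda m: priorities[m.__name__]), ldap_groups)
```

With the hardcoded mappers given a higher priority than the role mappings mapper, the user keeps X and Y regardless of LDAP membership; without priorities the same user can end with both, one, or neither.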

