[keycloak-user] External Role to Role Mapper

Adam Keily adam.keily at adelaide.edu.au
Tue Apr 25 20:22:29 EDT 2017


Thanks. In the JIRA for KEYCLOAK-4378 it's mentioned that the same issue would exist with OIDC. I'm just wondering if it's expected behaviour or not for the Role to Role mapper. I'd like to have one keycloak realm act as an IdP for another and would like to map roles between the two.

Thanks

-----Original Message-----
From: Hynek Mlnarik [mailto:hmlnarik at redhat.com]
Sent: Thursday, 20 April 2017 6:06 PM
To: Adam Keily <adam.keily at adelaide.edu.au>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] External Role to Role Mapper

Could you please file a JIRA issue? The External Role to Role mapper is OIDC-specific, while KEYCLOAK-4378 fixed an issue with the SAML attribute mapper.

--Hynek

On Thu, Apr 20, 2017 at 7:48 AM, Adam Keily <adam.keily at adelaide.edu.au> wrote:
> Found this and thought it may have been resolved in 2.5.5. Upgraded and tested again but Role mappings are still not being updated correctly.
>
> https://issues.jboss.org/browse/KEYCLOAK-4378?jql=project%20%3D%20keycloak%20and%20fixVersion%20%3D%202.5.4.Final
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org
> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Adam Keily
> Sent: Thursday, 20 April 2017 11:59 AM
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: [keycloak-user] External Role to Role Mapper
>
> Hi All,
>
> I'm running KC 2.5.1. In the following scenario, the role mapper 'External Role to Role' doesn't seem to work correctly.
>
> I have two KC realms. Realm A is an IdP for Realm B. In the IdP config on realm B, I configure an External Role to Role mapper to map the role "Test".
>
> During the first broker login of a user from Realm B to Realm A, the user is created and the role is mapped successfully.
>
> If the role is removed from the user in Realm A, and then the user signs in again from Realm B, the role is not re-added.
>
> Similarly, the role is not added if there is an existing user in Realm A and they create a federation link with Realm B.
>
> I have noticed an error though if I try to map to a non-existent role in Realm A.
>
> Can anyone tell me if this is by design, resolved in a later release or an issue I should raise a JIRA about?
>
> Thanks
> Adam
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


