[keycloak-user] basic saml attribute send question

Hynek Mlnarik hmlnarik at redhat.com
Wed May 24 09:10:13 EDT 2017


You can set up "LDAP Filter" in the group-ldap-mapper configuration to
restrict the groups returned by this query:

"LDAP Filter adds additional custom filter to the whole query for
retrieve LDAP groups. Leave this empty if no additional filtering is
needed and you want to retrieve all groups from LDAP. Otherwise make
sure that filter starts with '(' and ends with ')'"

--Hynek

On Tue, May 23, 2017 at 12:33 PM, lists <lists at merit.unu.edu> wrote:
> Hi,
>
> Running keycloak 2.5.0 with AD federation provider. We configured the
> group-ldap-mapper, this all works beautifully.
>
> Created a simplesamlphp test page, and all AD groups memberships are
> displayed in a list after a successful logon. Good start.
>
> But now, to make this more secure and confidential, we would like to NOT
> display ALL groups after login, but only send specific SAML attributes,
> depending on group memberships.
>
> So suppose a user is member of AD group1, group2 and group3. We would
> like to make a config to send attribute "group1", but keep the rest of
> the groups hidden.
>
> I'm sure this is _very_ basic functionality... But can anyone give us some
> pointers/keywords how to do this..?
>
> Best regards,
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
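
Added example (not code from this thread or from Keycloak) illustrating the
advice above: the mapper's custom "LDAP Filter" is ANDed onto Keycloak's own
group query, so any AD group that does not pass it is never imported into
Keycloak and therefore never shows up as a SAML attribute. The composition
`(&(objectClass=group)<custom>)` is an assumption about how that query is
built, the AD entries are constructed test data, and the parser only covers
the filter features a group allow-list needs. It also enforces the help-text
rule that a non-empty filter starts with '(' and ends with ')', and escapes
group names per RFC 4515 so a name like "Sales (EMEA)" cannot break the filter.

```python
"""Added example, not from the original thread or from Keycloak: a model of the
group-ldap-mapper "LDAP Filter". The composition (&(objectClass=group)<custom>)
is an assumption about Keycloak's group query; the entries are constructed."""
import re

# Constructed AD-style entries (attribute names lower-cased for lookup).
AD_ENTRIES = [
    {"cn": "group1", "objectclass": ["top", "group"]},
    {"cn": "group2", "objectclass": ["top", "group"]},
    {"cn": "group3", "objectclass": ["top", "group"]},
    {"cn": "Domain Admins", "objectclass": ["top", "group"]},
    {"cn": "Sales (EMEA)", "objectclass": ["top", "group"]},
    # A user object sharing a group's name: the objectClass clause must still exclude it.
    {"cn": "group1", "objectclass": ["top", "person", "user"]},
]


def validate_custom_filter(f):
    """Help-text rule: empty, or exactly one balanced '(...)' expression."""
    if f == "":
        return f
    if not (f.startswith("(") and f.endswith(")")):
        raise ValueError("filter must start with '(' and end with ')'")
    depth = 0
    for i, ch in enumerate(f):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(f) - 1):
                raise ValueError("filter must be a single parenthesised expression")
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return f


def is_valid_custom_filter(f):
    try:
        validate_custom_filter(f)
        return True
    except ValueError:
        return False


def ldap_escape(value):
    """RFC 4515 escaping so '(' ')' '*' '\\' and NUL in a name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def allowlist_filter(group_names):
    """Custom filter admitting only the named groups (match on cn)."""
    clauses = "".join("(cn=%s)" % ldap_escape(n) for n in group_names)
    return clauses if len(group_names) == 1 else "(|%s)" % clauses


def parse_filter(s):
    """Minimal RFC 4515 parser: &, |, !, equality, presence and '*' substrings."""
    def parse(i):
        if s[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if s[i] in "&|":
            op, kids, i = s[i], [], i + 1
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
        elif s[i] == "!":
            node, i = parse(i + 1)
            op, kids = "!", [node]
        else:
            j = s.index(")", i)          # ')' inside values must be escaped as \29
            attr, value = s[i:j].split("=", 1)
            return ("=", attr.lower(), value), j + 1
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    node, end = parse(0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _match(pattern, actual):
    # '*' is a wildcard; the rest is literal after unescaping. AD compares case-insensitively.
    rx = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(rx, actual, re.IGNORECASE) is not None


def evaluate(node, entry):
    if node[0] == "&":
        return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(evaluate(k, entry) for k in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    return bool(values) if pattern == "*" else any(_match(pattern, v) for v in values)


def groups_imported(custom_filter, entries=AD_ENTRIES):
    """Group names the mapper would import under the modelled query composition."""
    query = "(&(objectClass=group)%s)" % validate_custom_filter(custom_filter)
    node = parse_filter(query)
    return sorted(e["cn"] for e in entries if evaluate(node, e))
```

With an empty filter every group is imported; with
`allowlist_filter(["group1", "Sales (EMEA)"])`, i.e.
`(|(cn=group1)(cn=Sales \28EMEA\29))`, only those two come through, and the
user object named "group1" is still excluded by the objectClass clause.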
