[keycloak-user] Mapping Claims from Identity providers

Konsulent Thomas Isaksen (TNO) thomas.isaksen at toyota.no
Wed Sep 4 09:52:39 EDT 2019


Hi Sebastian, 

I'm using Claim to Role importers on the Identity Provider; these are not updated unless I delete the user. Attribute importers are working fine, however.

./t

-----Original Message-----
From: Schuster Sebastian (INST-CSS/BSV-OS2) <Sebastian.Schuster at bosch-si.com> 
Sent: Tuesday 3 September 2019 19:08
To: Konsulent Thomas Isaksen (TNO) <thomas.isaksen at toyota.no>; keycloak-user at lists.jboss.org
Subject: RE: Mapping Claims from Identity providers

Hi Thomas,

This actually depends on the mapper you are using. For example, the OIDC ClaimToRoleMapper does update the user when he logs in (see https://github.com/keycloak/keycloak/blob/3fbfc6c7e61c2cf7cdc75fa8d75ca11757b8c862/services/src/main/java/org/keycloak/broker/oidc/mappers/ClaimToRoleMapper.java#L108);
others don't do that (e.g. https://github.com/keycloak/keycloak/blob/3fbfc6c7e61c2cf7cdc75fa8d75ca11757b8c862/services/src/main/java/org/keycloak/broker/provider/HardcodedRoleMapper.java#L87).
In the second case, I assume this might be a bug. 
The SAML AttributeToRoleMapper you are probably using should actually update the user on login, see https://github.com/keycloak/keycloak/blob/3fbfc6c7e61c2cf7cdc75fa8d75ca11757b8c862/services/src/main/java/org/keycloak/broker/saml/mappers/AttributeToRoleMapper.java#L140.

Best regards,
Sebastian

Best regards

Dr.-Ing. Sebastian Schuster

Open Source Services (INST-CSS/BSV-OS2) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com Tel. +49 30 726112-485 | Mobil +49 152 02177668 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Court of registration: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic



-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On behalf of Konsulent Thomas Isaksen (TNO)
Sent: Tuesday, 3 September 2019 13:59
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Mapping Claims from Identity providers

I have configured Azure as my identity provider and I am assigning roles to my users in Keycloak based on claims I get from Azure.
Once I have defined one or more Role Mappers and sign in with my Keycloak user for the first time, the mapping is done and working as expected; however, once I create additional mappings, the roles of the user are no longer updated. The only way to get an updated mapping is to delete my Keycloak user and sign in again.

I tried to look it up in the documentation:

Mapping Claims and Assertions
https://www.keycloak.org/docs/3.2/server_admin/topics/identity-broker/mappers.html

..
"Each new user that logs into your realm via an external identity provider will have an entry for it created in the local Keycloak database. The act of importing metadata from the SAML or OIDC assertions and claims will create this data with the local realm database."
...

Does this mean that I cannot expect new claim mappings to apply to existing users? Is there any way to do this?


(I did send this message in April but it never showed up in the mailing list)

--
Thomas Isaksen

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
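Sebastian's point above is that whether an existing brokered user's roles change on a later login depends entirely on the mapper's updateBrokeredUser implementation (a no-op there means a mapper added after the user's first login is never applied). The following is an added illustration, not code from this thread or from the Keycloak project: a hypothetical custom mapper whose updateBrokeredUser reconciles the role on every broker login, with the class name, provider id and display strings being assumptions.

```java
// Hypothetical mapper written for this illustration; not part of Keycloak.
import java.util.Arrays;
import java.util.List;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.mappers.AbstractClaimMapper;
import org.keycloak.broker.provider.*;   // BrokeredIdentityContext, ConfigConstants, IdentityBrokerException
import org.keycloak.models.*;            // IdentityProviderMapperModel, KeycloakSession, RealmModel, RoleModel, UserModel
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderConfigProperty;

public class SyncedClaimToRoleMapper extends AbstractClaimMapper {
    public static final String PROVIDER_ID = "example-synced-claim-to-role"; // hypothetical id

    // First broker login: the local Keycloak user is being created from the IdP identity.
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        reconcile(realm, user, mapperModel, context);
    }

    // Every later broker login: the hook that decides whether an existing user ever picks up
    // a mapper configured after their first login. Leaving this empty means "never".
    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        reconcile(realm, user, mapperModel, context);
    }

    // Grant the role when the configured claim matches, revoke it when it no longer does.
    private void reconcile(RealmModel realm, UserModel user,
                           IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
        // hasClaimValue() is inherited from AbstractClaimMapper and reads the CLAIM / CLAIM_VALUE config
        if (hasClaimValue(mapperModel, context)) {
            user.grantRole(role);
        } else {
            user.deleteRoleMapping(role);
        }
    }

    @Override public String[] getCompatibleProviders() { return new String[]{OIDCIdentityProviderFactory.PROVIDER_ID}; }
    @Override public String getDisplayCategory() { return "Role Importer"; }
    @Override public String getDisplayType() { return "Synced Claim to Role"; }
    @Override public String getHelpText() { return "Grants or revokes the role on every login, based on the claim."; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public List<ProviderConfigProperty> getConfigProperties() {
        return Arrays.asList(
            new ProviderConfigProperty(CLAIM, "Claim", "Claim name", ProviderConfigProperty.STRING_TYPE, null),
            new ProviderConfigProperty(CLAIM_VALUE, "Claim Value", "Required value", ProviderConfigProperty.STRING_TYPE, null),
            new ProviderConfigProperty(ConfigConstants.ROLE, "Role", "Role to grant", ProviderConfigProperty.ROLE_TYPE, null));
    }
}
```

The class is packaged as a provider JAR and registered through the usual META-INF/services entry for org.keycloak.broker.provider.IdentityProviderMapper; it targets the mapper interface as it existed around the linked commit and does not account for later interface changes.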

