<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Ouch, this is a bug<span
        class="moz-smiley-s2"><span> :-( </span></span><br>
      <br>
      Feel free to create a JIRA. <br>
      <br>
      The UserModel in Keycloak DB has each attribute modelled as one
      string value. But I think I can address it by using some
      delimiter and then having a protocol mapper for the access token,
      which will handle it. <br>
      <br>
      So for example if your LDAP user has 3 values of attribute
      "applications" with values "finance", "sales", "development", the
      attribute on the Keycloak UserModel will have a value like
      "finance###sales###development" (the sequence ### will be used as
      the delimiter), but for the access token it will be divided again. So
      in your application, you will be able to have something
      like:<br>
      <br>
      Set&lt;String&gt; applications =
      accessToken.getOtherClaims().getAttribute("applications");<br>
      <br>
      which will return a set with 3 values "finance", "sales",
      "development".<br>
      <br>
      Marek<br>
      <br>
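      Added example, not part of the original message and not Keycloak's own code: a sketch of the delimiter scheme described above, accepting either a single string or a collection (the sync in the quoted log failed on a TreeSet) and splitting the stored value back into a set. The class and method names are hypothetical; rejecting values that contain "###" or that start or end with "#" is an assumption added here so that a value such as "sales###finance" cannot turn into two entries after the round trip.<br>

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;

// Added illustration; class and method names are hypothetical, not Keycloak API.
public class MultiValuedAttributeSketch {

    // Delimiter proposed in the message above.
    static final String DELIMITER = "###";

    // LDAP side: turn a single String or a collection of Strings into the one
    // string that a single-valued attribute column can hold.
    static String toStoredValue(Object ldapValue) {
        Collection<?> values;
        if (ldapValue instanceof Collection) {
            values = (Collection<?>) ldapValue;
        } else if (ldapValue instanceof String) {
            values = Collections.singletonList(ldapValue);
        } else {
            throw new IllegalArgumentException("unsupported attribute type: "
                    + (ldapValue == null ? "null" : ldapValue.getClass().getName()));
        }
        StringBuilder joined = new StringBuilder();
        for (Object v : values) {
            if (!(v instanceof String)) {
                throw new IllegalArgumentException("non-string attribute value");
            }
            String s = (String) v;
            // The delimiter travels in-band, so a value must not be able to
            // imitate it. "a#" followed by "b" would join to "a####b" and
            // split back as "a" and "#b"; "x###y" would split into two values.
            if (s.isEmpty() || s.contains(DELIMITER)
                    || s.startsWith("#") || s.endsWith("#")) {
                throw new IllegalArgumentException(
                        "value cannot be stored unambiguously: '" + s + "'");
            }
            if (joined.length() > 0) {
                joined.append(DELIMITER);
            }
            joined.append(s);
        }
        return joined.toString();
    }

    // Token side: split the stored string back into the individual values.
    static Set<String> toClaimValues(String stored) {
        if (stored == null || stored.isEmpty()) {
            return Collections.emptySet();
        }
        String[] parts = stored.split(Pattern.quote(DELIMITER));
        return new LinkedHashSet<>(Arrays.asList(parts));
    }

    public static void main(String[] args) {
        // Constructed sample input: the three values named in the message,
        // held in a TreeSet like the value in the quoted stack trace.
        Set<String> fromLdap =
                new TreeSet<>(Arrays.asList("finance", "sales", "development"));

        String stored = toStoredValue(fromLdap);
        System.out.println("stored value : " + stored);
        System.out.println("claim values : " + toClaimValues(stored));

        // A single-valued attribute goes through the same path.
        System.out.println("single value : " + toStoredValue("finance"));

        // Constructed sample: one LDAP value that embeds the delimiter.
        try {
            toStoredValue(Collections.singletonList("sales###finance"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected     : " + e.getMessage());
        }
    }
}
```
      <br>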
      On 19.6.2015 15:22, Kevin Thorpe wrote:<br>
    </div>
    <blockquote
cite="mid:CAFMa6BY715FGKQez58_km2jzhKHnuQmNODRwTg=y2bzxR8A_eA@mail.gmail.com"
      type="cite">
      <div dir="ltr">Ok, I think I understand. I tried 'sync all users'
        and got an error. Is this because applications is a multiple
        attribute? Obviously I will probably have access to more
        than one application. In the meantime I'll try a brand
        <div>new user and see if that works.<br>
          <div><br>
          </div>
          <div>Log shows:
            <div><br>
            </div>
            <div>
              <div>2015-06-19 14:19:26,361 INFO
                 [org.keycloak.federation.ldap.LDAPFederationProviderFactory]
                (default task-2) Sync all users from LDAP to local
                store: realm: master, federation provider: PI  ordinary
                users</div>
              <div>2015-06-19 14:19:26,611 ERROR [io.undertow.request]
                (default task-2) UT005023: Exception handling request to
                /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync:
                java.lang.RuntimeException: request path:
/auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync</div>
              <div>        at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)</div>
              <div>        at
                io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</div>
              <div>        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</div>
              <div>        at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)</div>
              <div>        at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)</div>
              <div>        at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)</div>
              <div>        at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)</div>
              <div>        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
              <div>        at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)</div>
              <div>        at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)</div>
              <div>        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
              <div>        at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)</div>
              <div>        at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)</div>
              <div>        at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)</div>
              <div>        at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)</div>
              <div>        at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)</div>
              <div>        at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)</div>
              <div>        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
              <div>        at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)</div>
              <div>        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
              <div>        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
              <div>        at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)</div>
              <div>        at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)</div>
              <div>        at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)</div>
              <div>        at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)</div>
              <div>        at
                io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)</div>
              <div>        at
                io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)</div>
              <div>        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</div>
              <div>        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</div>
              <div>        at java.lang.Thread.run(Thread.java:745)</div>
              <div>Caused by: org.jboss.resteasy.spi.UnhandledException:
                java.lang.ClassCastException: java.util.TreeSet cannot
                be cast to java.lang.String</div>
              <div>        at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)</div>
              <div>        at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)</div>
              <div>        at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)</div>
              <div>        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)</div>
              <div>        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)</div>
              <div>        at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)</div>
              <div>        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)</div>
              <div>        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)</div>
              <div>        at
                javax.servlet.http.HttpServlet.service(HttpServlet.java:790)</div>
              <div>        at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)</div>
              <div>        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)</div>
              <div>        at
org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)</div>
              <div>        at
                io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</div>
              <div>        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</div>
              <div>        at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)</div>
              <div>        ... 29 more</div>
              <div>Caused by: java.lang.ClassCastException:
                java.util.TreeSet cannot be cast to java.lang.String</div>
              <div>        at
org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)</div>
              <div>        at
org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)</div>
              <div>        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)</div>
              <div>        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)</div>
              <div>        at
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)</div>
              <div>        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)</div>
              <div>        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)</div>
              <div>        at
org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)</div>
              <div>        at
org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)</div>
              <div>        at
                sun.reflect.NativeMethodAccessorImpl.invoke0(Native
                Method)</div>
              <div>        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</div>
              <div>        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div>
              <div>        at
                java.lang.reflect.Method.invoke(Method.java:497)</div>
              <div>        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)</div>
              <div>        at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)</div>
              <div>        at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)</div>
              <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)</div>
              <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
              <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
              <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
              <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
              <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
              <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
              <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)</div>
              <div>        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)</div>
              <div>        ... 40 more</div>
            </div>
            <div><br>
            </div>
          </div>
        </div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="gmail_signature">
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div><font color="#000000"><b>Kevin Thorpe<br>
                      </b></font></div>
                  <div>CTO<br>
                  </div>
                  <div><br>
                  </div>
                  <div><a moz-do-not-send="true"
                      href="http://www.p-i.net/" target="_blank">www.p-i.net</a> | <a
                      moz-do-not-send="true"
                      href="https://twitter.com/@PI_150" target="_blank">@PI_150</a><br>
                  </div>
                  <div><span style="color:rgb(81,81,81)"><br>
                    </span></div>
                  <div><span style="color:rgb(81,81,81)">M: <a
                        moz-do-not-send="true" value="+447921676683">+44
                        (0)7425 160 368</a> | T: <a
                        moz-do-not-send="true" value="+442030056750">+44
                        (0)203 005 6750</a> | F: <a
                        moz-do-not-send="true" value="+442077302635">+44(0)207
                        730 2635</a></span><br>
                  </div>
                  <div><font color="#515151">150 Buckingham Palace
                      Road, </font><span style="color:rgb(81,81,81)">London,
                      SW1W 9TR, UK</span></div>
                  <div><font size="1">_____________________________ </font></div>
                  <p><font size="1">This email and any files transmitted
                      with it are confidential and intended solely for
                      the use of the individual or entity to whom they
                      are addressed. If you have received this email in
                      error please notify the system manager. This
                      message contains confidential information and is
                      intended only for the individual named. If you are
                      not the named addressee you should not
                      disseminate, distribute or copy this e-mail.
                      Please notify the sender immediately by e-mail if
                      you have received this e-mail by mistake and
                      delete this e-mail from your system. If you are
                      not the intended recipient you are notified that
                      disclosing, copying, distributing or taking any
                      action in reliance on the contents of this
                      information is strictly prohibited.</font></p>
                  <p><b>"<span style="color:rgb(11,83,148)"><font>SAVE
                          PAPER - THINK BEFORE YOU PRINT!</font></span>"
                    </b></p>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">On 19 June 2015 at 13:50, Marek Posolda
          <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>Thanks for the info. Now I think I know what's going
                on.<br>
                <br>
                The issue is that currently when we import users from
                LDAP (federation in general), we sync the configured
                attributes to the Keycloak DB. But during searching, we
                don't sync the attributes from LDAP to Keycloak DB
                anymore. So I guess you did the steps like this:<br>
                - You first authenticated as LDAP user "joe" (or searched
                for this user from the admin console), which imported this user
                into Keycloak DB<br>
                - Then you created a mapper for the 'applications'
                attribute. But user 'joe' was already imported into
                Keycloak DB from the previous step, right?<br>
                <br>
                I believe that when you import some other user from
                LDAP, which does not yet exist in Keycloak DB, the
                'applications' attribute will be there. For the existing
                user, the only possibility right now is to use
                "Synchronize all users" or "Synchronize changed users"
                on the LDAP federation screen. This will update existing
                users in Keycloak DB as well, so 'joe' will be
                updated.<br>
                <br>
                Please let me know if it helps.  Looks like it's
                something we should address better in Keycloak.<span
                  class="HOEnZb"><font color="#888888"><br>
                    <br>
                    Marek</font></span>
                <div>
                  <div class="h5"><br>
                    <br>
                    On 19.6.2015 11:56, Kevin Thorpe wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div dir="ltr">I had a hunch so I added a record in
                      USER_ATTRIBUTE for applications and it is getting
                      passed in the JWT claims now. That squarely points
                      at the ldap federation part.
                    </div>
                    <div class="gmail_extra"><br clear="all">
                      <br>
                      <div class="gmail_quote">On 19 June 2015 at 10:42,
                        Kevin Thorpe <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:kevin.thorpe@p-i.net"
                            target="_blank">kevin.thorpe@p-i.net</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div dir="ltr">Hi Marek, thanks for the quick
                            reply.
                            <div><br>
                            </div>
                            <div>1. I am definitely sure that the
                              attributes I need are in the LDAP record.</div>
                            <div><br>
                            </div>
                            <div>2. adding trace to federation.ldap
                              shows my mapped attributes being read</div>
                            <div><br>
                            </div>
                            <div>3. there is no USER_ATTRIBUTES table
                              I'm assuming you meant USER_ATTRIBUTE but
                              it doesn't have my attributes.</div>
                            <div>   it does have a reference to my
                              LDAP_ID so it looks like it should be
                              here</div>
                            <div><br>
                            </div>
                            <div>
                              <div>MariaDB [keycloak]&gt; select * from
                                USER_ATTRIBUTE;</div>
<pre>+---------+-------------------------------------+--------------------------------------+
| NAME    | VALUE                               | USER_ID                              |
+---------+-------------------------------------+--------------------------------------+
| LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 | 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
| LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 | 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
+---------+-------------------------------------+--------------------------------------+</pre>
                            </div>
                            <div><br>
                            </div>
                            <div>thanks for your time on this</div>
                          </div>
                          <div class="gmail_extra"><br clear="all">
                            <div>
                              <div>
                                <div dir="ltr">
                                  <div>
                                    <div dir="ltr">
                                      <p><b>"<span
                                            style="color:rgb(11,83,148)"><font>SAVE

                                              PAPER - THINK BEFORE YOU
                                              PRINT!</font></span>" </b></p>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                            <div>
                              <div> <br>
                                <div class="gmail_quote">On 19 June 2015
                                  at 10:15, Marek Posolda <span
                                    dir="ltr">&lt;<a
                                      moz-do-not-send="true"
                                      href="mailto:mposolda@redhat.com"
                                      target="_blank">mposolda@redhat.com</a>&gt;</span>
                                  wrote:<br>
                                  <blockquote class="gmail_quote"
                                    style="margin:0 0 0
                                    .8ex;border-left:1px #ccc
                                    solid;padding-left:1ex">
                                    <div bgcolor="#FFFFFF"
                                      text="#000000">
                                      <div>There are a few steps here and
                                        the result will work only if all
                                        steps succeed. So it might help
                                        to check which step could be wrong
                                        here:<br>
                                        <br>
                                        1) You can double-check if your
                                        user really has the 'applications'
                                        attribute in LDAP<br>
                                        <br>
                                        2) If (1) is ok, you can enable
                                        TRACE logging for the
                                        "org.keycloak.federation.ldap"
                                        category in standalone.xml.
                                        With it, you should see some
                                        trace messages with the names
                                        and values of all LDAP
                                        attributes which are loaded in
                                        the user record. You should see the
                                        'applications' attribute loaded<br>
                                        <br>
                                        3) If (2) is ok, you can browse
                                        the Keycloak database and check if
                                        the attribute 'applications' is
                                        really there. The user attributes
                                        are saved in table
                                        USER_ATTRIBUTES. Currently it's
                                        not possible to browse user
                                        attributes generically in the admin
                                        console (unless you do a custom
                                        theme) so browsing the DB seems to be
                                        the only possibility.<br>
                                        <br>
                                        4) If (3) is ok, the issue is
                                        not in the LDAP interaction, but in
                                        the protocol mapper configuration.
                                        Make sure you use the correct
                                        protocol mapper (in your case it
                                        should be the "User attributes"
                                        mapper, not the "User property"
                                        mapper). Also, if your
                                        application is Java based, the
                                        value of the 'applications' claim is
                                        saved in accessToken in the
                                        'otherClaims' map and can be
                                        retrieved with something like:
                                        accessToken.getOtherClaims().get("applications");<br>
                                        <br>
                                        Marek
                                        <div>
                                          <div><br>
                                            <br>
                                            <br>
                                            On 18.6.2015 17:50, Kevin
                                            Thorpe wrote:<br>
                                          </div>
                                        </div>
                                      </div>
                                      <blockquote type="cite">
                                        <div>
                                          <div>
                                            <div dir="ltr">
                                              <div>Thanks to the team
                                                for 1.3.1. We were
                                                eagerly waiting for that
                                                to add LDAP attribute
                                                mappings which I see has
                                                now been done.
                                                Unfortunately I can't
                                                seem to get it to work.</div>
                                              <div><br>
                                              </div>
                                              <div>I have added a user
                                                attribute mapper to my
                                                LDAP federation. This
                                                maps the LDAP attribute
                                                'applications' which
                                                exists on my LDAP user
                                                record to 'applications'
                                                in Keycloak. </div>
                                              <div><br>
                                              </div>
                                              <div>I have also added a
                                                user attribute token
                                                mapper to my Keycloak
                                                client definition to map
                                                user attribute
                                                'applications' to token
                                                claim 'applications'.
                                                I've also asked to add
                                                to both id and access
                                                token.</div>
                                              <div><br>
                                              </div>
                                              <div>However this
                                                attribute is not present
                                                in either the ID or
                                                access token when
                                                testing. Is there
                                                something I've missed? </div>
                                              <div><br>
                                              </div>
                                              <div>Something that may be
                                                an issue though is that
                                                I'm using a home-written
                                                openid-connect Lua
                                                client based on your
                                                JavaScript one. This
                                                uses the endpoint
                                                /auth/realms/master/protocol/openid-connect/token.
                                                Is it that the
                                                openid-connect endpoint
                                                doesn't support these
                                                attributes yet?</div>
                                              <br clear="all">
                                              <div>
                                                <div>
                                                  <div dir="ltr">
                                                    <div dir="ltr">
                                                      <div><font
                                                          color="#000000"><b>Kevin

                                                          Thorpe<br>
                                                          </b></font></div>
                                                      <div>CTO, PI ltd<br>
                                                      </div>
                                                    </div>
                                                  </div>
                                                </div>
                                              </div>
                                            </div>
                                            <br>
                                            <br>
                                          </div>
                                        </div>
                                        <pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
                                      </blockquote>
                                      <br>
                                    </div>
                                  </blockquote>
                                </div>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
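    <p>Added example, not part of the original thread and not Keycloak's own code: for step 4 of the checklist quoted above, this script decodes the tokens returned by the token endpoint and reports whether the 'applications' claim is present in each, treating a single string and a multi-valued list alike. The function names and the sample tokens are constructed for illustration, and the payload is read without signature verification, so the output is a diagnostic only.</p>

```python
import base64
import binascii
import json

def decode_claims(jwt):
    """Payload claims of a compact JWT, signature NOT verified (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # JWTs drop base64 padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def claim_values(claims, name):
    """None if the claim is absent, else its value(s) as a list of strings."""
    if name not in claims:
        return None
    value = claims[name]
    return [str(v) for v in value] if isinstance(value, list) else [str(value)]

def check_token_response(response, claim):
    """For each token in a token-endpoint response, report what the claim holds."""
    report = {}
    for key in ("access_token", "id_token"):
        try:
            values = claim_values(decode_claims(response[key]), claim)
            report[key] = "claim absent" if values is None else values
        except KeyError:
            report[key] = "token not returned"
        except ValueError as exc:
            report[key] = "undecodable: %s" % exc
    return report

def sample_jwt(claims):
    """Constructed token with a dummy signature, used only as demo input."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims))

# Constructed sample: the access token carries the claim, the ID token does not.
SAMPLE = {"access_token": sample_jwt({"sub": "u1", "applications": ["finance", "sales"]}),
          "id_token": sample_jwt({"sub": "u1"})}

if __name__ == "__main__":
    print(check_token_response(SAMPLE, "applications"))
```

    <p>A result of "claim absent" for both tokens while the attribute is present in the database points at the protocol mapper configuration rather than at the LDAP side.</p>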
  </body>
</html>