<div dir="ltr">Brilliant, I&#39;m waiting for it so yes I&#39;d like to try as soon as available.<div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><font color="#000000"><b>Kevin Thorpe<br></b></font></div>
        <div>CTO<br></div>
        <div><br>
        </div>
        <div><a href="https://www.p-i.net/" target="_blank"><img src="cid:part1.09070200.07040105@p-i.net"></a>   <a href="https://twitter.com/@PI_150" target="_blank"><img src="cid:part3.05090201.04050806@p-i.net"></a><br>
        </div>
        <div><br>
        </div>
        <div><a href="http://www.p-i.net/" target="_blank">www.p-i.net</a> | <a href="https://twitter.com/@PI_150" target="_blank">@PI_150</a><br>
        </div>
        <div><span style="color:rgb(81,81,81)"><br>
          </span></div>
        <div><span style="color:rgb(81,81,81)">M: <a value="+447921676683">+44 (0)7425 160 368</a> | T: <a value="+442030056750">+44 (0)203 005 6750</a> |
            F: <a value="+442077302635">+44(0)207 730 2635</a></span><br>
        </div>
        <div><font color="#515151">150
            Buckingham Palace Road, </font><span style="color:rgb(81,81,81)">London, SW1W 9TR, UK</span></div>
        <div><br><b><span style="color:rgb(11,83,148)">  <img src="https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/81028530-5f84-4598-825b-f6465a83bae1?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/145aebe0-c393-49d7-8e1d-44c3c4d451dc?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bdad-40c3-b284-102c365c7b85?t=1416563040000" height="36" width="64"><img src="https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7a-8a22-818f518f0459?t=1421160152000" height="44" width="116"></span></b></div>
        <div><font size="1">_____________________________ </font></div>
        
          <p><font size="1">This email and any files transmitted with it
              are confidential and intended solely for the use of the
              individual or entity to whom they are addressed. If you
              have received this email in error please notify the system
              manager. This message contains confidential information
              and is intended only for the individual named. If you are
              not the named addressee you should not disseminate,
              distribute or copy this e-mail. Please notify the sender
              immediately by e-mail if you have received this e-mail by
              mistake and delete this e-mail from your system. If you
              are not the intended recipient you are notified that
              disclosing, copying, distributing or taking any action in
              reliance on the contents of this information is strictly
              prohibited.</font></p><p><b>&quot;<span style="color:rgb(11,83,148)"><font>SAVE PAPER - THINK BEFORE YOU PRINT!</font></span>&quot; </b></p></div></div></div></div></div>
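<p>The packing scheme Marek proposes in the quoted thread below (one string per attribute with <code>###</code> between the values, split again when the protocol mapper builds the access token), Kevin's worry about role values that already carry their own <code>|</code> delimiters, and the shape mismatch behind the quoted <code>ClassCastException</code> (a multi-valued attribute arriving as a set where one string was expected), worked through as an added example that is not part of this thread and not Keycloak's own code. It is written in Python rather than Keycloak's Java so that it runs stand-alone; every function name, the JSON-array alternative and all sample values are assumptions.</p>

```python
"""Delimiter-packed multi-valued attributes: normalise, pack, split, detect collisions.

Added example, not Keycloak code. DELIMITER is the sequence proposed in the
thread; all function names and sample values are assumptions.
"""
import json
from typing import Iterable, List, Set, Tuple, Union

DELIMITER = "###"  # the delimiter sequence proposed in the thread


def normalize_ldap_values(raw: Union[str, Iterable[str], None]) -> List[str]:
    """Accept an LDAP attribute as either one string or a collection of strings.

    Treating a multi-valued attribute (delivered as a set) as a single string is
    the shape mismatch behind the ClassCastException quoted in the thread;
    accepting both shapes here avoids it. Sorting makes the order deterministic.
    """
    if raw is None:
        return []
    if isinstance(raw, str):
        return [raw]
    return sorted(raw)


def values_containing_delimiter(values: Iterable[str], delimiter: str = DELIMITER) -> List[str]:
    """Return the values that already contain the delimiter (collision candidates)."""
    return [v for v in values if delimiter in v]


def pack_values(values: Iterable[str], delimiter: str = DELIMITER) -> str:
    """Join values into one string for a store that holds one string per attribute.

    Refuses any value that already contains the delimiter: splitting it back on
    read would otherwise turn one stored value into several that nobody stored.
    """
    vals = list(values)
    bad = values_containing_delimiter(vals, delimiter)
    if bad:
        raise ValueError(f"values contain the delimiter {delimiter!r}: {bad}")
    return delimiter.join(vals)


def unpack_values(packed: str, delimiter: str = DELIMITER) -> Set[str]:
    """Split a packed string back into a set of values; '' unpacks to no values."""
    if packed == "":
        return set()
    return set(packed.split(delimiter))


def parse_role(role: str) -> Tuple[str, str, str]:
    """Split a role in Kevin's application|role|path form into its three parts.

    maxsplit=2 keeps any further '|' inside the path as part of the path.
    """
    application, name, path = role.split("|", 2)
    return application, name, path


def pack_json(values: Iterable[str]) -> str:
    """Collision-free alternative (assumption, not a Keycloak feature): a JSON array."""
    return json.dumps(sorted(values))


def unpack_json(packed: str) -> Set[str]:
    """Inverse of pack_json; '' unpacks to no values."""
    return set(json.loads(packed)) if packed else set()


if __name__ == "__main__":
    # Constructed sample: the thread's three-valued "applications" attribute,
    # delivered by the directory client as a set rather than a string.
    ldap_applications = {"finance", "sales", "development"}
    packed = pack_values(normalize_ldap_values(ldap_applications))
    print(packed)                          # development###finance###sales
    print(sorted(unpack_values(packed)))   # ['development', 'finance', 'sales']

    # Constructed sample roles in the pipe-delimited form from the thread.
    roles = ["erp|admin|/erp/admin", "crm|viewer|/crm/reports/q2"]
    for r in sorted(unpack_values(pack_values(roles))):
        print(parse_role(r))

    # A value that already contains the delimiter is reported (and pack_values
    # rejects it) rather than being silently split into two on read.
    print(values_containing_delimiter(["ok", "bad###value"]))  # ['bad###value']
```

<p>The delimiter check in <code>pack_values</code> is the security-relevant piece: if a role or application value could ever contain the delimiter, the split on read would quietly produce extra values, so the packer refuses such input before it reaches the store; the JSON-array form needs no such check because the encoding escapes the content.</p>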
<br><div class="gmail_quote">On 22 June 2015 at 14:45, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Thanks for the info Kevin. I&#39;ve also
      created <a href="https://issues.jboss.org/browse/KEYCLOAK-1490" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-1490</a> for the sync
      issue. Will try to address both issues for the next release. Will
      let you know once it&#39;s fixed in master if you want to try it
      before the next release is out.<br>
      <br>
      Marek<br>
      <br>
      On 19.6.2015 at 17:45, Kevin Thorpe wrote:<br>
    </div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">I agree with you on the delimiter option. That
        wouldn&#39;t require any database changes.
        <div>For the small attribute applications I could wrap into a delimited string,
          but we have some others for fine-grained permissions/roles that can be
          dozens of already delimited strings. Roles in particular are:</div>
        <div>    application|role|path/that/role/represents</div>
        <div>I know it&#39;s very common to have multi-attributes in LDAP
          anyway, so this will affect others.</div>
        <div><br>
        </div>
        <div>JIRA: <a href="https://issues.jboss.org/browse/KEYCLOAK-1487" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-1487</a></div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <br>
        <div class="gmail_quote">On 19 June 2015 at 15:22, Marek Posolda
          <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>Ouch, this is a bug<span><span> :-( </span></span><br>
                <br>
                Feel free to create JIRA. <br>
                <br>
                The UserModel in Keycloak DB has each attribute modelled
                as one string value. But I think I can address it with
                the usage of some delimiter, and then for the access token
                there is the protocol mapper, which will handle it.<br>
                <br>
                So for example, if your LDAP user has 3 values of the
                attribute &quot;applications&quot; with values &quot;finance&quot;, &quot;sales&quot;,
                &quot;development&quot;, the attribute on the Keycloak UserModel
                will have a value like &quot;finance###sales###development&quot;
                (the sequence ### will be used as the delimiter), but for
                the access token it will be divided again. So in your
                application, you will have the possibility to have something
                like:<br>
                <br>
                Set&lt;String&gt; applications =
                accessToken.getOtherClaims().getAttribute(&quot;applications&quot;);<br>
                <br>
                which will return a set with 3 values: &quot;finance&quot;, &quot;sales&quot;,
                &quot;development&quot;.<span><font color="#888888"><br>
                    <br>
                    Marek</font></span>
                <div>
                  <div><br>
                    <br>
                    On 19.6.2015 15:22, Kevin Thorpe wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div>
                  <blockquote type="cite">
                    <div dir="ltr">Ok, I think I understand. I tried
                      &#39;sync all users&#39; and got an error. Is this because
                      applications is a multiple attribute? Obviously I will
                      probably have access to more than one application.
                      <div>In the meantime I&#39;ll try a brand new user and see if that works.<br>
                        <div><br>
                        </div>
                        <div>Log shows:
                          <div><br>
                          </div>
                          <div>
                            <div>2015-06-19 14:19:26,361 INFO
                               [org.keycloak.federation.ldap.LDAPFederationProviderFactory]
                              (default task-2) Sync all users from LDAP
                              to local store: realm: master, federation
                              provider: PI  ordinary users</div>
                            <div>2015-06-19 14:19:26,611 ERROR
                              [io.undertow.request] (default task-2)
                              UT005023: Exception handling request to
                              /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync:

                              java.lang.RuntimeException: request path:
/auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync</div>
                            <div>        at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)</div>
                            <div>        at
                              io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</div>
                            <div>        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</div>
                            <div>        at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)</div>
                            <div>        at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)</div>
                            <div>        at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)</div>
                            <div>        at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)</div>
                            <div>        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
                            <div>        at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)</div>
                            <div>        at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)</div>
                            <div>        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
                            <div>        at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)</div>
                            <div>        at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)</div>
                            <div>        at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)</div>
                            <div>        at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)</div>
                            <div>        at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)</div>
                            <div>        at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)</div>
                            <div>        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
                            <div>        at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)</div>
                            <div>        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
                            <div>        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
                            <div>        at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)</div>
                            <div>        at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)</div>
                            <div>        at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)</div>
                            <div>        at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)</div>
                            <div>        at
                              io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)</div>
                            <div>        at
                              io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)</div>
                            <div>        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</div>
                            <div>        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</div>
                            <div>        at
                              java.lang.Thread.run(Thread.java:745)</div>
                            <div>Caused by:
                              org.jboss.resteasy.spi.UnhandledException:
                              java.lang.ClassCastException:
                              java.util.TreeSet cannot be cast to
                              java.lang.String</div>
                            <div>        at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)</div>
                            <div>        at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)</div>
                            <div>        at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)</div>
                            <div>        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)</div>
                            <div>        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)</div>
                            <div>        at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)</div>
                            <div>        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)</div>
                            <div>        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)</div>
                            <div>        at
                              javax.servlet.http.HttpServlet.service(HttpServlet.java:790)</div>
                            <div>        at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)</div>
                            <div>        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)</div>
                            <div>        at
org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)</div>
                            <div>        at
                              io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</div>
                            <div>        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</div>
                            <div>        at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)</div>
                            <div>        ... 29 more</div>
                            <div>Caused by:
                              java.lang.ClassCastException:
                              java.util.TreeSet cannot be cast to
                              java.lang.String</div>
                            <div>        at
org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)</div>
                            <div>        at
org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)</div>
                            <div>        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)</div>
                            <div>        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)</div>
                            <div>        at
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)</div>
                            <div>        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)</div>
                            <div>        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)</div>
                            <div>        at
org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)</div>
                            <div>        at
org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)</div>
                            <div>        at
                              sun.reflect.NativeMethodAccessorImpl.invoke0(Native
                              Method)</div>
                            <div>        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</div>
                            <div>        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div>
                            <div>        at
                              java.lang.reflect.Method.invoke(Method.java:497)</div>
                            <div>        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)</div>
                            <div>        at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)</div>
                            <div>        at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)</div>
                            <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)</div>
                            <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
                            <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
                            <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
                            <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
                            <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
                            <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
                            <div>        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)</div>
                            <div>        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)</div>
                            <div>        ... 40 more</div>
                          </div>
                          <div><br>
                          </div>
                        </div>
                      </div>
                    </div>
                    <div class="gmail_extra"><br clear="all">
                      <br>
                      <div class="gmail_quote">On 19 June 2015 at 13:50,
                        Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000">
                            <div>Thanks for the info. Now I think I know
                              what&#39;s going on.<br>
                              <br>
                              The issue is that currently when we import
                              users from LDAP (federation in general),
                              we sync the configured attributes to the
                              Keycloak DB. But during searching, we
                              don&#39;t sync the attributes from LDAP to
                              Keycloak DB anymore. So I guess you did
                              the steps like this:<br>
                              - You first authenticate as LDAP user
                              &quot;joe&quot; (or search this user from admin
                              console), which imported this user into
                              Keycloak DB<br>
                              - Then you created mapper for the
                              &#39;applications&#39; attribute. But user &#39;joe&#39;
                              was already imported into Keycloak DB from
                              the previous step, right?<br>
                              <br>
                               I believe that when you import some other
                               user from LDAP, which does not yet exist in
                               Keycloak DB, the &#39;applications&#39; attribute
                               will be there. For the existing user, the
                               only possibility right now is to use
                               &quot;Synchronize all users&quot; or &quot;Synchronize
                               changed users&quot; on the LDAP federation screen.
                               This will update existing users in the
                               Keycloak DB as well, so &#39;joe&#39; will be
                               updated.<br>
                               <br>
                               Please let me know if it helps. Looks
                               like it&#39;s something we should address
                               better in Keycloak.<span><font color="#888888"><br>
                                   <br>
                                   Marek</font></span>
                              <div>
                                <div><br>
                                  <br>
                                  On 19.6.2015 11:56, Kevin Thorpe
                                  wrote:<br>
                                </div>
                              </div>
                            </div>
                            <div>
                              <div>
                                <blockquote type="cite">
                                  <div dir="ltr">I had a hunch so I
                                    added a record in USER_ATTRIBUTE for
                                    applications and it is getting
                                    passed in the JWT claims now.
                                    <div>That squarely points at the LDAP
                                      federation part.</div>
                                  </div>
                                  <div class="gmail_extra"><br clear="all">
                                    <br>
                                    <div class="gmail_quote">On 19 June
                                      2015 at 10:42, Kevin Thorpe <span dir="ltr">&lt;<a href="mailto:kevin.thorpe@p-i.net" target="_blank">kevin.thorpe@p-i.net</a>&gt;</span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Marek, thanks for the quick reply.
  <div><br>
  </div>
  <div>1. I am definitely sure that the attributes I need are in the LDAP record.</div>
  <div><br>
  </div>
  <div>2. Adding trace to federation.ldap shows my mapped attributes being read.</div>
  <div><br>
  </div>
  <div>3. There is no USER_ATTRIBUTES table; I&#39;m assuming you meant USER_ATTRIBUTE, but it doesn&#39;t have my attributes.</div>
  <div>   It does have a reference to my LDAP_ID so it looks like it should be here.</div>
  <div><br>
  </div>
<div>
  <div>MariaDB [keycloak]&gt; select * from USER_ATTRIBUTE;</div>
  <pre>+---------+-------------------------------------+--------------------------------------+
| NAME    | VALUE                               | USER_ID                              |
+---------+-------------------------------------+--------------------------------------+
| LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 | 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
| LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 | 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
+---------+-------------------------------------+--------------------------------------+</pre>
</div>
                                          <div><br>
                                          </div>
                                          <div>thanks for your time on
                                            this</div>
                                        </div>
                                        <div class="gmail_extra"><br clear="all">
                                          <div>
                                            <div> <br>
                                              <div class="gmail_quote">On
                                                19 June 2015 at 10:15,
                                                Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
                                                wrote:<br>
                                                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                  <div bgcolor="#FFFFFF" text="#000000">
<div>There are a few steps here and the result will work only if all steps succeed. So it might help to try to find which step could be wrong here:<br>
  <br>
  1) You can double-check whether your user really has the &#39;applications&#39; attribute in LDAP.<br>
  <br>
  2) If (1) is OK, you can enable TRACE logging for the &quot;org.keycloak.federation.ldap&quot; category in standalone.xml. With it, you should see some trace messages with the names and values of all LDAP attributes which are loaded into the user record. You should see the &#39;applications&#39; attribute loaded.<br>
  <br>
  3) If (2) is OK, you can browse the Keycloak database and check whether the &#39;applications&#39; attribute is really there. The user attributes are saved in the table USER_ATTRIBUTES. Currently it&#39;s not possible to browse user attributes generically in the admin console (unless you do a custom theme), so browsing the DB seems to be the only possibility.<br>
  <br>
  4) If (3) is OK, the issue is not in the LDAP interaction but in the protocol mapper configuration. Make sure you use the correct protocol mapper (in your case it should be the &quot;User attributes&quot; mapper, not the &quot;User property&quot; mapper). Also, if your application is Java based, the value of the &#39;applications&#39; claim is saved in the accessToken in the &#39;otherClaims&#39; map and can be retrieved with something like: accessToken.getOtherClaims().get(&quot;applications&quot;);<br>
  <br>
  Marek
                                                      <div>
                                                        <div><br>
                                                          <br>
                                                          <br>
                                                          On 18.6.2015
                                                          17:50, Kevin
                                                          Thorpe wrote:<br>
                                                        </div>
                                                      </div>
                                                    </div>
                                                    <blockquote type="cite">
                                                      <div>
                                                        <div>
                                                          <div dir="ltr">
<div>Thanks to the team for 1.3.1. We were eagerly waiting for that to add LDAP attribute mappings, which I see has now been done. Unfortunately I can&#39;t seem to get it to work.</div>
<div><br>
</div>
<div>I have added a user attribute mapper to my LDAP federation. This maps the LDAP attribute &#39;applications&#39;, which exists on my LDAP user record, to &#39;applications&#39; in Keycloak.</div>
<div><br>
</div>
<div>I have also added a user attribute token mapper to my Keycloak client definition to map user attribute &#39;applications&#39; to token claim &#39;applications&#39;. I&#39;ve also asked to add it to both the ID and access token.</div>
<div><br>
</div>
<div>However this attribute is not present in either the ID or access token when testing. Is there something I&#39;ve missed?</div>
<div><br>
</div>
<div>Something that may be an issue, though, is that I&#39;m using a home-written openid-connect Lua client based on your JavaScript one. This uses the endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the openid-connect endpoint doesn&#39;t support these attributes yet?</div>
                                                          <br clear="all">
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">
                                                          <div dir="ltr">
                                                          <div><font color="#000000"><b>Kevin


                                                          Thorpe<br>
                                                          </b></font></div>
                                                          <div>CTO, PI
                                                          ltd<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          <fieldset></fieldset>
                                                          <br>
                                                        </div>
                                                      </div>
                                                      <pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
                                                    </blockquote>
                                                    <br>
                                                  </div>
                                                </blockquote>
                                              </div>
                                              <br>
                                            </div>
                                          </div>
                                        </div>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>