<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Kevin,<br>
<br>
Great to hear that things work well for you. Were you able to find
the "mappers" page in the admin console after all?<br>
<br>
Thanks,<br>
Marek<br>
<br>
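<p>Added example, not code from this thread or from the Keycloak project: a small Python model of the behaviour Marek describes in the quoted thread below, i.e. a multi-valued LDAP attribute stored as one "###"-delimited string on import, split back into a list claim by the protocol-mapper step, and attributes copied only at import time or on "Synchronize all users". All class and function names (LdapDirectory, KeycloakStore, build_access_token_claims, run_thread_scenario) and the two LDAP entries are constructed for illustration; nothing here is Keycloak's actual API. It also adds the check a practitioner would want with a delimiter scheme: a value that itself contains the delimiter is rejected rather than silently split into extra entries, since those entries end up as authorization claims (Kevin's application|role|path strings).</p>

```python
# Added example, not Keycloak code. Models the delimiter scheme and the
# import-only attribute sync discussed in the thread. Class/function names
# and the LDAP entries below are constructed for illustration.
import json

DELIMITER = "###"  # the delimiter Marek proposes for the single-string value


def contains_delimiter(values):
    """True if any value would collide with the delimiter when joined."""
    return any(DELIMITER in v for v in values)


def encode_multi_valued(values):
    """Join a multi-valued LDAP attribute into one string for a single-value store.

    A value containing the delimiter is refused: it would decode into extra
    entries, and those entries later become authorization claims.
    """
    if contains_delimiter(values):
        raise ValueError("a value contains the delimiter %r" % DELIMITER)
    return DELIMITER.join(sorted(values))


def decode_multi_valued(stored):
    """Split the stored string back into the set of values for a token claim."""
    if not stored:
        return set()
    return set(stored.split(DELIMITER))


class LdapDirectory:
    """Constructed stand-in for the LDAP server: uid to {attribute: value(s)}."""

    def __init__(self, entries):
        self.entries = entries

    def lookup(self, uid):
        return self.entries[uid]


class KeycloakStore:
    """Constructed stand-in for the Keycloak DB plus its LDAP federation provider."""

    def __init__(self, ldap):
        self.ldap = ldap
        self.users = {}    # uid to {user_attribute: single string}
        self.mappers = []  # (ldap_attribute, user_attribute) pairs

    def add_mapper(self, ldap_attribute, user_attribute):
        self.mappers.append((ldap_attribute, user_attribute))

    def _import(self, uid):
        """Copy mapped attributes from LDAP into the single-string store."""
        entry = self.ldap.lookup(uid)
        attrs = {}
        for ldap_attr, user_attr in self.mappers:
            raw = entry.get(ldap_attr)
            if raw is None:
                continue
            # The thread's ClassCastException: the mapper received a set
            # (TreeSet) for a multi-valued attribute where it expected a
            # string. Encode instead of casting.
            if isinstance(raw, (set, frozenset, list, tuple)):
                attrs[user_attr] = encode_multi_valued(raw)
            else:
                attrs[user_attr] = str(raw)
        self.users[uid] = attrs
        return attrs

    def search(self, uid):
        """A search imports an unknown user; a known user is served from the DB."""
        if uid not in self.users:
            self._import(uid)
        return self.users[uid]

    def sync_all_users(self):
        """'Synchronize all users': re-import every user already in the DB."""
        for uid in list(self.users):
            self._import(uid)


def build_access_token_claims(store, uid, multi_valued_claims):
    """Protocol-mapper step: turn delimited attributes back into list claims."""
    claims = {}
    for name, value in store.search(uid).items():
        if name in multi_valued_claims:
            claims[name] = sorted(decode_multi_valued(value))
        else:
            claims[name] = value
    return claims


def run_thread_scenario():
    """Replay the sequence Marek suspects: user imported first, mapper added later."""
    ldap = LdapDirectory({  # constructed sample entries
        "joe": {"mail": "joe@example.test",
                "applications": {"finance", "sales", "development"}},
        "ann": {"mail": "ann@example.test", "applications": {"sales"}},
    })
    store = KeycloakStore(ldap)
    store.add_mapper("mail", "email")
    store.search("joe")  # joe is imported while only the mail mapper exists
    store.add_mapper("applications", "applications")
    before_sync = build_access_token_claims(store, "joe", {"applications"})
    new_user = build_access_token_claims(store, "ann", {"applications"})
    store.sync_all_users()
    after_sync = build_access_token_claims(store, "joe", {"applications"})
    return {"before_sync": before_sync, "new_user": new_user, "after_sync": after_sync}


if __name__ == "__main__":
    print(json.dumps(run_thread_scenario(), indent=2, sort_keys=True))
```

<p>Running it shows the three states from the thread: the already-imported user has no "applications" claim until a full sync, a freshly imported user gets the split list straight away, and after "Synchronize all users" the first user catches up. The decoded claim is a list, which is what an application should consume; a comma- or "###"-joined string handed to the client would only move the splitting, and its collision problem, into every consumer.</p>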
On 31.7.2015 12:46, Kevin Thorpe wrote:<br>
</div>
<blockquote
cite="mid:CAFMa6BYiZKSKfhA=OcmL2px4untUkxRQ6wRMBhAg5V0-iWxVNg@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Marek, thank you and your colleagues very much
for working on the LDAP mapping for us.
<div>Works like a charm. This was holding us up, so we're very
grateful that it was accomplished so quickly.</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div><font color="#000000"><b>Kevin Thorpe<br>
</b></font></div>
<div>CTO<br>
</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="https://www.p-i.net/" target="_blank"><img
src="cid:part1.05020309.05080706@redhat.com"></a>
<a moz-do-not-send="true"
href="https://twitter.com/@PI_150" target="_blank"><img
src="cid:part3.04020805.04090902@redhat.com"></a><br>
</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://www.p-i.net/" target="_blank">www.p-i.net</a> | <a
moz-do-not-send="true"
href="https://twitter.com/@PI_150" target="_blank">@PI_150</a><br>
</div>
<div><span style="color:rgb(81,81,81)"><br>
</span></div>
<div><span style="color:rgb(81,81,81)">M: <a
moz-do-not-send="true" value="+447921676683">+44
(0)7425 160 368</a> | T: <a
moz-do-not-send="true" value="+442030056750">+44
(0)203 005 6750</a> | F: <a
moz-do-not-send="true" value="+442077302635">+44(0)207
730 2635</a></span><br>
</div>
<div><font color="#515151">150 Buckingham Palace
Road, </font><span style="color:rgb(81,81,81)">London,
SW1W 9TR, UK</span></div>
<div><br>
<b><span style="color:rgb(11,83,148)"> <img
moz-do-not-send="true"
src="https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/81028530-5f84-4598-825b-f6465a83bae1?t=1416563040000">
<img moz-do-not-send="true"
src="https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/145aebe0-c393-49d7-8e1d-44c3c4d451dc?t=1416563040000">
<img moz-do-not-send="true"
src="https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bdad-40c3-b284-102c365c7b85?t=1416563040000"
height="36" width="64"><img
moz-do-not-send="true"
src="https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7a-8a22-818f518f0459?t=1421160152000"
height="44" width="116"></span></b></div>
<div><font size="1">_____________________________ </font></div>
<p><font size="1">This email and any files transmitted
with it are confidential and intended solely for
the use of the individual or entity to whom they
are addressed. If you have received this email in
error please notify the system manager. This
message contains confidential information and is
intended only for the individual named. If you are
not the named addressee you should not
disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if
you have received this e-mail by mistake and
delete this e-mail from your system. If you are
not the intended recipient you are notified that
disclosing, copying, distributing or taking any
action in reliance on the contents of this
information is strictly prohibited.</font></p>
<p><b>"<span style="color:rgb(11,83,148)"><font>SAVE
PAPER - THINK BEFORE YOU PRINT!</font></span>"
</b></p>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On 31 July 2015 at 10:23, Kevin Thorpe
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:kevin.thorpe@p-i.net" target="_blank">kevin.thorpe@p-i.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Sorry to bother you, but where has the user
federation mapper option gone in 1.4.0.Final?
<div><br>
</div>
<div>IIRC there was a page user federation > my_ldap
> mapper to map LDAP attributes to Keycloak user attributes. I can't find it now at all.</div>
</div>
<div class="gmail_extra"><span class=""><br clear="all">
<br>
</span>
<div>
<div class="h5">
<div class="gmail_quote">On 22 June 2015 at 14:49,
Kevin Thorpe <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:kevin.thorpe@p-i.net"
target="_blank">kevin.thorpe@p-i.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Brilliant, I'm waiting for it so
yes I'd like to try as soon as available.
<div><br>
</div>
</div>
<div class="gmail_extra"><span><br clear="all">
<br>
</span>
<div>
<div>
<div class="gmail_quote">On 22 June 2015 at
14:45, Marek Posolda <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Thanks for the info Kevin. I've
also created <a
moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-1490"
target="_blank">https://issues.jboss.org/browse/KEYCLOAK-1490</a>
for the sync issue. Will try to
address both issues for the next
release. Will let you know once it's
fixed in master if you want to try
it before the next release is out.<br>
<br>
Marek<br>
<br>
Dne 19.6.2015 v 17:45 Kevin Thorpe
napsal(a):<br>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">I agree with you on the delimiter option. That wouldn't require any database changes. For the small attribute applications I could wrap into a delimited string, but we have some others for fine-grained permissions/roles that can be dozens of already delimited strings. Roles in particular are:
<div><code>application|role|path/that/role/represents</code></div>
<div>I know it's very common to have multi-attributes in LDAP anyway, so this will affect others.</div>
<div><br>
</div>
<div>JIRA: <a
moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-1487"
target="_blank">https://issues.jboss.org/browse/KEYCLOAK-1487</a></div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br
clear="all">
<br>
<div class="gmail_quote">On 19
June 2015 at 15:22, Marek
Posolda <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div>Ouch, this is a bug<span><span> :-( </span></span><br>
<br>
Feel free to create a JIRA.<br>
<br>
The UserModel in the Keycloak DB has each attribute modelled as one string value. But I think I can address it with the usage of some delimiter, and then have a protocol mapper for the access token, which will handle it.<br>
<br>
So for example, if your LDAP user has 3 values of attribute "applications" with values "finance", "sales", "development", the attribute on the Keycloak UserModel will have a value like "finance###sales###development" (the sequence ### will be used as delimiter), but for the access token it will be divided again. So in your application, you will have the possibility to have something like:<br>
<br>
<code>Set<String> applications = accessToken.getOtherClaims().getAttribute("applications");</code><br>
<br>
which will return a set with 3 values "finance", "sales", "development".<span><font color="#888888"><br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
On 19.6.2015
15:22, Kevin
Thorpe wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote
type="cite">
<div dir="ltr">Ok, I think I understand. I tried 'sync all users' and got an error. Is this because applications is a multiple attribute? Obviously I will probably have access to more than one application.
<div>In the meantime I'll try a brand new user and see if that works.<br>
<div><br>
</div>
<div>Log
shows:
<div><br>
</div>
<div><pre>2015-06-19 14:19:26,361 INFO  [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-2) Sync all users from LDAP to local store: realm: master, federation provider: PI ordinary users
2015-06-19 14:19:26,611 ERROR [io.undertow.request] (default task-2) UT005023: Exception handling request to /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync: java.lang.RuntimeException: request path: /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.ClassCastException: java.util.TreeSet cannot be cast to java.lang.String
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
    ... 29 more
Caused by: java.lang.ClassCastException: java.util.TreeSet cannot be cast to java.lang.String
    at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)
    at org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)
    at org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
    at org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    ... 40 more
</pre></div>
<div><br>
</div>
</div>
</div>
</div>
<div
class="gmail_extra"><br
clear="all">
<br>
<div
class="gmail_quote">On
19 June 2015
at 13:50,
Marek Posolda
<span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div
bgcolor="#FFFFFF"
text="#000000">
<div>Thanks for the info. Now I think I know what's going on.<br>
<br>
The issue is that currently, when we import users from LDAP (federation in general), we sync the configured attributes to the Keycloak DB. But during searching, we don't sync the attributes from LDAP to the Keycloak DB anymore. So I guess you did the steps like this:<br>
- You first authenticated as LDAP user "joe" (or searched this user from the admin console), which imported this user into the Keycloak DB<br>
- Then you created the mapper for the 'applications' attribute. But user 'joe' was already imported into the Keycloak DB from the previous step, right?<br>
<br>
I believe that when you import some other user from LDAP, which does not yet exist in the Keycloak DB, the 'applications' attribute will be there. For the existing user, the only possibility right now is to use "Synchronize all users" or "Synchronize changed users" on the LDAP federation screen. This will update existing users in the Keycloak DB as well, so 'joe' will be updated.<br>
<br>
Please let me know if it helps. Looks like it's something we should address better in Keycloak.<span><font color="#888888"><br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
On 19.6.2015
11:56, Kevin
Thorpe wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote
type="cite">
<div dir="ltr">I had a hunch, so I added a record in USER_ATTRIBUTE for applications and it is getting passed in the JWT claims now. That squarely points at the LDAP federation part.
</div>
<div
class="gmail_extra"><br
clear="all">
<br>
<div class="gmail_quote">On 19 June 2015 at 10:42, Kevin Thorpe <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:kevin.thorpe@p-i.net"
target="_blank">kevin.thorpe@p-i.net</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">Hi Marek, thanks for the quick reply.
<div><br>
</div>
<div>1. I am definitely sure that the attributes I need are in the LDAP record.</div>
<div><br>
</div>
<div>2. Adding trace to federation.ldap shows my mapped attributes being read.</div>
<div><br>
</div>
<div>3. There is no USER_ATTRIBUTES table; I'm assuming you meant USER_ATTRIBUTE, but it doesn't have my attributes.</div>
<div>It does have a reference to my LDAP_ID so it looks like it should be here.</div>
<div><br>
</div>
<div>
<pre>MariaDB [keycloak]> select * from USER_ATTRIBUTE;
+---------+-------------------------------------+--------------------------------------+
| NAME    | VALUE                               | USER_ID                              |
+---------+-------------------------------------+--------------------------------------+
| LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 | 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
| LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 | 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
+---------+-------------------------------------+--------------------------------------+</pre>
</div>
<div><br>
</div>
<div>Thanks for your time on this.</div>
</div>
<div
class="gmail_extra"><br
clear="all">
<div>
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><font
color="#000000"><b>Kevin
Thorpe<br>
</b></font></div>
<div>CTO<br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div> <br>
<div class="gmail_quote">On 19 June 2015 at 10:15, Marek Posolda <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div
bgcolor="#FFFFFF"
text="#000000">
<div>There are a few steps here and the result will work only if all steps succeed. So it might help to try to find which step could be wrong here:<br>
<br>
1) You can double-check that your user really has the 'applications' attribute in LDAP<br>
<br>
2) If (1) is ok, you can enable TRACE logging for the "org.keycloak.federation.ldap" category in standalone.xml. With it, you should see some trace messages with the names and values of all LDAP attributes which are loaded into the user record. You should see the 'applications' attribute loaded<br>
<br>
3) If (2) is ok, you can browse the keycloak database and check if the attribute 'applications' is really there. The user attributes are saved in the table USER_ATTRIBUTES. Currently it's not possible to browse user attributes generically in the admin console (unless you do a custom theme), so browsing the DB seems to be the only possibility.<br>
<br>
4) If (3) is ok, the issue is not in the LDAP interaction, but in the protocol mapper configuration. Make sure you use the correct protocol mapper (in your case it should be the "User attributes" mapper, not the "User property" mapper). Also, if your application is Java based, the value of the 'applications' claim is saved in the accessToken in the 'otherClaims' map and can be retrieved with something like: accessToken.getOtherClaims().get("applications");<br>
<br>
Marek
<div>
<div><br>
<br>
<br>
On 18.6.2015
17:50, Kevin
Thorpe wrote:<br>
</div>
</div>
</div>
<blockquote
type="cite">
<div>
<div>
<div dir="ltr">
<div>Thanks to the team for 1.3.1. We were eagerly waiting for that to add LDAP attribute mappings, which I see has now been done. Unfortunately I can't seem to get it to work.</div>
<div><br>
</div>
<div>I have added a user attribute mapper to my ldap federation. This maps the LDAP attribute 'applications', which exists on my LDAP user record, to 'applications' in Keycloak. </div>
<div><br>
</div>
<div>I have also added a user attribute token mapper to my Keycloak client definition to map user attribute 'applications' to token claim 'applications'. I've also asked to add to both id and access token.</div>
<div><br>
</div>
<div>However this attribute is not present in either the ID or access token when testing. Is there something I've missed? </div>
<div><br>
</div>
<div>Something that may be an issue though is that I'm using a home-written openid-connect Lua client based on your javascript one. This uses the endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the openid-connect endpoint doesn't support these attributes yet?</div>
<br
clear="all">
<div>
<div>
<div dir="ltr">
<div dir="ltr">
<div><font
color="#000000"><b>Kevin
Thorpe<br>
</b></font></div>
<div>CTO, PI
ltd<br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
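<div>Added example, not code from the original thread: a small Python diagnostic for Marek's step 4, which decodes the id_token and access_token returned by the /auth/realms/master/protocol/openid-connect/token endpoint and reports which of the two actually carries the 'applications' claim. The token response and the unsigned sample tokens inside it are constructed here and are not real Keycloak output; the helper reads payloads only and performs no signature verification, so it is a troubleshooting aid, not an authorization check.</div>

```python
import base64
import json


def decode_jwt_payload(token):
    """Return the claims dict of a compact JWT (header.payload.signature).

    Payload only: the signature is NOT checked, so this is for diagnostics,
    never for trusting the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_presence(token_response, claim):
    """Map each token in a token endpoint response to whether it carries `claim`.

    A mapper that was only enabled for one token type shows up as a mismatch
    between id_token and access_token, which is what the thread is chasing.
    """
    result = {}
    for field in ("id_token", "access_token"):
        token = token_response.get(field)
        if token is not None:
            result[field] = claim in decode_jwt_payload(token)
    return result


def unsigned_jwt(claims):
    """Build an unsigned (alg none) JWT from a claims dict; constructed test data only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample response: the mapper populated the access token only.
SAMPLE_RESPONSE = {
    "token_type": "bearer",
    "id_token": unsigned_jwt({"sub": "constructed-user-id", "iss": "constructed-issuer"}),
    "access_token": unsigned_jwt({"sub": "constructed-user-id", "applications": ["crm", "billing"]}),
}

if __name__ == "__main__":
    print(claim_presence(SAMPLE_RESPONSE, "applications"))  # {'id_token': False, 'access_token': True}
```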
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>