<div dir="ltr">I'm trying to use ADFS as a SAML identity provider, then use OIDC to authenticate an application on JBoss EAP.<div><br></div><div>The IDP redirects to AD and back to Keycloak seem to work fine, and a list of groups is provided as an assertion. When I debug within the protected application, however, the groups from the SAML assertion are not passed through. If I make a role in Keycloak and manually assign it to a user, it does get passed through. </div><div><br></div><div>Is this something that should be supported and I'm just not configuring something right?</div><div><br></div><div>Environment: Keycloak 1.9.2.Final running on OpenShift Enterprise 3.1.</div><div><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font size="1">----</font><br><span><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(32,18,77);font-weight:bold;vertical-align:baseline;white-space:pre-wrap">Jason Hobbs</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11px;font-family:Arial;color:rgb(68,68,68);vertical-align:baseline;white-space:pre-wrap">Lead Engineer Shop Floor Systems</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11px;font-family:Arial;color:rgb(68,68,68);vertical-align:baseline;white-space:pre-wrap">Email: </span><span style="font-size:11px;font-family:Arial;color:rgb(17,85,204);vertical-align:baseline;white-space:pre-wrap"><a href="mailto:Jason.Hobbs@shawinc.com" target="_blank">Jason.Hobbs@shawinc.com</a></span><span style="font-size:11px;font-family:Arial;color:rgb(68,68,68);vertical-align:baseline;white-space:pre-wrap"> | Office: (706) 532-3858 | </span><a href="https://www.google.com/calendar/embed?src=jason.hobbs@shawinc.com&ctz=America/New_York&mode=week&pli=1" style="text-decoration:none" target="_blank"><span style="font-size:11px;font-family:Arial;color:rgb(17,85,204);text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Calendar</span></a></p><span style="font-size:11px;font-family:Arial;color:rgb(68,68,68);font-weight:bold;vertical-align:baseline;white-space:pre-wrap">Shaw Industries Group Inc. | </span><span style="font-size:11px;font-family:Arial;color:rgb(68,68,68);vertical-align:baseline;white-space:pre-wrap">201 S. Hamilton St., Dalton, GA 30720 | MD 0IS-01 | </span><a href="http://shawfloors.com/" style="text-decoration:none" target="_blank"><span style="font-size:11px;font-family:Arial;color:rgb(17,85,204);text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">shawfloors.com</span></a></span><br></div></div></div></div></div></div></div></div></div>
</div></div>
<br>
<div><font face="Arial" size="1">******************************<WBR>****************************</font></div><div><font face="Arial" size="1">Privileged and/or confidential information may be contained in this message. If you are not the addressee indicated in this message (or are not responsible for delivery of this message to that person) , you may not copy or deliver this message to anyone. In such case, you should destroy this message and notify the sender by reply e-mail.</font></div><div><font face="Arial" size="1">If you or your employer do not consent to Internet e-mail for messages of this kind, please advise the sender.</font></div><div><font face="Arial" size="1">Shaw Industries does not provide or endorse any opinions, conclusions or other information in this message that do not relate to the official business of the company or its subsidiaries.</font></div><div><font face="Arial" size="1">******************************<WBR>****************************</font></div><div><br></div>