Thanks,
The regexp option on the current mapper makes sense to me. There is a bit
of a lack of testing around mappers today though, so we would need to make
sure the current test, if it exists, is extended, or one is created.
For multiple claims I think it may be better to have a new mapper for it,
but not 100% sure. On one side the current mapper starts getting too many
options/configurations, but on the other hand the multiple claims mapper
may turn out to be just a copy of the current one with the addition of
supporting multiple claims. Do you have any idea how it would be
configured/look like?
On Fri, 13 Sep 2019 at 14:26, EXTERNAL Weimer Benjamin (TNG,
INST-CSS/BSV-OS2) <external.Benjamin.Weimer(a)bosch-si.com> wrote:
Hi,
sure, I have the following scenarios in mind:
1.) Regex: If a user logs in with the identity provider, the
organization of the user with a specific hierarchical pattern is sent, e. g.
"organization": "INST_CSS_BSV_OS2". If a user is in an organization that
starts with "INST_CSS" he should get the role "inst_css_user". With a
regular expression as claim value you could map the claim "organization"
with regex "INST_CSS.*" to the role "inst_css_user". Without regular
expressions you need to specify every organization individually.
2.) Multiple Claims: If a user logs in with the identity provider, the
organization and a country for a user is sent. If a user comes from the
"United States" and is in a "CSS" organization I would like to assign the
role "css_us_user". This would be possible if multiple claims are supported
in the claim to role mapper.
Best regards
*Benjamin Weimer INST-CSS/BSV-OS2*
Tel. +49 30 726112-0
*From:* Stian Thorgersen <sthorger(a)redhat.com>
*Sent:* Friday, 13 September 2019 11:02
*To:* EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <
external.Benjamin.Weimer(a)bosch-si.com>
*Cc:* keycloak-dev(a)lists.jboss.org
*Subject:* Re: [keycloak-dev] Identity Provider Claim to Role Mapper new
features
Could you provide some use-cases/examples please?
On Wed, 11 Sep 2019 at 09:22, EXTERNAL Weimer Benjamin (TNG,
INST-CSS/BSV-OS2) <external.Benjamin.Weimer(a)bosch-si.com> wrote:
Hi,
I would like to contribute features to the Identity Provider Claim to Role
Mapper.
1.) Regex support for claim values: My suggestion for this feature is
to introduce a new checkbox in the Claim to Role Mapper to turn regex
support for claim value on or off. By default the regex box is unchecked,
so currently existing mappers won't change.
2.) Support for multiple claims: Instead of providing one claim and one
claim value the idea is to provide a map of claim -> claim value. The role
will be assigned when all provided claims match the token. Is it okay to
change the existing Claim to Role Mapper for this feature or should I
rather introduce a new mapper for this, e. g. Multiple Claim to Role Mapper?
What are your thoughts on that? Do these two features have a chance to be
contributed?
Best regards
Benjamin Weimer
INST-CSS/BSV-OS2
Tel. +49 30 726112-0
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
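
Added example, not part of the thread and not Keycloak code: a sketch of the matching rule the two scenarios above describe (regex claim values, and a role granted only when all configured claims match). The class and method names are hypothetical, the tokens are constructed samples, and full-value matching is an assumption made here so that "INST_CSS.*" cannot match a value that merely contains "INST_CSS".

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration; names are hypothetical and this is not Keycloak's mapper API.
public class ClaimRoleMatchExample {

    // True only when every configured claim is present in the token and its
    // whole value matches the configured pattern (scenario 2: all claims must match).
    static boolean allClaimsMatch(Map<String, Pattern> required, Map<String, Object> token) {
        if (required.isEmpty()) {
            return false; // an empty rule must not grant the role to everyone
        }
        for (Map.Entry<String, Pattern> rule : required.entrySet()) {
            Object value = token.get(rule.getKey());
            if (value == null || !anyValueMatches(rule.getValue(), value)) {
                return false; // a missing claim never counts as a match
            }
        }
        return true;
    }

    // A claim may hold one value or a list of values. matches() anchors the
    // pattern to the full value, unlike find(), so "INST_CSS.*" rejects "XINST_CSS_BSV".
    static boolean anyValueMatches(Pattern pattern, Object value) {
        List<?> values = value instanceof List ? (List<?>) value : List.of(value);
        return values.stream()
                .anyMatch(v -> v != null && pattern.matcher(String.valueOf(v)).matches());
    }

    public static void main(String[] args) {
        // Rule for the role "css_us_user": regex on one claim, literal on the other.
        Map<String, Pattern> rule = new LinkedHashMap<>();
        rule.put("organization", Pattern.compile("INST_CSS.*"));
        rule.put("country", Pattern.compile(Pattern.quote("United States")));

        // Constructed sample tokens.
        Map<String, Object> member = Map.of("organization", "INST_CSS_BSV_OS2", "country", "United States");
        Map<String, Object> lookalike = Map.of("organization", "XINST_CSS_BSV", "country", "United States");
        Map<String, Object> noCountry = Map.of("organization", "INST_CSS_BSV_OS2");

        System.out.println("member:    " + allClaimsMatch(rule, member));
        System.out.println("lookalike: " + allClaimsMatch(rule, lookalike));
        System.out.println("noCountry: " + allClaimsMatch(rule, noCountry));
    }
}
```

Only the first token satisfies the rule; a test for such a mapper would cover the prefixed look-alike value and the missing claim as negative cases.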