You can set up "LDAP Filter" in the group-ldap-mapper configuration to
restrict the groups returned by this query:
"LDAP Filter adds an additional custom filter to the whole query for
retrieving LDAP groups. Leave this empty if no additional filtering is
needed and you want to retrieve all groups from LDAP. Otherwise make
sure that the filter starts with '(' and ends with ')'"
--Hynek
On Tue, May 23, 2017 at 12:33 PM, lists <lists(a)merit.unu.edu> wrote:
Hi,
Running keycloak 2.5.0 with AD federation provider. We configured the
group-ldap-mapper, this all works beautifully.
Created a simplesamlphp test page, and all AD groups memberships are
displayed in a list after a successful logon. Good start.
But now, to make this more secure and confidential, we would like to NOT
display ALL groups after login, but only send specific SAML attributes,
depending on group memberships.
So suppose a user is a member of AD group1, group2 and group3. We would
like to make a config to send attribute "group1", but keep the rest of
the groups hidden.
I'm sure this is _very_ basic functionality... But can anyone give us some
pointers/keywords on how to do this?
Best regards,
MJ
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
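An added example, not from this thread or from Keycloak itself: a small Python helper that builds the "LDAP Filter" value for group-ldap-mapper from the group names you want to expose (the names used here are constructed), escapes them per RFC 4515 so a group name cannot change the filter's meaning, and checks the '(' ... ')' shape that the Keycloak help text quoted above requires. The `(|...)` OR form used for several groups is standard LDAP filter syntax and is not something the thread describes.

```python
# Added example (not from the thread or the Keycloak project): build and check
# the "LDAP Filter" value for Keycloak's group-ldap-mapper so that only chosen
# AD groups are imported. Keycloak requires a non-empty filter to start with
# '(' and end with ')'. Group names are escaped per RFC 4515 so a name that
# contains '*', '(' or ')' cannot widen or break the filter.
# The group names passed in below are constructed samples.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_value(value: str) -> str:
    """Escape characters that have special meaning inside an LDAP filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(group_names, attr="cn") -> str:
    """Return a filter matching any of the given groups.

    One group yields (cn=group1); several yield (|(cn=group1)(cn=group2))."""
    names = [n for n in group_names if n]
    if not names:
        raise ValueError("at least one group name is required")
    clauses = [f"({attr}={escape_ldap_value(n)})" for n in names]
    if len(clauses) == 1:
        return clauses[0]
    return "(|" + "".join(clauses) + ")"


def is_valid_mapper_filter(ldap_filter: str) -> bool:
    """Check the shape the mapper expects: empty (no filtering), or a single
    filter wrapped in '(' ... ')' with balanced parentheses."""
    if ldap_filter == "":
        return True
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        return False
    depth, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":  # skip an escaped hex pair such as \28 or \29
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(ldap_filter) - 1:
                return False  # closed before the end: not one enclosing filter
        i += 1
    return depth == 0
```

For MJ's case (user in group1, group2 and group3, only group1 to be exposed), `build_group_filter(["group1"])` produces the value to paste into the mapper's LDAP Filter field.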