Dear all,
 
I have a question regarding the User Storage Federation (https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/user-federation.html) with respect to LDAP as an external user database and the available mappers.
 
Current situation:
Right now I’m able to map roles that are assigned to users and defined in LDAP to Keycloak with the existing Role Mapper, e.g. an Administrator/User role for a specific application.
 
The JWT output then contains a section like this:
 
"resource_access": {
    "myApp": {
      "roles": [
        "Administrator"
      ]
    }
}
 
 
Desired solution:
Is it possible out of the box to use the existing Role Mapper, as described in chapter https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/user-federation/ldap.html, to map composite roles defined in Keycloak to LDAP?
The thing is, in the end I want to define composite roles in LDAP that collect finer user rights under certain “container” roles (like Users, Editors, Administrator) and map them, and respectively the finer-grained rights, to Keycloak, so that the granted user rights are provided in the JWT.
 
e.g.
Rights/Roles:
 
Composite Roles:
 
 
The final result in the JWT should then contain a section something like this, where the composite role is automatically resolved into the more specific single rights:
 
"resource_access": {
    "myApp": {
      "roles": [
        "read page",
        "delete page"
      ]
    }
}
 
Or is Keycloak designed in such a way that the finer rights can be stored in LDAP but the composition is done afterwards in Keycloak?
 
Thanks,
Christian
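As an added illustration of the behaviour the mail asks for (this is example code, not from the original mail or from Keycloak itself), the following resolves a "container" role into the single rights that would end up in the resource_access claim. The role hierarchy, the client id "myApp" and the right names are constructed for the example; whether Keycloak also keeps the container role name in the token is left as a switch, since the mail's desired output lists only the single rights.

```python
"""Resolve composite ("container") roles into effective single rights.

Added example, not Keycloak code.  The hierarchy below is constructed:
a key is a composite role, its value the roles it contains; a role that
is not a key is a plain right (leaf role).
"""
import json

COMPOSITES = {
    "Editors": ["read page", "delete page"],
    "Administrator": ["Editors", "manage users"],
}


def expand_roles(assigned, composites=COMPOSITES, include_composites=False):
    """Return the sorted effective roles for the roles assigned to a user.

    Composite roles are resolved transitively.  A role that has already
    been visited is skipped, so a cyclic definition (A contains B, B
    contains A) terminates instead of looping forever.
    """
    effective = set()
    seen = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        members = composites.get(role)
        if members is None:
            effective.add(role)            # leaf role: a granted right
        else:
            if include_composites:
                effective.add(role)        # optionally keep the container name
            stack.extend(members)          # composite: walk its members
    return sorted(effective)


def resource_access_claim(client_id, assigned, composites=COMPOSITES):
    """Build the resource_access section as it would appear in the JWT."""
    roles = expand_roles(assigned, composites)
    return {"resource_access": {client_id: {"roles": roles}}}


if __name__ == "__main__":
    print(json.dumps(resource_access_claim("myApp", ["Editors"]), indent=2))
```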