Re: [keycloak-user] User roles deleted after SSO idle session expires

Hi, I'm using Azure Active Directory to authenticate users and I have setup custom mappers to import roles (mapping groups from Active Directory to Keycloak roles). I'm pretty sure the scenario was not working before. There was a lot of development on the front-end application so we didn't notice the problem until we started using it. When the problem occurs for a user, he's still logged in to the application but all the features are disabled because he has no role (The assigned roles section in keycloak is empty). The logs I sent yesterday mention: DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-1) Token will not be stored for identity provider [microsoft] which is logged in the method IdentityBrokerService.authenticated(BrokeredIdentityContext context) Going through that method, I found this piece of code: Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); if (mappers != null) { KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); for (IdentityProviderMapperModel mapper : mappers) { IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); target.preprocessFederatedIdentity(session, realmModel, mapper, context); } } That's why I suspect that the mappers are not triggered. Thanks! On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: