Re: [keycloak-user] retrieving group membership info from LDAP/AD

On 30/12/15 18:42, Mahantesh Prasad Katti wrote: The feature to get LDAP roles and map them to specific roles in Keycloak is available. We have LDAP Role Mapper (See documentation http://keycloak.github.io/docs/userguide/keycloak-server/html/user_federa... and our ldap example for details). The thread "Apply group membership filter on ldap login" is more about restricting that some LDAP users are not able to login at all (For example, specify that just users, which are members of LDAP group "cn=mygroup,o=myorg,dc=example,dc=com" are able to login and all the other users are filtered). This will be available from 1.8 release (it's in master already). Keycloak provides SSO and authentication. Once you authenticate, your application will receive access token with the roles of user from Keycloak (We have stuff like scope, protocol mappers etc, which allows better control under what exactly will go to access token. See docs and examples for details). Then it's up to the application how it interprets roles from accessToken . The authorization needs to be actually done by application itself (unless it's JEE application where we have mapping of accessToken roles to JEE roles. Again see examples). We have separate subproject under development (no official release yet available), which will allow more authorization possibilities. Marek