Hi Thomas,
This actually depends on the mapper you are using. For example, the OIDC ClaimToRoleMapper
does update the user when he logs in (see
https://github.com/keycloak/keycloak/blob/3fbfc6c7e61c2cf7cdc75fa8d75ca11...);
others don't do that (e.g.
https://github.com/keycloak/keycloak/blob/3fbfc6c7e61c2cf7cdc75fa8d75ca11...).
In the second case, I assume this might be a bug.
The SAML AttributeToRoleMapper you are probably using should actually update the user on
login, see
https://github.com/keycloak/keycloak/blob/3fbfc6c7e61c2cf7cdc75fa8d75ca11....
Best regards,
Sebastian
Dr.-Ing. Sebastian Schuster
Open Source Services (INST-CSS/BSV-OS2)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
www.bosch-si.com
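As an added illustration of the distinction Sebastian draws (this is not Keycloak's own code and not the code behind the truncated commit links above), here is a custom OIDC mapper that makes the same role decision in both importNewUser and updateBrokeredUser, so an existing user's role follows the claim on every login and is revoked when the claim disappears. The class name and mapper id are hypothetical; the Keycloak SPI types used are the standard ones from the keycloak-server-spi and services modules.

```java
// Hypothetical class name and mapper id; added illustration, not Keycloak's own mapper code.
import java.util.Arrays;
import java.util.List;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.mappers.AbstractClaimMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.ConfigConstants;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderConfigProperty;

public class SyncedClaimToRoleMapper extends AbstractClaimMapper {
    private static final String[] COMPATIBLE_PROVIDERS = {
            KeycloakOIDCIdentityProviderFactory.PROVIDER_ID, OIDCIdentityProviderFactory.PROVIDER_ID };
    private static final List<ProviderConfigProperty> CONFIG = Arrays.asList(
            new ProviderConfigProperty(CLAIM, "Claim", "Claim to inspect", ProviderConfigProperty.STRING_TYPE, null),
            new ProviderConfigProperty(CLAIM_VALUE, "Claim Value", "Required value", ProviderConfigProperty.STRING_TYPE, null),
            new ProviderConfigProperty(ConfigConstants.ROLE, "Role", "Role kept in sync", ProviderConfigProperty.ROLE_TYPE, null));
    @Override public String getId() { return "example-synced-claim-to-role-mapper"; }
    @Override public String[] getCompatibleProviders() { return COMPATIBLE_PROVIDERS; }
    @Override public String getDisplayCategory() { return "Role Importer"; }
    @Override public String getDisplayType() { return "Synced Claim to Role"; }
    @Override public String getHelpText() { return "Grants the role while the claim matches, revokes it otherwise."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }
    // First login of a brokered user: same decision as on every later login.
    @Override public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
            IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        syncRole(realm, user, mapperModel, context);
    }
    // Every later login: the hook a mapper must implement for existing users to be updated at all.
    @Override public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
            IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        syncRole(realm, user, mapperModel, context);
    }
    private void syncRole(RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel,
            BrokeredIdentityContext context) {
        String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
        boolean claimMatches = hasClaimValue(mapperModel, context);
        if (claimMatches && !user.hasRole(role)) user.grantRole(role);               // claim present: ensure role
        else if (!claimMatches && user.hasRole(role)) user.deleteRoleMapping(role);  // claim gone: revoke it
    }
}
```

A mapper whose updateBrokeredUser is left as the no-op inherited from AbstractIdentityProviderMapper shows exactly the symptom in the question below: mappings added after the first login never reach existing users, and stale roles are never revoked.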
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On behalf of Konsulent Thomas Isaksen (TNO)
Sent: Tuesday, 3 September 2019 13:59
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Mapping Claims from Identity providers
I have configured Azure as my identity provider and I am assigning roles to my users in
Keycloak based on claims I get from Azure.
Once I have defined one or more Role Mappers and sign in with my Keycloak user for the
first time the mapping is done and working as expected, however, once I create additional
mappings the roles of the user are no longer updated. The only way to get an updated
mapping is to delete my Keycloak user and sign in again.
I tried to look it up in the documentation:
Mapping Claims and Assertions
https://www.keycloak.org/docs/3.2/server_admin/topics/identity-broker/map...
..
"Each new user that logs into your realm via an external identity provider will have
an entry for it created in the local Keycloak database. The act of importing metadata from
the SAML or OIDC assertions and claims will create this data with the local realm
database."
...
Does this mean that I cannot expect new claim mappings to apply to existing users? Is
there any way to do this?
(I did send this message in April but it never showed up in the mailing list.)
--
Thomas Isaksen
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user