You can do it with the built-in Keycloak "User Attribute" protocol mapper. In
the admin console under clients (or client template if you want to reuse the
same mapper in more client applications), you can create this mapper.
If the mapped attribute is found on the user himself, it has precedence.
Otherwise Keycloak will try to search all groups which the user is a member
of, and look for the attribute inside those groups (or respectively also
their parent groups).
So if you have both the Group LDAP mapper and this UserAttribute protocol
mapper, you can map attributes of the LDAP group to the JWT access token
issued to the user.
Marek
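The lookup order described above (user attribute first, then the user's groups, then each group's parent chain), modelled as an added example. This is an illustrative re-implementation written for this page, not Keycloak's own mapper code; the group hierarchy, users, attribute names and claim names are constructed sample data.

```python
"""Model of the 'User Attribute' protocol mapper lookup order: a value on the
user wins, otherwise the user's groups and their parent groups are searched.
Added example, not Keycloak's code; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Group:
    name: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    parent: Optional["Group"] = None


@dataclass
class User:
    username: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    groups: List[Group] = field(default_factory=list)


def resolve_attribute(user: User, name: str) -> Optional[List[str]]:
    """Return the values the mapper would put in the token for `name`.

    1. A value set directly on the user takes precedence.
    2. Otherwise every group the user is a member of is checked, walking
       each group's parent chain up to the root.
    3. None when nothing matches (the mapper then adds no claim).
    """
    if name in user.attributes:
        return user.attributes[name]
    for group in user.groups:
        current: Optional[Group] = group
        while current is not None:
            if name in current.attributes:
                return current.attributes[name]
            current = current.parent
    return None


def build_claims(user: User, mappings: Dict[str, str]) -> Dict[str, object]:
    """Apply several mappers at once: attribute name -> claim name."""
    claims: Dict[str, object] = {}
    for attr_name, claim_name in mappings.items():
        values = resolve_attribute(user, attr_name)
        if values is None:
            continue
        # Single-valued attributes are emitted as a plain string, multivalued
        # ones as a list (a convention chosen for this example).
        claims[claim_name] = values[0] if len(values) == 1 else values
    return claims


# Constructed sample data: a group hierarchy whose attributes a Group LDAP
# mapper with "Mapped Group Attributes" would have copied from LDAP.
ENGINEERING = Group("engineering",
                    {"description": ["All engineers"], "cost_center": ["CC-100"]})
BACKEND = Group("backend", {"description": ["Backend team"]}, parent=ENGINEERING)
ALICE = User("alice", {"department": ["R&D"]}, groups=[BACKEND])
BOB = User("bob", {"description": ["Contractor"]}, groups=[BACKEND])

# attribute name -> claim name, as several "User Attribute" mappers would be configured
MAPPINGS = {"department": "dept", "description": "descr",
            "cost_center": "cc", "missing": "never_emitted"}

if __name__ == "__main__":
    print(build_claims(ALICE, MAPPINGS))
    print(build_claims(BOB, MAPPINGS))
```

Note what the precedence rule implies for a relying party: `bob` carries a `description` attribute on his own user object, so the group's value never reaches his token. Whoever can write that attribute on the user (an admin, an import, or a self-service flow) can therefore shadow the group-derived claim, so a client should not treat such a claim as authoritative group data unless user-level writes to that attribute are controlled.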
On 03/02/16 15:36, Edgar Vonk - Info.nl wrote:
Hi Marek,
Somewhat related: we would like to have certain LDAP group attributes end up in the
user’s JWT tokens as well so that we can use this data in our client.
The Group Membership Mapper places the name of the (LDAP) group in the token but what
would we need to do to get group attributes in there as well? I guess we would then need
to extend the Group Membership Mapper and add a mapping of group attributes there?
Or for now I guess we could use the Keycloak REST API from our client to retrieve all the
group information for a user using the 'GET /admin/realms/{realm}/users/{id}/groups'
endpoint.
cheers
> On 03 Feb 2016, at 14:55, Edgar Vonk - Info.nl <Edgar(a)info.nl> wrote:
>
> Ah, you are right. Sorry, overlooked that completely. Seems fine for us at the
> moment. Thanks.
>
>> On 03 Feb 2016, at 14:06, Marek Posolda <mposolda(a)redhat.com> wrote:
>>
>> This is actually supported. If you look at the LDAP Group mapper, you can see the field
>> "Mapped Group Attributes". Here you can specify a list of attributes, which will
>> be mapped from the LDAP group to the Keycloak group and vice versa.
>>
>> There is one limitation, that the name of the attribute needs to be the same in both places
>> (i.e. you can map LDAP attribute "description" to Keycloak attribute
>> "description", but you can't map LDAP attribute "description" to
>> Keycloak attribute "foo"). Feel free to create a JIRA if this is limiting you.
>> I've actually gone the simple way, but it can be improved if there is additional demand.
>>
>> Marek
>>
>> On 02/02/16 17:45, Edgar Vonk - Info.nl wrote:
>>> Hi,
>>>
>>> If I am correct there is no LDAP Group Attribute mapper in Keycloak, right?
>>> There is a User Attribute mapper and there is a Group Mapper, but group attributes in LDAP
>>> cannot be synched to and from Keycloak at the moment?
>>>
>>> I guess it should not be too hard to write an LDAP Group Attribute mapper
>>> should we want to?
>>>
>>> cheers
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user