3:30 a.m.
Hi, there ,
Let me try to describe the case first.
We are using SAML 2.0 ID broker to authenticate the users. From the returned assertions,
we can only get the user's ID number. So far as we know ,there will be thousands of
users . In ID provider system,there is no role concept ,so not possible to return us the
Role claim.
Now we want to assign roles to those users in keycloak . We made a rule .For example, if
the ID number is less than 100, we assign Role A to this user.If ID number is between 101
and 1000, we assign Role B to it , and so on.
Of course We can do this manually one by one in admin console. but for thousands of users,
it doesn't make much sense.
We notice there is a Mapper button when configuring the ID provider, is there any wayto
achieve our goal with that mechanism?
Thanks a lot.
Mai
5:58 a.m.
You may need to write custom IdentityProviderMapper. See the docs for
how to implement custom SPI:
http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
Also you can take a look at our provider examples.
Marek
On 10/12/15 10:30, Mai Zi wrote:
Hi, there ,
Let me try to describe the case first.
We are using SAML 2.0 ID broker to authenticate the users.
From the returned assertions, we can only get the user's ID number.
So far as we know ,there will be thousands of users . In ID provider
system,
there is no role concept ,so not possible to return us the Role claim.
Now we want to assign roles to those users in keycloak . We made a rule .
For example, if the ID number is less than 100, we assign Role A to
this user.
If ID number is between 101 and 1000, we assign Role B to it , and so on.
Of course We can do this manually one by one in admin console. but for
thousands of
users, it doesn't make much sense.
We notice there is a Mapper button when configuring the ID provider,
is there any way
to achieve our goal with that mechanism?
Thanks a lot.
Mai
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:13 a.m.
So, you are using brokering correct? This is completely undocumented,
but you can write your own broker mapper that is invoked when the user
is imported.
Here's some examples:
https://github.com/keycloak/keycloak/tree/master/broker/saml/src/main/jav...
https://github.com/keycloak/keycloak/blob/master/broker/saml/src/main/res...
On 12/10/2015 4:30 AM, Mai Zi wrote:
Hi, there ,
Let me try to describe the case first.
We are using SAML 2.0 ID broker to authenticate the users.
From the returned assertions, we can only get the user's ID number.
So far as we know ,there will be thousands of users . In ID provider system,
there is no role concept ,so not possible to return us the Role claim.
Now we want to assign roles to those users in keycloak . We made a rule .
For example, if the ID number is less than 100, we assign Role A to this
user.
If ID number is between 101 and 1000, we assign Role B to it , and so on.
Of course We can do this manually one by one in admin console. but for
thousands of
users, it doesn't make much sense.
We notice there is a Mapper button when configuring the ID provider, is
there any way
to achieve our goal with that mechanism?
Thanks a lot.
Mai
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3322
days inactive
3322
days old
2 comments
3 participants
participants (3)
-
Bill Burke -
Mai Zi -
Marek Posolda