[keycloak-dev] Dynamic SAML roles to user mapper

Heger Oliver (INST-IOT/ESB) Oliver.Heger at bosch-si.com
Fri Jun 7 07:35:25 EDT 2019


Hi all,

For an external customer we need to bring together the SAML IDP of the customer
as the leading system for user data with our services that only support OIDC.
We think Keycloak could fit very well as some kind of mediator between the
customer's IDP and our OIDC-based services.

The services expect JWTs containing basic user data and also a list with all
the roles the user has. With the mappers available in Keycloak a JWT
can be constructed that contains the desired information. But now it can happen
that the roles model is extended in agreement between the IDP and the client
services. As we understand it, in order to support the newly added roles, they
would have to be added manually into Keycloak before they can be referenced by
the existing SAML Attribute to Role mapper.

This manual step we would like to avoid. In our ideal scenario, Keycloak would
just be an infrastructure component handling the SAML to OIDC conversion. With
respect to the roles assigned to users, it should be agnostic and simply
copy the information it receives from the SAML IDP verbatim.

To achieve this we are thinking about implementing a custom mapper that allows dealing
with roles in this way. It would read the roles from a configurable attribute
of the SAML response and assign them to the user affected in the Keycloak data
model. If a role was encountered that did not exist yet, it would be newly
created. That way the roles model used by Keycloak would adapt itself
dynamically to the model used by the parties involved, and no manual updates
would be required.

Do you think there is an easier solution for this problem than writing a custom
mapper?

If the answer is no, would you be interested in such a mapper implementation?
We would be happy to contribute it. In our opinion this feature would strengthen
the brokering facilities of Keycloak.

Thank you and kind regards

Oliver Heger

(INST-IOT/ESB)
Bosch Software Innovations GmbH | Stuttgarter Straße 130 | 71332 Waiblingen | GERMANY | www.bosch-si.com
Tel. +49 711 811-58473 | Fax +49 711 811-58200 | oliver.heger at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
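
The mapper logic proposed in this message, as an added example that is not code from the post or from Keycloak: it reads role values from a configurable SAML attribute, creates roles that do not exist yet and assigns them to the user. The function names, the role-name pattern, the protected-role set and the sample assertion are assumptions made for illustration; the realm and user are modelled as plain sets.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_NAME = re.compile(r"[A-Za-z0-9_.:-]{1,64}")  # assumed naming policy

# Constructed sample. Assumed to come from a response whose signature and
# conditions were already verified by the broker.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>device-admin</saml:AttributeValue>
      <saml:AttributeValue>fleet-viewer</saml:AttributeValue>
      <saml:AttributeValue>realm-admin</saml:AttributeValue>
      <saml:AttributeValue>bad role&lt;script&gt;</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def roles_from_assertion(xml_text, attribute_name):
    """Return the distinct values of the configured attribute, in order."""
    root = ET.fromstring(xml_text)
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text and text not in roles:
                roles.append(text)
    return roles

def sync_roles(realm_roles, user_roles, asserted, protected=frozenset()):
    """Grant asserted roles, creating missing ones; return (created, rejected)."""
    created, rejected = [], []
    for name in asserted:
        # Copying roles verbatim lets the IdP grant any role name it sends,
        # so malformed names and locally reserved roles are refused here.
        if not ROLE_NAME.fullmatch(name) or name in protected:
            rejected.append(name)
            continue
        if name not in realm_roles:
            realm_roles.add(name)  # role is new to the realm: create it
            created.append(name)
        user_roles.add(name)
    return created, rejected
```

Rejected names are worth logging, since they show when the IdP's role model and the broker's policy have drifted apart.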




