[keycloak-dev] Identity Provider Claim to Role Mapper new features

EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) external.Benjamin.Weimer at bosch-si.com
Fri Sep 13 08:26:11 EDT 2019


Hi,

sure, I have the following scenarios in mind:


1.)    Regex: If a user logs in with the identity provider, the organization of the user with a specific hierarchical pattern is sent, e.g. "organization": "INST_CSS_BSV_OS2". If a user is in an organization that starts with "INST_CSS" he should get the role "inst_css_user". With a regular expression as claim value you could map the claim "organization" with regex "INST_CSS.*" to the role "inst_css_user". Without regular expressions you need to specify every organization individually.

2.)    Multiple Claims: If a user logs in with the identity provider, the organization and a country for a user are sent. If a user comes from the "United States" and is in a "CSS" organization, I would like to assign the role "css_us_user". This would be possible if multiple claims are supported in the claim to role mapper.

Best regards

Benjamin Weimer
INST-CSS/BSV-OS2

Tel. +49 30 726112-0

From: Stian Thorgersen <sthorger at redhat.com>
Sent: Friday, 13 September 2019 11:02
To: EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com>
Cc: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] Identity Provider Claim to Role Mapper new features

Could you provide some use-cases/examples please?

On Wed, 11 Sep 2019 at 09:22, EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com> wrote:
Hi,

I would like to contribute features to the Identity Provider Claim to Role Mapper.


1.)    Regex support for claim values: My suggestion for this feature is to introduce a new checkbox in the Claim to Role Mapper to turn regex support for the claim value on or off. By default the regex box is unchecked, so currently existing mappers won't change.

2.)    Support for multiple claims: Instead of providing one claim and one claim value, the idea is to provide a map of claim -> claim value. The role will be assigned when all provided claims match the token. Is it okay to change the existing Claim to Role Mapper for this feature or should I rather introduce a new mapper for this, e.g. Multiple Claim to Role Mapper?

What are your thoughts on that? Do these two features have a chance to be contributed?

Best regards

Benjamin Weimer
INST-CSS/BSV-OS2

Tel. +49 30 726112-0
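The matching semantics proposed in both messages of this thread (a regex-enabled claim value, and a map of claims that must all match before a role is granted) as an added example in Python. This is not Keycloak's mapper code and uses none of its SPI; the token, the mapper definitions and the role names are constructed for illustration, reusing the values from the scenarios above. Two details matter for not over-granting roles: the regex is applied with `fullmatch`, so "INST_CSS.*" does not match an organization that merely contains "INST_CSS", and a mapper with an empty claim map grants nothing instead of matching every token.

```python
import re

# Constructed sample token claims (not taken from the thread).
SAMPLE_TOKEN = {
    "sub": "user-123",
    "organization": "INST_CSS_BSV_OS2",
    "country": "United States",
    "groups": ["developers", "css-admins"],  # list-valued claim
}


def claim_matches(token, claim, expected, use_regex=False):
    """Return True if `claim` in `token` matches `expected`.

    use_regex=False: exact string comparison (the current mapper behaviour).
    use_regex=True:  `expected` is a pattern that must match the WHOLE claim
                     value (re.fullmatch). An unanchored search would let
                     "INST_CSS.*" match "XINST_CSS_..." and grant the role
                     to the wrong organization.
    A list-valued claim matches if any of its elements matches.
    A missing claim never matches.
    """
    if claim not in token:
        return False
    values = token[claim]
    if not isinstance(values, list):
        values = [values]
    values = [str(v) for v in values]
    if use_regex:
        pattern = re.compile(expected)  # re.error on an invalid pattern is left to the caller
        return any(pattern.fullmatch(v) is not None for v in values)
    return any(v == expected for v in values)


def roles_for_token(token, mappers):
    """Evaluate a list of mapper definitions against one token.

    Each mapper is a dict: {"role": str, "claims": {claim: expected}, "regex": bool}.
    A role is granted only when every claim in the mapper matches (AND semantics).
    An empty claim map is treated as a misconfiguration and grants nothing;
    otherwise all([]) would be True and the role would go to every user.
    """
    granted = set()
    for m in mappers:
        claims = m.get("claims") or {}
        if not claims:
            continue
        use_regex = m.get("regex", False)
        if all(claim_matches(token, c, v, use_regex) for c, v in claims.items()):
            granted.add(m["role"])
    return granted


# Constructed mapper definitions mirroring the two scenarios in the thread.
MAPPERS = [
    # Scenario 1: one claim, regex-enabled.
    {"role": "inst_css_user", "claims": {"organization": "INST_CSS.*"}, "regex": True},
    # Scenario 2: several claims, all must match.
    {"role": "css_us_user",
     "claims": {"organization": "INST_CSS.*", "country": "United States"},
     "regex": True},
    # Existing behaviour: exact match on a single claim, regex box unchecked.
    {"role": "legacy_role", "claims": {"organization": "INST_CSS_BSV_OS2"}},
    # Must not be granted for the sample token: country differs.
    {"role": "css_de_user",
     "claims": {"organization": "INST_CSS.*", "country": "Germany"},
     "regex": True},
    # Misconfigured mapper with no claims: must grant nothing.
    {"role": "everyone", "claims": {}},
]


if __name__ == "__main__":
    print(sorted(roles_for_token(SAMPLE_TOKEN, MAPPERS)))
```

Running the block prints the roles granted for the sample token. Swapping `fullmatch` for `search` is the one-line change that turns a prefix rule into a substring rule, which is why a regex option on a role mapper deserves a test for tokens whose claim value only contains the expected prefix.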

_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev