[keycloak-dev] Identity Provider Claim to Role Mapper new features

Stian Thorgersen sthorger at redhat.com
Mon Sep 16 04:48:51 EDT 2019


Thanks,

The regexp option on the current mapper makes sense to me. There is a bit
of a lack of testing around mappers today though, so we would need to make
sure the current test, if it exists, is extended, or one is created.

For multiple claims I think it may be better to have a new mapper for it,
but not 100% sure. On one side the current mapper starts getting too many
options/configurations, but on the other hand the multiple claims mapper
may turn out to be just a copy of the current one with the addition of
supporting multiple claims. Do you have any idea how it would be
configured/look like?

On Fri, 13 Sep 2019 at 14:26, EXTERNAL Weimer Benjamin (TNG,
INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com> wrote:

> Hi,
>
>
>
> sure, I have the following scenarios in mind:
>
>
>
> 1.)    Regex: If a user logs in with the identity provider, the
> organization of the user with a specific hierarchical pattern is sent, e.g.
> "organization": "INST_CSS_BSV_OS2". If a user is in an organization that
> starts with "INST_CSS" he should get the role "inst_css_user". With a
> regular expression as claim value you could map the claim "organization"
> with regex "INST_CSS.*" to the role "inst_css_user". Without regular
> expressions you need to specify every organization individually.
>
> 2.)    Multiple Claims: If a user logs in with the identity provider, the
> organization and a country for a user are sent. If a user comes from the
> "United States" and is in a "CSS" organization I would like to assign the
> role "css_us_user". This would be possible if multiple claims are supported
> in the claim to role mapper.
>
>
>
> Best regards
>
>
>
> *Benjamin Weimer INST-CSS/BSV-OS2 *
> Tel. +49 30 726112-0
>
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Friday, 13 September 2019 11:02
> *To:* EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <
> external.Benjamin.Weimer at bosch-si.com>
> *Cc:* keycloak-dev at lists.jboss.org
> *Subject:* Re: [keycloak-dev] Identity Provider Claim to Role Mapper new
> features
>
>
>
> Could you provide some use-cases/examples please?
>
>
>
> On Wed, 11 Sep 2019 at 09:22, EXTERNAL Weimer Benjamin (TNG,
> INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com> wrote:
>
> Hi,
>
> I would like to contribute features to the Identity Provider Claim to Role
> Mapper.
>
>
> 1.)    Regex support for claim values: My suggestion for this feature is
> to introduce a new checkbox in the Claim to Role Mapper to turn regex
> support for claim value on or off. By default the regex box is unchecked,
> so currently existing mappers won't change.
>
> 2.)    Support for multiple claims: Instead of providing one claim and one
> claim value the idea is to provide a map of claim -> claim value. The role
> will be assigned when all provided claims match the token. Is it okay to
> change the existing Claim to Role Mapper for this feature or should I
> rather introduce a new mapper for this, e. g. Multiple Claim to Role Mapper?
>
> What are your thoughts on that? Do these two features have a chance to be
> contributed?
>
> Best regards
>
> Benjamin Weimer
> INST-CSS/BSV-OS2
>
> Tel. +49 30 726112-0
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
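
The two matching rules proposed in this thread (a regex on a claim value, and a role granted only when all listed claims match), as an added example that is not part of the thread and not Keycloak's mapper code. `ClaimToRoleExample`, `Rule` and `applies` are hypothetical names, the tokens are constructed, and the tightened pattern `INST_CSS(_.*)?` assumes `_` separates hierarchy levels. Requires Java 16 or later.

```java
import java.util.*;
import java.util.regex.Pattern;

public class ClaimToRoleExample {
    // Hypothetical rule: every listed claim must match its pattern for the role to be granted.
    record Rule(String role, Map<String, Pattern> required) {}

    static boolean applies(Rule rule, Map<String, Object> claims) {
        if (rule.required().isEmpty()) return false;       // an empty rule grants nothing
        for (Map.Entry<String, Pattern> e : rule.required().entrySet()) {
            Object raw = claims.get(e.getKey());
            if (raw == null) return false;                  // missing claim: fail closed
            // A claim may hold one value or a list; one matching value is enough.
            Collection<?> values = raw instanceof Collection<?> c ? c : List.of(raw);
            boolean hit = false;
            for (Object v : values) {
                // matches() anchors the pattern to the whole value, unlike find().
                if (v instanceof String s && e.getValue().matcher(s).matches()) {
                    hit = true;
                    break;
                }
            }
            if (!hit) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Scenario 1 from the thread: one claim, regex value.
        Rule regexRule = new Rule("inst_css_user",
                Map.of("organization", Pattern.compile("INST_CSS.*")));
        // Scenario 2: two claims, both required; literal value quoted, prefix tightened.
        Rule multiRule = new Rule("css_us_user", Map.of(
                "organization", Pattern.compile("INST_CSS(_.*)?"),
                "country", Pattern.compile(Pattern.quote("United States"))));

        // Constructed sample tokens (claim name -> value).
        List<Map<String, Object>> tokens = List.of(
                Map.of("organization", "INST_CSS_BSV_OS2", "country", "United States"),
                Map.of("organization", "INST_CSS_BSV_OS2", "country", "Germany"),
                Map.of("organization", "X_INST_CSS_BSV", "country", "United States"),
                Map.of("organization", "INST_CSSX", "country", "United States"),
                Map.of("country", "United States"));
        for (Map<String, Object> t : tokens) {
            System.out.println(t + " -> " + regexRule.role() + "=" + applies(regexRule, t)
                    + ", " + multiRule.role() + "=" + applies(multiRule, t));
        }
    }
}
```

The `INST_CSSX` token shows why the pattern itself needs review: `INST_CSS.*` grants the role to any organization that merely shares the prefix, while the delimiter-aware form does not.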

