[keycloak-user] Is there any way to map thousands of id from IDP to several roles in brokering

Bill Burke bburke at redhat.com
Thu Dec 10 09:13:01 EST 2015


So, you are using brokering, correct?  This is completely undocumented, 
but you can write your own broker mapper that is invoked when the user 
is imported.

Here are some examples:

https://github.com/keycloak/keycloak/tree/master/broker/saml/src/main/java/org/keycloak/broker/saml/mappers


https://github.com/keycloak/keycloak/blob/master/broker/saml/src/main/resources/META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper

On 12/10/2015 4:30 AM, Mai Zi wrote:
> Hi there,
>
> Let me try to describe the case first.
>
> We are using SAML 2.0 ID broker to authenticate the users.
> From the returned assertions, we can only get the user's ID number.
> So far as we know, there will be thousands of users. In the ID provider system,
> there is no role concept, so it is not possible to return us the Role claim.
>
> Now we want to assign roles to those users in Keycloak. We made a rule.
> For example, if the ID number is less than 100, we assign Role A to this
> user.
> If the ID number is between 101 and 1000, we assign Role B to it, and so on.
>
> Of course we can do this manually one by one in the admin console, but for
> thousands of users, it doesn't make much sense.
>
> We notice there is a Mapper button when configuring the ID provider; is
> there any way to achieve our goal with that mechanism?
>
>
> Thanks a lot.
>
> Mai

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
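
A broker mapper of the kind described above, written as an added example (it is not code from this thread or from the Keycloak project): it grants a realm role chosen by the numeric range the brokered ID falls in, using the ID-range rule from the question. Assumptions: the ID number arrives as the SAML NameID and is read from `context.getId()`; the package, the mapper id and the role names `role-a`/`role-b` are placeholders; the class still has to be listed in `META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper` like the linked SAML mappers.

```java
package org.example.broker; // hypothetical package name

import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.saml.SAMLIdentityProviderFactory;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderConfigProperty;
import java.util.Collections;
import java.util.List;

public class IdRangeToRoleMapper extends AbstractIdentityProviderMapper {

    public static final String PROVIDER_ID = "saml-id-range-to-role-mapper"; // placeholder id
    private static final String[] COMPATIBLE = { SAMLIdentityProviderFactory.PROVIDER_ID };

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String[] getCompatibleProviders() { return COMPATIBLE; }
    @Override public String getDisplayCategory() { return "Role Importer"; }
    @Override public String getDisplayType() { return "ID Range to Role"; }
    @Override public String getHelpText() { return "Grants a realm role based on the numeric range of the NameID."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }

    // Applies the rule from the question. Returns null when no rule matches,
    // including for non-numeric IDs: an unexpected value grants nothing (fail closed).
    static String roleForId(String rawId) {
        long id;
        try { id = Long.parseLong(rawId.trim()); }
        catch (NumberFormatException | NullPointerException e) { return null; }
        if (id < 100) return "role-a";                 // ID < 100        -> Role A
        if (id >= 101 && id <= 1000) return "role-b";  // 101 <= ID <= 1000 -> Role B
        return null;                                   // ID 100 and ID > 1000: no rule stated
    }

    // Invoked once when the brokered user is first imported into the realm.
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String roleName = roleForId(context.getId());
        if (roleName == null) return;
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role != null) user.grantRole(role);        // role must already exist in the realm
    }
}
```

Because the role is granted only at import time, changing the ranges later affects new users only; existing users keep whatever was granted when they were first imported.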

