[keycloak-user] Hardcoded role mappers in user federation provider - roles not applied

Marek Posolda mposolda at redhat.com
Fri Nov 25 04:11:00 EST 2016

On 24/11/16 16:18, Edgar Vonk - Info.nl wrote:
> Hi all,
> We are struggling with the hardcoded role mapper in Keycloak 2.3.0.Final.
> What we have is a User Federation provider that connects to MSAD/LDAP with:
> - a hardcoded role mapper that adds role X
> - a hardcoded role mapper that adds role Y
> - a role mappings mapper that maps all LDAP groups in a certain DN to predefined roles in Keycloak; now the thing is: these LDAP groups map to the very same predefined roles X and Y
> My first question: is this setup supposed to work? Do the hardcoded role mappers play nicely with a role mappings mapper when they use the same roles?
> What we see is so far kind of unpredictable. Sometimes users end up with role X, sometimes with no role at all, etc.
> What I think is happening is:
> - the mappers are applied in random order in Keycloak (is this the case?)
Yes, it is. I was thinking about add priority, but didn't yet do it. 
Could you please create JIRA?

> - the role mappings mapper may remove roles X and/or Y if they are applied to a hardcoded role mapper if it happens to be applied last?
> cheers
> Edgar
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list