[keycloak-user] How to disable user roles updates with subsequent idp logins?

Корчемкин Дмитрий moon3854 at yandex.ru
Tue Jun 20 12:48:54 EDT 2017


The LDAP provider on the User Federation tab is not being used at all. We do not propagate changes made to AD users on Keycloak back to AD; they come from a different domain, and the roles configured on Keycloak do not even exist there.
From your questions I assume that Keycloak does indeed re-write user data on each login through a broker?

20.06.2017, 16:31, "Bill Burke" <bburke at redhat.com>:
> How are you using our LDAP adapter? Is "Import Enabled" true or false?
> If it is false then Keycloak will not store role mappings if there is
> no LDAP mapping for it.
>
> On 6/20/17 8:18 AM, Корчемкин Дмитрий wrote:
>>  Hello,
>>
>>  I have the following scenario: a user logs in for the first time from AD FS. There is a mapper in place that assigns him a role. He is then assigned some more roles manually. When he logs in a second time, all the roles added by hand are being removed.
>>
>>  I've tried looking for something to disable this on the Keycloak side, but I don't see anything relevant in the documentation. Unfortunately, I don't have access to that particular AD FS. Is there a way to stop this overriding on the Keycloak side, or is assigning all roles by mappers the only way?
>>
>>  Best regards,
>>  Dmitry
>>  _______________________________________________
>>  keycloak-user mailing list
>>  keycloak-user at lists.jboss.org
>>  https://lists.jboss.org/mailman/listinfo/keycloak-user

