[keycloak-user] User Groups/Roles in an Identity Brokering scheme

Andy Yar andyyar66 at gmail.com
Tue Feb 26 11:00:47 EST 2019

I'm not sure how to approach the following scheme of identity brokering
via OpenID Connect/OAuth2.

The idea is having a following scheme:
* Running a bunch of different applications built with RBAC in mind,
each having their own Keycloak instance
* Employing a hosted central Identity Provider (AWS Cognito, Auth0,
etc.) which manages and keeps the user base + user groups
* The application Keycloaks being configured to use the central IdP in
a federation.
* Each application Keycloak keeping a definition of application
specific roles and group -> role mappings

The auth flow would go like this:
* When accessing an app, user would be redirected to and authenticated
by the federated central IdP
* The central IdP would somehow (???, custom OAuth2 claims?) provide a
list of the user's groups
* Keycloak would map these groups to its local groups and transitively
to its roles
* The app would perform RBAC authorization based on the mapped roles.

So far I haven't managed to pass and map the IdP's groups to Keycloak's ones...

We want to simply keep and manage the user base + groups in a
centralized manner. But use application specific Keycloaks for the
role handling.
Is this schema viable? Is there a better approach? Would a pure LDAP
solution fit better? Would a SAML-based approach provide benefits?

Thanks in advance

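The broker step the message describes (central IdP issues a token carrying a groups claim, the application's Keycloak maps those groups to local groups and transitively to roles), modelled as a small Python reference, is shown below. This is an added example, not code from the original post and not Keycloak's own implementation; in Keycloak the mapping is configured through identity-provider mappers rather than written by hand. The issuer URL, client id, claim name, shared HS256 secret and the group/role tables are all constructed for the example; a real central IdP would sign with its own key (typically RS256) and the broker would verify against the IdP's published JWKS.

```python
"""Reference model of the identity-brokering mapping step (added example, not Keycloak code)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for the central IdP and the app's Keycloak broker client.
IDP_SECRET = b"constructed-demo-secret"          # hypothetical shared signing secret (HS256)
IDP_ISSUER = "https://idp.example.test/"         # hypothetical central IdP issuer
BROKER_CLIENT_ID = "app-keycloak-broker"         # hypothetical client id registered at the IdP
GROUPS_CLAIM = "groups"                          # assumed name of the custom groups claim

# Hypothetical per-application configuration, as the app's Keycloak would hold it:
# external IdP group name -> local group, and local group -> (parent group, roles).
EXTERNAL_TO_LOCAL = {"idp-finance": "finance", "idp-finance-admins": "finance-admins"}
LOCAL_GROUPS = {
    "finance": {"parent": None, "roles": {"invoice:read"}},
    "finance-admins": {"parent": "finance", "roles": {"invoice:approve"}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(sub, groups, now=None, ttl=300):
    """Central IdP side: mint an HS256 ID token that carries the groups claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": IDP_ISSUER, "aud": BROKER_CLIENT_ID, "sub": sub,
               "iat": now, "exp": now + ttl, GROUPS_CLAIM: list(groups)}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_id_token(token, now=None):
    """Broker side: check signature, issuer, audience and expiry before trusting any claim."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != BROKER_CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def effective_roles(claims):
    """Map external groups -> local groups -> roles, inheriting roles from parent groups.

    External group names that have no local mapping are ignored: the token can only ever
    select from the roles the application itself defined, never name a role directly.
    """
    roles = set()
    for ext in claims.get(GROUPS_CLAIM, []):
        local = EXTERNAL_TO_LOCAL.get(ext)
        seen = set()
        while local is not None and local not in seen:
            seen.add(local)
            roles |= LOCAL_GROUPS[local]["roles"]
            local = LOCAL_GROUPS[local]["parent"]
    return roles


def broker_login(token, now=None):
    """Full broker step: validate the IdP token, then derive the app's roles from its groups."""
    return effective_roles(verify_id_token(token, now))


if __name__ == "__main__":
    t = issue_id_token("alice", ["idp-finance-admins", "idp-unknown"], now=1000)
    print(sorted(broker_login(t, now=1100)))
```

The point the model makes explicit is the trust boundary: the central IdP is authoritative only for who the user is and which groups they belong to, while every role name comes from the application's own group-to-role table, so a group the application never mapped (or a role name smuggled into the claim) grants nothing.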