1 Reply Latest reply on Jan 28, 2019 8:55 AM by cbevin

Is there a way for Keycloak, acting as a SAML IDP broker, to pass all roles through to the client without setting up mappers?

cbevin Jan 18, 2019 4:51 AM

We've recently moved from Picketlink to Keycloak, and we want to use Keycloak as a SAML broker to a third party IDP. Our third party IDP passes through User Groups as Role attributes and we want these to come through to the client.

We don't however know all the groups up-front, so we simply want them to come through to the client without Keycloak filtering them out.

Keycloak it appears only passes them through to the client if you have mappers in place, which requires knowing in advance the third party IDP groups, and being told when new groups are created.

Is there a way of configuring Keycloak to pass through all Role attributes to the client and not just the ones I've explicitly mapped? I just want everything sent by the IDP to get through to the client. I thought the "Full Scope Allowed" setting for the client was the answer, but it appears not.

1. Re: Is there a way for Keycloak, acting as a SAML IDP broker, to pass all roles through to the client without setting up mappers?

cbevin Jan 28, 2019 8:55 AM (in response to cbevin)

What I ended up doing was creating my own IdentityProviderMapper similar to the one within Keycloak :
(https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/saml/mappers/AttributeToRoleMapper.java)
I then provided my own logic to pass through all roles from the IDP, creating them if they didn't exist, and granting/revoking them from the user based on the content within the SAML assertion.
Actions