1 Reply Latest reply on Jan 28, 2019 8:55 AM by cbevin

    Is there a way for Keycloak, acting as a SAML IDP broker, to pass all roles through to the client without setting up mappers?


      We've recently moved from Picketlink to Keycloak, and we want to use Keycloak as a SAML broker to a third party IDP. Our third party IDP passes through User Groups as Role attributes and we want these to come through to the client.

      We don't however know all the groups up-front, so we simply want them to come through to the client without Keycloak filtering them out.

      Keycloak it appears only passes them through to the client if you have mappers in place, which requires knowing in advance the third party IDP groups, and being told when new groups are created.

      Is there a way of configuring Keycloak to pass through all Role attributes to the client and not just the ones I've explicitly mapped? I just want everything sent by the IDP to get through to the client. I thought the "Full Scope Allowed" setting for the client was the answer, but it appears not.