Changes in ldap federation


Cédric Couralet

Mar 3, 2021, 3:24:59 AM3/3/21
to Keycloak Dev

Hello,

I recently upgraded from keycloak 9.0.3 to keycloak 12.0.4, and I have an error with a change in ldap federation.

I've got a saml identity provider configured to map Role attribute (from assertion) to the "roles-ag" attribute of the user.
Users come from an LDAP federation configured as READ_ONLY and import (with no mapper for a roles-ag attribute).
The broker auth flow is configured to link the user with the LDAP user only.

In 9.0.3, this worked well: at login, the roles-ag attribute was created/updated on the user entry (in the DB) but not in LDAP.

In 12.0.4, I get an error with the following stack trace:

Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
        at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:512)
        at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:559)
        at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:259)
        at org.keycloak.broker.saml.SAMLEndpoint.redirectBinding(SAMLEndpoint.java:163)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[...]
Caused by: org.keycloak.storage.ReadOnlyException: Federated storage is not writable
        at org.keycloak.storage.ldap.ReadonlyLDAPUserModelDelegate.setAttribute(ReadonlyLDAPUserModelDelegate.java:80)
        at org.keycloak.models.utils.UserModelDelegate.setAttribute(UserModelDelegate.java:75)
        at org.keycloak.models.utils.UserModelDelegate.setAttribute(UserModelDelegate.java:75)
        at org.keycloak.models.utils.UserModelDelegate.setAttribute(UserModelDelegate.java:75)
        at org.keycloak.models.utils.UserModelDelegate.setAttribute(UserModelDelegate.java:75)
        at org.keycloak.models.utils.UserModelDelegate.setAttribute(UserModelDelegate.java:75)
        at org.keycloak.models.utils.UserModelDelegate.setAttribute(UserModelDelegate.java:75)
        at org.keycloak.models.utils.UserModelDelegate.setAttribute(UserModelDelegate.java:75)
        at org.keycloak.models.utils.UserModelDelegate.setAttribute(UserModelDelegate.java:75)
        at org.keycloak.models.utils.UserModelDelegate.setAttribute(UserModelDelegate.java:75)
        at org.keycloak.broker.saml.mappers.UserAttributeMapper.updateBrokeredUser(UserAttributeMapper.java:203)
        at org.keycloak.broker.provider.AbstractIdentityProviderMapper.updateBrokeredUserLegacy(AbstractIdentityProviderMapper.java:68)
        at org.keycloak.broker.provider.IdentityProviderMapperSyncModeDelegate.delegateUpdateBrokeredUser(IdentityProviderMapperSyncModeDelegate.java:23)
        at org.keycloak.services.resources.IdentityBrokerService.lambda$updateFederatedIdentity$2(IdentityBrokerService.java:1026)

I think this came from this commit https://github.com/keycloak/keycloak/commit/bd48d7914d672d95f32ed17c11ea3f01ecf6d580#diff-b0700272388423a425032dd1f5b1b01d45fd38cec735990cddd3a2a56fc8bc36 which reintroduces ReadOnlyLdapUserModelDelegate with additional methods (setAttribute here) which were not implemented before.

Is there a way to get the old behaviour back without changing the LDAP configuration to WRITABLE or UNSYNCED?
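An illustrative model of the delegate chain in the stack trace above, added here as an example and not taken from Keycloak's sources: the class and interface names are simplified stand-ins, and the "legacy" delegate assumes the pre-change behaviour the post describes (no setAttribute override, so the write falls through to local storage).

```java
// Illustrative model, not Keycloak code: names below are simplified stand-ins.
import java.util.*;

class ReadOnlyException extends RuntimeException {
    ReadOnlyException(String msg) { super(msg); }
}

interface UserModel {
    void setAttribute(String name, List<String> values);
    Map<String, List<String>> getAttributes();
}

// Stand-in for the locally stored (DB) user entry.
class LocalUser implements UserModel {
    private final Map<String, List<String>> attrs = new HashMap<>();
    public void setAttribute(String n, List<String> v) { attrs.put(n, new ArrayList<>(v)); }
    public Map<String, List<String>> getAttributes() { return attrs; }
}

// Pass-through delegate: forwards every call to the wrapped user.
class UserModelDelegate implements UserModel {
    protected final UserModel delegate;
    UserModelDelegate(UserModel d) { delegate = d; }
    public void setAttribute(String n, List<String> v) { delegate.setAttribute(n, v); }
    public Map<String, List<String>> getAttributes() { return delegate.getAttributes(); }
}

// Assumed pre-change shape: no setAttribute override, so writes land in local storage.
class LegacyReadOnlyLdapDelegate extends UserModelDelegate {
    LegacyReadOnlyLdapDelegate(UserModel d) { super(d); }
}

// Post-change shape: setAttribute is implemented and refuses the write outright.
class ReadOnlyLdapDelegate extends UserModelDelegate {
    ReadOnlyLdapDelegate(UserModel d) { super(d); }
    @Override public void setAttribute(String n, List<String> v) {
        throw new ReadOnlyException("Federated storage is not writable");
    }
}

public class BrokerMapperDemo {
    // Mimics the broker attribute mapper writing a SAML attribute onto the linked user.
    static void updateBrokeredUser(UserModel user, String attr, List<String> values) {
        user.setAttribute(attr, values);
    }
    public static void main(String[] args) {
        UserModel legacy = new UserModelDelegate(new LegacyReadOnlyLdapDelegate(new LocalUser()));
        updateBrokeredUser(legacy, "roles-ag", List.of("admin")); // stored locally, LDAP untouched
        System.out.println("legacy: " + legacy.getAttributes());
        UserModel current = new UserModelDelegate(new ReadOnlyLdapDelegate(new LocalUser()));
        try {
            updateBrokeredUser(current, "roles-ag", List.of("admin"));
        } catch (ReadOnlyException e) {
            System.out.println("refused: " + e.getMessage()); // matches the trace's cause
        }
    }
}
```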

