Map roles one-to-one from OpenID identity provider


Dmitri Zamysloff

Aug 24, 2023, 7:29:28 AM
to Keycloak User
Hi, we are using Keycloak 22. In the realm we added an OpenID Connect identity provider (Azure AD). We would like first to map attributes like first name, second name, email. Second, we want to map roles: if a role with the same name exists in the Keycloak realm, it shall be added. Is it possible to do this with out-of-the-box Keycloak functionality?

Apart from this we also need to synchronize some roles (with some prefix) from the realm to Azure AD using SCIM. I checked the available plugins, CaptainGoldfish and one on a German domain. They will not work for us. Is there any other possible solution?

Dmitri Zamysloff

Aug 28, 2023, 2:19:17 PM
to Keycloak User
I found out that if I connect Azure AD as an OIDC identity provider, then on first login Keycloak creates a twin user in its own DB and links that user to the user in Azure AD. The problem we have now is that there are some realm roles defined in Keycloak, and the same ones are defined in Azure, with the same names. These roles also come over with the Azure token. What do I need to do so that Keycloak would also add the matching roles to the twin user?

Paul Robert Marino

Aug 28, 2023, 2:58:56 PM
to Dmitri Zamysloff, Keycloak User
This may be outdated, but if I remember correctly, in the OIDC provider you can add a mapper to sync them, and it has an option to force a sync on login every time.


Dmitri Zamysloff

Aug 28, 2023, 4:40:40 PM
to Keycloak User
That's what I am looking for. Basically, I am looking for functionality which would check the roles of the incoming token and, if realm roles with the same name exist, the twin user will get those realm roles. In Keycloak 22 for OIDC identity providers I have only the following mappers:

- Advanced Claim To Group
- Advanced Claim To Role
- Attribute Importer
- Claim to Role
- Hardcoded Attribute
- Hardcoded Role
- Hardcoded User Session Attribute
- Username Template Importer

but none of them do the job.

Dmitri Zamysloff

Sep 7, 2023, 9:27:43 AM
to Keycloak User
I have written a plugin for mapping the roles. For testing I connected one Keycloak with another one using an OIDC identity provider and switched on my plugin. As I am developing right now, I have very extensive logging.

My plugin derives from org.keycloak.broker.provider.AbstractIdentityProviderMapper. In importNewUser and updateBrokeredUser I am retrieving the token using BrokeredIdentityContext#getContextData()#get("VALIDATED_ID_TOKEN"). In my code I am printing the token in the log. And I found out that in that token there are no roles. So in the Keycloak which is an identity provider for the tested Keycloak, the user has roles, and if I use that Keycloak directly with a web page, then the realm_access.roles information is present in the token for that user. But if I use that Keycloak as an OIDC identity provider, I have no information in the token about roles. What am I doing wrong? How can I get this information in the token? And generally, is the roles claim a part of OIDC, and can I assume that, for example, Azure will somehow send me such a token if I want to have Azure in Keycloak as an OIDC identity provider? Otherwise I need some other mechanism which would assign roles to users who got imported into the realm from the identity provider. Please help!
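As an added illustration (not code from the original post, and not Dmitri's plugin), here is how a mapper built on AbstractIdentityProviderMapper can do the "grant the realm role with the same name" step defensively: it reads a configurable dotted claim path (Azure AD app roles arrive as a top-level `roles` list in the ID token; a Keycloak-issued token carries `realm_access.roles`), grants only roles that already exist in the realm, never creates roles from IdP input, and does not write the token itself to the log. It checks the validated ID token first and, as a fallback, the validated access token that the `keycloak-oidc` provider type exposes under KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN; the generic `oidc` provider only parses the ID token, which is consistent with realm_access.roles being absent in the scenario described above. The package name, provider id and the `claim.path` config key are my own choices for the example.

```java
package example.keycloak; // hypothetical package for this illustration

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderSyncMode;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.JsonWebToken;

/**
 * Grants every realm role whose name appears in a roles claim of the brokered token.
 * Names without a matching realm role are ignored: the IdP can reference privileges
 * that the realm admin defined, but cannot create new ones.
 */
public class MatchingRealmRoleMapper extends AbstractIdentityProviderMapper {

    private static final Logger LOG = Logger.getLogger(MatchingRealmRoleMapper.class);

    public static final String PROVIDER_ID = "example-matching-realm-role-mapper"; // hypothetical id
    public static final String CLAIM_PATH = "claim.path";                         // hypothetical config key

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(CLAIM_PATH);
        p.setLabel("Roles claim path");
        p.setHelpText("Dotted path to the roles claim: roles (Azure AD app roles) or realm_access.roles (Keycloak).");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        p.setDefaultValue("roles");
        CONFIG.add(p);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String[] getCompatibleProviders() {
        return new String[] { OIDCIdentityProviderFactory.PROVIDER_ID, KeycloakOIDCIdentityProviderFactory.PROVIDER_ID };
    }
    @Override public String getDisplayCategory() { return "Role Importer"; }
    @Override public String getDisplayType() { return "Matching Realm Role Mapper (example)"; }
    @Override public String getHelpText() { return "Grants realm roles whose names match entries of the roles claim."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    // IMPORT runs on first login only; FORCE re-runs on every login (updateBrokeredUser).
    @Override
    public boolean supportsSyncMode(IdentityProviderSyncMode syncMode) {
        return syncMode == IdentityProviderSyncMode.IMPORT || syncMode == IdentityProviderSyncMode.FORCE;
    }

    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        grantMatchingRoles(realm, user, mapperModel, context);
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        grantMatchingRoles(realm, user, mapperModel, context);
    }

    private void grantMatchingRoles(RealmModel realm, UserModel user,
                                    IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String path = mapperModel.getConfig().getOrDefault(CLAIM_PATH, "roles");
        for (String name : roleNamesFromTokens(context, path)) {
            RoleModel role = realm.getRole(name);          // null if the realm has no such role
            if (role == null) {
                LOG.debugf("Claim names role '%s' which does not exist in the realm; ignoring", name);
            } else if (!user.hasRole(role)) {
                user.grantRole(role);
            }
        }
    }

    /** Looks in the validated ID token, then in the validated access token (set by keycloak-oidc only). */
    static List<String> roleNamesFromTokens(BrokeredIdentityContext context, String path) {
        List<String> names = new ArrayList<>();
        String[] keys = { OIDCIdentityProvider.VALIDATED_ID_TOKEN, KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN };
        for (String key : keys) {
            Object token = context.getContextData().get(key);
            if (!(token instanceof JsonWebToken)) continue;   // only log claim names, never the token itself
            Object value = resolvePath(((JsonWebToken) token).getOtherClaims(), path);
            if (value instanceof Collection) {
                for (Object o : (Collection<?>) value) if (o instanceof String) names.add((String) o);
            } else if (value instanceof String) {
                names.add((String) value);
            }
            if (!names.isEmpty()) break;
        }
        return names;
    }

    /** Walks a dotted path such as "realm_access.roles" through nested claim maps; null if any segment is missing. */
    static Object resolvePath(Map<String, Object> claims, String path) {
        Object current = claims;
        for (String segment : path.split("\\.")) {
            if (!(current instanceof Map)) return null;
            current = ((Map<?, ?>) current).get(segment);
        }
        return current;
    }
}
```

The class is registered like any Keycloak SPI implementation, through a `META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper` file naming it. Note that this example only grants; if a role disappears from the IdP's claim, it stays on the twin user until removed by something else, which is the usual argument for preferring the built-in Advanced Claim to Role mapper with FORCE sync where a fixed claim-to-role list is acceptable.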

Arin Kumar

Feb 11, 2025, 3:04:12 AM
to Keycloak User

Hi Folks,

I recently faced an issue while trying to map custom roles from an Identity Provider (Azure AD) to Keycloak for SSO authentication. After much effort, I finally found a solution and was able to successfully map roles. Below are the steps to achieve this:

  1. Create an Application in Azure AD

    • Ensure that your application is configured to communicate with Keycloak.
  2. Test SSO Login

    • Try logging in with a user created in Azure AD using SSO in Keycloak to verify that authentication works.
  3. Create and Assign Roles in Azure AD

    • Navigate to Azure AD > Your Application > App roles and create a role (e.g., Custom-Admin) with the same value as its name.
    • Assign this role to a user in Azure AD.
  4. Create a Corresponding Role in Keycloak

    • In Keycloak, go to Your Realm > Roles and create a role (e.g., Custom-Admin-Keycloak).
  5. Configure Role Mapping in Keycloak

    • Navigate to Identity Provider (IDP) Configurations > Mappers and create a new mapper named Role Mapper with the following configurations:
      • Sync Mode Override: Import
      • Mapper Type: Advanced Claim to Roles
      • Claims:
        • Key: roles
        • Value: Custom-Admin
      • Regex Claim Values: Off
      • Role: Select the Keycloak realm role (Custom-Admin-Keycloak) from the dropdown.
  6. Test Role Mapping

    • Save the mapper and log in again with the user to whom the role was assigned in Azure AD.
  7. Verify Role Mapping in Keycloak

    • In Keycloak, navigate to User Section > Select the User > Role Mapping to confirm that the assigned role has been successfully mapped.

This setup ensures a one-to-one mapping of roles from Azure AD to Keycloak. Hope this helps!

Best regards,

Arin Kumar
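The same mapper as in the steps above, created and verified through the Keycloak Admin REST API with the keycloak-admin-client library, as an added example that is not part of the original post. Scripting it this way makes the mapping reviewable and repeatable (the configuration lives in code or an export rather than only in the console). The server URL, realm name, IdP alias and username are placeholders; the mapper id `oidc-advanced-role-idp-mapper` and the config keys `claims`, `are.claim.values.regex`, `role` and `syncMode` are what I believe the Advanced Claim to Role mapper uses, so confirm them against a realm export of a mapper created in the UI before relying on them.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import jakarta.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.IdentityProviderMapperRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class AzureRoleMapperSetup {

    /** Step 5: "Role Mapper", Sync Mode Override = Import, type Advanced Claim to Role, exact-match claim. */
    public static IdentityProviderMapperRepresentation roleMapper(String idpAlias,
                                                                  String azureRole, String keycloakRole) {
        IdentityProviderMapperRepresentation m = new IdentityProviderMapperRepresentation();
        m.setName("Role Mapper");
        m.setIdentityProviderAlias(idpAlias);
        m.setIdentityProviderMapper("oidc-advanced-role-idp-mapper");    // assumed id of "Advanced Claim to Role"
        m.setConfig(Map.of(
                "syncMode", "IMPORT",
                "claims", "[{\"key\":\"roles\",\"value\":\"" + azureRole + "\"}]",  // Azure app role value
                "are.claim.values.regex", "false",                               // Regex Claim Values: Off
                "role", keycloakRole));                                          // existing realm role
        return m;
    }

    /** Step 7: realm roles the twin user actually holds, to compare with the Azure AD assignment. */
    public static List<String> effectiveRealmRoles(RealmResource realm, String username) {
        List<UserRepresentation> found = realm.users().search(username);
        if (found.isEmpty()) return List.of();
        return realm.users().get(found.get(0).getId()).roles().realmLevel().listEffective()
                .stream().map(RoleRepresentation::getName).sorted().collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl("https://keycloak.example.invalid")      // placeholder
                .realm("master").clientId("admin-cli")
                .username(System.getenv("KC_ADMIN_USER"))           // admin credentials from the environment
                .password(System.getenv("KC_ADMIN_PASSWORD"))
                .build();
        RealmResource realm = kc.realm("my-realm");                 // placeholder realm
        try (Response r = realm.identityProviders().get("azure-ad")  // placeholder IdP alias
                .addMapper(roleMapper("azure-ad", "Custom-Admin", "Custom-Admin-Keycloak"))) {
            System.out.println("addMapper -> HTTP " + r.getStatus());  // 201 on success
        }
        // Run after the user has logged in once through the IdP (step 6).
        System.out.println(effectiveRealmRoles(realm, "alice"));     // placeholder username
    }
}
```

Because regex matching is off, the Azure app role value must equal `Custom-Admin` exactly (which is why step 3 sets the role's value to its name). `listEffective()` includes roles inherited through composites, so compare against `listAll()` if you want only the direct mapping the mapper created.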
