I am trying identity brokering with Keycloak. There are very coarse-grained claims coming from the identity provider. Now I want to map the value of one of the claims to a role group in Keycloak. Is there a way to achieve this?

Thank you

RMNull
  • What do you mean by "map [value of] a claim"? Could you describe with an example? – roxch Sep 15 '20 at 16:19
  • @roxch Say there are claims coming from the Identity Provider ```{ "ver": 1, "jti": "AT.bfekt0S96atew6s-xxxx", "iss": "https://abc.xyz.com/oauth2/default", "aud": "api://default", "iat": 1600681570, "exp": 1600685170, "cid": "0oawtxxmtyxxxxx", "uid": "00uynldf5fxxxxxx", "scp": [ "openid" ], "sub": "designer@xyz.com", "someClaim": "designer", "claimsByGroup": [ "Everyone", "developers" ] }``` and I want to assign the user a Role Group in the Keycloak token for *someClaim* coming from the Identity Provider. – RMNull Sep 21 '20 at 12:46
  • It's still ambiguous! Do you want to add a user to a group in KC Administration, consuming the data from someClaim? Or is the user already in the group and you want to add the group information to the token above (for further use/validation)? – roxch Sep 28 '20 at 09:14
  • "You want to add a user to a group in KC Administration, consuming the data from someClaim?" Yes. – RMNull Oct 01 '20 at 09:14

1 Answer

Alright, for that purpose you need to use the Admin CLI, more specifically the Group Operations, which need some custom scripting to get this automated in your case. Check out the docs linked above and see how you can set it up. That will be something like this:

#!/bin/bash
...
# init stuff for kcadm.sh (config credentials etc.)
...
# assuming you've given the claim from the IdP as the 1st param to this script
claim="$1"
realm="yourrealm"

# use jq¹ to filter someClaim (the group to assign) and sub (the username) from the JSON
group_name=$(echo "$claim" | jq -r '.someClaim')
username=$(echo "$claim" | jq -r '.sub')

# find out the user and group ids (not sure if this works, but there's possibilities²!)
# kcadm.sh returns JSON arrays; -q username= is a substring search, so pick the exact match
# (Keycloak stores usernames lower-cased)
user_id=$(kcadm.sh get users -r "$realm" -q username="$username" \
  | jq -r --arg u "$username" '.[] | select(.username == ($u | ascii_downcase)) | .id')
group_id=$(kcadm.sh get groups -r "$realm" \
  | jq -r --arg g "$group_name" '.[] | select(.name == $g) | .id')

# bail out if either lookup came back empty
[ -n "$user_id" ] && [ -n "$group_id" ] || { echo "user or group not found" >&2; exit 1; }

# add the user to the group
kcadm.sh update "users/$user_id/groups/$group_id" -r "$realm" \
  -s realm="$realm" -s userId="$user_id" -s groupId="$group_id" -n

  1. jq
  2. List Users
roxch
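The answer's script takes the raw claim value and hands it straight to the group lookup, so whoever controls that claim (the IdP, or anyone who can get a claim into it) decides which group the user lands in. The Python script below is an added example for this thread, not code from the answer's author or from the Keycloak project. It wraps the same `kcadm.sh get users` / `get groups` / `update users/{id}/groups/{gid}` calls, but resolves the claim through a fixed allowlist, matches the username exactly (the `-q username=` query is a substring search), and skips the update when the user is already a member. `yourrealm`, the group names in `GROUP_MAP`, and the `u-…`/`g-…` ids in the sample data are assumptions; the sample data is constructed, not real Keycloak output. `kcadm.sh` is assumed to be on `PATH` and already logged in.

```python
"""Map a brokered IdP claim to a Keycloak group via kcadm.sh (added example, assumptions noted inline)."""
import json
import subprocess
import sys

REALM = "yourrealm"       # assumption: realm the brokered users are created in
CLAIM_NAME = "someClaim"  # the IdP claim named in the question

# Allowlist of claim value -> Keycloak group name (group names are assumptions).
# The raw claim value is never used as a group name: otherwise whoever controls
# the claim could put a user into any group, e.g. an admins group.
GROUP_MAP = {
    "designer": "designers",
    "developer": "developers",
}


def kcadm(*args):
    """Run kcadm.sh (already logged in) and parse its JSON output, if any."""
    proc = subprocess.run(["kcadm.sh", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def resolve_group_name(claims):
    """Map the claim value through the allowlist; unmapped values are rejected."""
    value = claims.get(CLAIM_NAME)
    if value not in GROUP_MAP:
        raise ValueError(f"{CLAIM_NAME}={value!r} is not mapped to any group")
    return GROUP_MAP[value]


def find_user_id(users, username):
    """Keep only the exact username match (Keycloak stores usernames lower-cased)."""
    ids = [u["id"] for u in users if u.get("username", "").lower() == username.lower()]
    if len(ids) != 1:
        raise LookupError(f"expected exactly one user named {username!r}, found {len(ids)}")
    return ids[0]


def find_group_id(groups, name):
    """Look up a top-level group by exact name (`kcadm.sh get groups` lists top-level groups)."""
    ids = [g["id"] for g in groups if g.get("name") == name]
    if len(ids) != 1:
        raise LookupError(f"expected exactly one group named {name!r}, found {len(ids)}")
    return ids[0]


def plan(claims, users, groups, current_groups, realm=REALM):
    """Return the kcadm.sh arguments that add the user to the mapped group,
    or None when the user is already a member, so re-running is harmless."""
    group_id = find_group_id(groups, resolve_group_name(claims))
    user_id = find_user_id(users, claims["sub"])
    if any(g.get("id") == group_id for g in current_groups):
        return None
    return ["update", f"users/{user_id}/groups/{group_id}", "-r", realm,
            "-s", f"realm={realm}", "-s", f"userId={user_id}",
            "-s", f"groupId={group_id}", "-n"]


def main(claim_json):
    claims = json.loads(claim_json)
    users = kcadm("get", "users", "-r", REALM, "-q", f"username={claims['sub']}")
    groups = kcadm("get", "groups", "-r", REALM)
    user_id = find_user_id(users, claims["sub"])
    current = kcadm("get", f"users/{user_id}/groups", "-r", REALM) or []
    args = plan(claims, users, groups, current)
    if args is None:
        print("already a member, nothing to do")
        return
    kcadm(*args)
    print("added", claims["sub"], "to", resolve_group_name(claims))


# Constructed sample data (not real Keycloak output) for a dry run of plan().
SAMPLE_CLAIMS = {"sub": "designer@xyz.com", "someClaim": "designer",
                 "claimsByGroup": ["Everyone", "developers"]}
SAMPLE_USERS = [{"id": "u-1111", "username": "designer@xyz.com"},
                {"id": "u-2222", "username": "designer@xyz.com.old"}]  # substring hit to filter out
SAMPLE_GROUPS = [{"id": "g-aaaa", "name": "designers"},
                 {"id": "g-bbbb", "name": "developers"},
                 {"id": "g-cccc", "name": "admins"}]

if __name__ == "__main__":
    main(sys.argv[1])
```

Run it as `python map_claim_to_group.py "$CLAIM_JSON"` after `kcadm.sh config credentials ...`. The `plan()` function does all the decision-making on plain lists, so it can be exercised against captured `kcadm.sh` output without touching a live server; only `main()` shells out.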