Matt Malone

Reputation: 361

Automatically add and remove roles in Keycloak based on SAML attributes

I have a SAML IdP set up in Keycloak and it is working fine. We get an attribute from SAML called “Groups” which is a list of group IDs. So I set up some mappers of type “Advanced Attribute to Role”. I mapped GroupA to RoleA, GroupB to RoleB, etc. This works fine at first. If a user’s "Groups" attribute contains "GroupA", then that user is correctly assigned RoleA.

The problem is when a user is re-assigned from GroupA to GroupB. Now when that user logs on, he is correctly assigned RoleB, but he retains RoleA from before. If a user simply loses GroupA, that user retains RoleA.

I want a user to have those roles and ONLY those roles that are mapped in based on his current Groups attribute. And if a user loses a group attribute value, then he should lose the corresponding role.

How can I fix this situation? Can this be done using SAML attribute mappers? What’s the proper way to do this?

Upvotes: 2

Views: 4220

Answers (1)

b.fiss

Reputation: 229

To overwrite the role of a user, set the sync mode overwrite of that mapper to force (hint: make sure that the role exists).

(screenshot: mappers with sync mode overwrite = force)

OR, if you want to overwrite all mapped attributes and roles, in the settings of your IDP you can set the sync mode to force:

(screenshot: set IDP sync mode to force)

And in your mappers, set sync mode overwrite to inherit:

(screenshot: mappers with sync mode overwrite = inherit, which uses the IDP settings for sync mode)

Then, during every login of the user, the attributes and roles mapped by the IDP mappers are overwritten.

Hint: syncing the user on every login is of course more expensive than importing the user once. So if you only want to overwrite single attributes or roles, you should only force updating for those mappers.

Upvotes: 2
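The second variant of the answer (IdP sync mode FORCE, mappers left on INHERIT), written out as a realm-export fragment so the settings can be checked in version control or pushed with `kcadm.sh create partialImport`. This is an added example, not code from the question or answer: the realm, alias `corp-saml`, the two URLs, and the `GroupA`/`RoleA` pairs are made up, and the mapper id `saml-advanced-role-idp-mapper` together with the `attributes` config key (a JSON list encoded as a string) reflect how Keycloak serialises the "Advanced Attribute to Role" mapper at the time of writing; confirm them against an export of your own realm before relying on them.

```json
{
  "identityProviders": [
    {
      "alias": "corp-saml",
      "providerId": "saml",
      "enabled": true,
      "config": {
        "entityId": "https://keycloak.example.com/realms/myrealm",
        "singleSignOnServiceUrl": "https://idp.example.com/saml/sso",
        "syncMode": "FORCE"
      }
    }
  ],
  "identityProviderMappers": [
    {
      "name": "GroupA -> RoleA",
      "identityProviderAlias": "corp-saml",
      "identityProviderMapper": "saml-advanced-role-idp-mapper",
      "config": {
        "syncMode": "INHERIT",
        "attributes": "[{\"key\":\"Groups\",\"value\":\"GroupA\"}]",
        "are.attribute.values.regex": "false",
        "role": "RoleA"
      }
    },
    {
      "name": "GroupB -> RoleB",
      "identityProviderAlias": "corp-saml",
      "identityProviderMapper": "saml-advanced-role-idp-mapper",
      "config": {
        "syncMode": "INHERIT",
        "attributes": "[{\"key\":\"Groups\",\"value\":\"GroupB\"}]",
        "are.attribute.values.regex": "false",
        "role": "RoleB"
      }
    }
  ]
}
```

Two things worth checking after applying this. First, `RoleA` and `RoleB` must already exist as realm roles, as the answer's hint says; the mapper does not create them. Second, with the IdP on `FORCE` every login re-evaluates every mapper with `INHERIT`, so a mapper whose attribute condition no longer matches is re-run on the existing user rather than skipped; if only the role mappers need that behaviour, leave the IdP on its default and set `"syncMode": "FORCE"` on those mappers alone, which is the answer's first variant.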
