Drew

Reputation: 81

KeyCloak LDAP Role mapper with AD groups

I have a KeyCloak LDAP federation question.

Using LDAP Federation I am trying to map specific AD groups to one specific KeyCloak role.

Example

Fido belongs to the AD Group "Dogs"

(LDAP:memberOf:cn=dogs,cn=users,dc=test,dc=com)

Fluffy belongs to the AD Group "Cats"

(LDAP:memberOf:cn=cats,cn=users,dc=test,dc=com)

I can get LDAP Federation to create the "cats" and "dogs" roles but what I really want to do in keycloak is have a role called "animals" that both fluffy and fido are assigned to.

Is this possible using the role-ldap-mapper? Is there another way to do this?

Upvotes: 8

Views: 24087

Answers (1)

dreamcrash

Reputation: 51543

Is this possible using the role-ldap-mapper? Is there another way to do this?

First you need to map those groups "cats" and "dogs" from LDAP into roles in Keycloak; for that you can use the role-ldap-mapper Mapper. During the creation of those Mappers, after saving, click on "Sync LDAP Roles to Keycloak".


After you have successfully imported those roles into Keycloak, for each of the imported roles (i.e., cat and dog):

  • Go to Roles;
  • Click on the role in question;
  • Switch "Composite Roles" to ON;
  • Select the role Animals (I am assuming that you have already created that role in Keycloak, otherwise do so);
  • Click on "Add selected".


Next time a user with the role Cats or Dogs from LDAP authenticates with Keycloak, the role Animals will show up in the token as well.

Upvotes: 3
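The same wiring expressed against the Keycloak Admin REST API, as an added example that is not part of the answer or of Keycloak's own code: it builds the requests that reproduce the console steps (make the imported "cats" and "dogs" roles composites that contain "animals") and then expands composites locally, the way the token's realm_access.roles would be computed, so the direction of the mapping can be checked before touching a live realm. The realm name "test" and the `composites_from_requests` helper are assumptions; the endpoint paths are Keycloak's.

```python
"""Composite-role wiring for LDAP-imported roles (added example, not Keycloak code)."""
import json

REALM = "test"  # assumed realm name; the question does not give one


def composite_requests(realm, imported_roles, umbrella_role):
    """Return (method, path, json_body) tuples for the Admin REST API.

    POST /admin/realms/{realm}/roles creates a realm role;
    POST /admin/realms/{realm}/roles/{name}/composites adds child roles to a
    role, turning it into a composite. The umbrella role is created once, then
    each imported LDAP role gets the umbrella as its child (not the reverse).
    """
    reqs = [("POST", f"/admin/realms/{realm}/roles", {"name": umbrella_role})]
    for role in imported_roles:
        reqs.append(("POST", f"/admin/realms/{realm}/roles/{role}/composites",
                     [{"name": umbrella_role}]))
    return reqs


def composites_from_requests(reqs):
    """Helper (assumed): recover the parent -> children mapping from the requests."""
    mapping = {}
    for _method, path, body in reqs:
        if path.endswith("/composites"):
            mapping.setdefault(path.split("/")[-2], []).extend(r["name"] for r in body)
    return mapping


def effective_roles(direct_roles, composites):
    """Expand composites transitively; the visited set stops cycles from looping."""
    seen, stack = set(), list(direct_roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(composites.get(role, ()))
    return sorted(seen)


if __name__ == "__main__":
    reqs = composite_requests(REALM, ["cats", "dogs"], "animals")
    for method, path, body in reqs:
        print(method, path, json.dumps(body))
    comp = composites_from_requests(reqs)
    print("fido  :", effective_roles(["dogs"], comp))   # animals appears
    print("fluffy:", effective_roles(["cats"], comp))   # animals appears
    # Reverse direction (animals containing cats/dogs) does NOT give a cat
    # holder the animals role; it would instead give animals holders both.
    print("wrong :", effective_roles(["cats"], {"animals": ["cats", "dogs"]}))
```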
