I am trying Identity Brokering with Keycloak. There are very coarse-grained claims coming from the Identity Provider. Now I want to map the value from one of the claims to a role group in Keycloak. Is there a way to achieve this?
Thank you
Alright, for that purpose you need to use the Admin CLI, more specifically the Group Operations, which needs some custom scripting to get it automated in this case. Check out the Docs linked above and see how you can set it up. That will be something like this:
#!/bin/bash
...
# init stuff for kcadm.sh (config credentials etc.)
...
# assuming you've given the claim from IdP as 1st param to this script
claim="$1"
# use jq¹ to filter someClaim from JSON
role=$(echo "$claim" | jq -r '.someClaim')
username=$(echo "$claim" | jq -r '.sub')
# find out the user and group ids (not sure if this works, but there's possibilities²!)
# 'get users -q username=...' returns a JSON array (substring search), so pick the id of the exact username match
user_id=$(kcadm.sh get users -r yourrealm -q username="$username" | jq -r --arg u "$username" '.[] | select(.username == $u) | .id')
# same for the group: 'get groups' lists all groups, select the one whose name equals the claim value
group_id=$(kcadm.sh get groups -r yourrealm | jq -r --arg g "$role" '.[] | select(.name == $g) | .id')
kcadm.sh update users/$user_id/groups/$group_id -r yourrealm -s realm=yourrealm -s userId=$user_id -s groupId=$group_id -n
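The same claim-to-group flow as an added example (not part of the answer above, and not Keycloak's own code): the claim value is first checked against an explicit allow-list so only known values can ever turn into a group name, the user and group ids are resolved with exact-match filtering rather than trusting the first search hit, and the kcadm.sh call is isolated behind a runner so the logic can be dry-run. The realm "yourrealm", the claim name "someClaim" and the mapping table are constructed placeholders; kcadm.sh is assumed to be on PATH and already logged in.

```python
"""Map an IdP claim value to a Keycloak group membership via kcadm.sh.

Added example, not from the original post. Assumes kcadm.sh is on PATH and
already authenticated (kcadm.sh config credentials ...). The claim name
"someClaim", the realm "yourrealm" and the allow-list are constructed.
"""
import json
import shlex
import subprocess
from typing import Callable, Dict, List, Optional

Runner = Callable[[List[str]], str]

# Constructed allow-list: only claim values listed here ever become group names.
# Anything else is ignored, so the IdP cannot push a user into an arbitrary group.
CLAIM_TO_GROUP: Dict[str, str] = {
    "it-ops": "operators",
    "finance": "finance-viewers",
}


def run_kcadm(argv: List[str]) -> str:
    """Default runner: execute kcadm.sh and return its stdout (JSON for 'get')."""
    completed = subprocess.run(["kcadm.sh", *argv], capture_output=True, text=True, check=True)
    return completed.stdout


def group_for_claim(claims: dict, claim_name: str = "someClaim",
                    mapping: Dict[str, str] = CLAIM_TO_GROUP) -> Optional[str]:
    """Return the target group name for the claim value, or None if unmapped."""
    value = claims.get(claim_name)
    if not isinstance(value, str):
        return None
    return mapping.get(value)


def lookup_user_id(realm: str, username: str, runner: Runner = run_kcadm) -> str:
    """Resolve a username to its Keycloak id, requiring exactly one exact match.

    'get users -q username=...' is a substring search, so the result is
    filtered on the exact username before it is trusted.
    """
    users = json.loads(runner(["get", "users", "-r", realm, "-q", f"username={username}"]))
    exact = [u for u in users if u.get("username") == username]
    if len(exact) != 1:
        raise LookupError(f"expected one user named {username!r}, found {len(exact)}")
    return exact[0]["id"]


def lookup_group_id(realm: str, group_name: str, runner: Runner = run_kcadm) -> str:
    """Resolve a top-level group name to its id, again insisting on an exact match."""
    groups = json.loads(runner(["get", "groups", "-r", realm, "-q", f"search={group_name}"]))
    exact = [g for g in groups if g.get("name") == group_name]
    if len(exact) != 1:
        raise LookupError(f"expected one group named {group_name!r}, found {len(exact)}")
    return exact[0]["id"]


def membership_command(realm: str, user_id: str, group_id: str) -> List[str]:
    """kcadm.sh argv that adds the user to the group (same form as the post's last line)."""
    return ["update", f"users/{user_id}/groups/{group_id}", "-r", realm,
            "-s", f"realm={realm}", "-s", f"userId={user_id}", "-s", f"groupId={group_id}", "-n"]


def sync_group_membership(claims: dict, realm: str = "yourrealm",
                          runner: Runner = run_kcadm) -> Optional[List[str]]:
    """Full flow: claim -> allow-listed group name -> ids -> membership update.

    Returns the kcadm argv that was executed, or None when the claim value is
    not on the allow-list (in which case nothing is changed).
    """
    group_name = group_for_claim(claims)
    if group_name is None:
        return None
    user_id = lookup_user_id(realm, claims["sub"], runner)
    group_id = lookup_group_id(realm, group_name, runner)
    argv = membership_command(realm, user_id, group_id)
    runner(argv)
    return argv


if __name__ == "__main__":
    import sys
    # Usage: python map_claim_to_group.py '<claim JSON from the IdP>'
    result = sync_group_membership(json.loads(sys.argv[1]))
    print("ran: kcadm.sh " + shlex.join(result) if result else "claim value not mapped, nothing done")
```

Passing a custom runner lets you replay canned kcadm output to check the mapping before pointing the script at a live realm; the LookupError on zero or multiple matches is deliberate, since silently picking the first hit of a substring search is how a user ends up in the wrong group.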