Hi!
We store the hierarchical structure of offices in LDAP. Each office has a list (ou) of roles. Each role is a ‘groupOfNames’ in which the DNs of the users are recorded in ‘member’ attributes. Something like this:
dn: cn=admin,ou=roles,o=office1,ou=offices,dc=example,dc=com
objectClass: groupOfNames
member: uid=user1,ou=users,dc=example,dc=com
member: uid=user2,ou=users,dc=example,dc=com
member: uid=user3,ou=users,dc=example,dc=com
‘Edit mode’ is set to ‘READ_ONLY’. User import from LDAP and all types of sync are disabled, so Keycloak doesn’t store any user information.
And we are using CIBA to get an access token (http://keycloak_idp/realms/master/protocol/openid-connect/ext/ciba/auth).
To get the access token, we need to somehow pass the organization to Keycloak so that it can map the roles the user has in LDAP for that organization.
The obvious idea is to create a client in Keycloak for each of our organizations in LDAP, and then use the corresponding clientId to get a token with the necessary roles.
I started writing a custom role mapper from LDAP (extending AbstractLDAPStorageMapper), but, as it turned out, there is no way to get the clientId from the token request.
I will be grateful for any suggestion. Thanks.
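The lookup the post describes ("which roles does this user hold in this office") is a subtree search under the office's `ou=roles` container for `groupOfNames` entries whose `member` equals the user's DN. The following is an added example, not code from the post or from Keycloak: it builds that search (base DN and filter) with RFC 4514 / RFC 4515 escaping, since the office name and user DN come from the token request and must not be able to alter the DN or filter, and evaluates the same search offline against a constructed set of entries shaped like the post's LDIF. The `dc=example,dc=com` suffix is taken from the post; the extra offices, roles and users in the sample data are assumptions.

```python
"""Resolve the roles a user holds in one office from an LDAP layout of
office -> ou=roles -> groupOfNames(cn=<role>, member=<user DN>)."""
from __future__ import annotations

SUFFIX = "ou=offices,dc=example,dc=com"  # taken from the DNs in the post

# Constructed sample directory mirroring the post's LDIF (not a real export).
SAMPLE_ENTRIES = [
    {"dn": "cn=admin,ou=roles,o=office1," + SUFFIX,
     "objectClass": ["groupOfNames"],
     "member": ["uid=user1,ou=users,dc=example,dc=com",
                "uid=user2,ou=users,dc=example,dc=com",
                "uid=user3,ou=users,dc=example,dc=com"]},
    {"dn": "cn=viewer,ou=roles,o=office1," + SUFFIX,          # assumed role
     "objectClass": ["groupOfNames"],
     "member": ["uid=user4,ou=users,dc=example,dc=com"]},
    {"dn": "cn=admin,ou=roles,o=office2," + SUFFIX,           # assumed office
     "objectClass": ["groupOfNames"],
     "member": ["uid=user3,ou=users,dc=example,dc=com"]},
]


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def roles_search(office: str, user_dn: str) -> tuple[str, str]:
    """Return (search base, filter) for 'groups under this office that list user_dn'.
    Both inputs are treated as untrusted and escaped before interpolation."""
    base = f"ou=roles,o={escape_dn_value(office)},{SUFFIX}"
    filt = f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))"
    return base, filt


def _normalize_dn(dn: str) -> str:
    # Good enough for the simple DNs used here: case-insensitive, no space after commas.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _rdn_value(dn: str) -> str:
    # First RDN of "cn=admin,ou=roles,..." -> "admin" (assumes no escaped commas in the RDN)
    return dn.split(",", 1)[0].split("=", 1)[1]


def roles_for_user(entries: list[dict], office: str, user_dn: str) -> list[str]:
    """Offline evaluation of roles_search() against in-memory entries:
    subtree scope under the base, objectClass and member equality, cn of each hit."""
    base, _ = roles_search(office, user_dn)
    want_base = _normalize_dn(base)
    want_member = _normalize_dn(user_dn)
    roles = []
    for entry in entries:
        dn = _normalize_dn(entry["dn"])
        if not dn.endswith("," + want_base):
            continue  # outside this office's ou=roles subtree
        if "groupOfNames" not in entry.get("objectClass", []):
            continue
        if any(_normalize_dn(m) == want_member for m in entry.get("member", [])):
            roles.append(_rdn_value(entry["dn"]))
    return sorted(roles)


if __name__ == "__main__":
    user3 = "uid=user3,ou=users,dc=example,dc=com"
    print(roles_search("office1", user3))
    print(roles_for_user(SAMPLE_ENTRIES, "office1", user3))
    print(roles_for_user(SAMPLE_ENTRIES, "office2", user3))
```

Whatever Keycloak component ends up receiving the organization, the same two rules apply to it: scope the search to the office's `ou=roles` subtree rather than filtering on a role name across the whole tree, and escape the office name and user DN before they are spliced into a base DN or filter.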