Filter groups in Keycloak 20.0.1

Hi, I am trying to configure a Group Membership Token mapper in Keycloak 20.0.1.

I have a client (appX) with a client scope that has a group mapper. I have a user (userA) who is a member of the groups group-appX, group-appX-admin, group-appY and group-appY-user. When I log in with userA in appX, I can see in the token that he belongs to all 4 groups. I would like to be able to filter the groups that appear on the token so that if userA logs into appX it only shows on the token that he belongs to the groups group-appX and group-appX-admin, and if he logs into appY it only shows that he belongs to the groups group-appY and group-appY-user.

Any idea how to do this in Keycloak 20.0.0 or higher?

Thank you very much and best regards.


@zetmanir, hello, have you already solved your question?

@zetmanir jfyi


Hi. I have the same question and would like to know if it’s possible to filter the group attribute in the JWT/SAML assertion natively in the latest Keycloak version without an external plugin?

Currently I retrieve users’ groups from LDAP and map them in an ldap-group-mapper, but I can’t filter them in the assertion for each client. It’s a security problem for me to forward to all clients the list of all groups my users are members of.

I’ve wrapped my head around this obstacle the last few days and found a usable workaround.
If you create client roles which represent your desired roles (like App1_Servicedesk, App1_Secondlevel, App1_Lastlevel etc.) you can map your existing groups (e.g. imported from LDAP) to these roles (Groups → select desired group → edit → Role Mappings → Client roles (select your client) → select the client role which you want to map to the group). If you now use a role mapper instead of a group mapper inside the client, you only transfer these roles instead of all applicable (LDAP) groups. Tested and verified with Meraki Dashboard.

Hope this helps 🙂

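The workaround above, expressed as the Admin REST API calls behind those console clicks, followed by the check a relying application can run on the resulting token. This is an added example, not code from the thread or from the Keycloak project. The endpoint paths and the `oidc-usermodel-client-role-mapper` config keys are Keycloak's; the realm, client, group and role names, the `kc.example` base URL and the sample token claims are made up for illustration. It covers OpenID Connect only (the SAML case asked about later in the thread uses a different mapper type).

```python
"""Client-role workaround via the Keycloak Admin REST API, plus a token-side check.
Realm, client, group and role names and the sample claims below are constructed."""
import json
import urllib.request
from typing import Dict, List, Tuple

Call = Tuple[str, str, object]  # (HTTP method, path under /admin, JSON body or None)


def role_creation_calls(realm: str, client_uuid: str,
                        group_to_roles: Dict[str, List[str]]) -> List[Call]:
    """One POST per distinct client role (Clients > appX > Roles in the console)."""
    roles = sorted({r for rs in group_to_roles.values() for r in rs})
    return [("POST", f"/realms/{realm}/clients/{client_uuid}/roles", {"name": r})
            for r in roles]


def group_mapping_calls(realm: str, client_uuid: str, group_ids: Dict[str, str],
                        group_to_roles: Dict[str, List[str]],
                        role_ids: Dict[str, str]) -> List[Call]:
    """Group > Role mapping > client roles. Keycloak matches each posted role by
    id and name, so the ids are looked up after creation (see apply())."""
    calls = []
    for group, roles in group_to_roles.items():
        body = [{"id": role_ids[r], "name": r, "clientRole": True,
                 "containerId": client_uuid} for r in roles]
        calls.append(("POST",
                      f"/realms/{realm}/groups/{group_ids[group]}"
                      f"/role-mappings/clients/{client_uuid}", body))
    return calls


def client_role_mapper_call(realm: str, client_uuid: str, client_id: str) -> Call:
    """The 'User Client Role' protocol mapper that replaces the group mapper.
    It emits only this client's roles, under resource_access.<client_id>.roles."""
    mapper = {
        "name": "client roles",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-client-role-mapper",
        "config": {
            "usermodel.clientRoleMapping.clientId": client_id,
            "claim.name": f"resource_access.{client_id}.roles",
            "jsonType.label": "String",
            "multivalued": "true",
            "id.token.claim": "true",
            "access.token.claim": "true",
        },
    }
    return ("POST", f"/realms/{realm}/clients/{client_uuid}/protocol-mappers/models", mapper)


def admin_request(base_url: str, token: str, method: str, path: str, body=None):
    """Minimal Admin REST call; base_url is e.g. https://kc.example/admin (assumed)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # network call, not exercised offline
        raw = resp.read()
    return json.loads(raw) if raw else None


def apply(base_url, token, realm, client_uuid, client_id, group_ids, group_to_roles):
    """Create roles, resolve their ids, map groups to them, attach the mapper."""
    for method, path, body in role_creation_calls(realm, client_uuid, group_to_roles):
        admin_request(base_url, token, method, path, body)
    role_ids = {}
    for roles in group_to_roles.values():
        for r in roles:
            rep = admin_request(base_url, token, "GET",
                                f"/realms/{realm}/clients/{client_uuid}/roles/{r}")
            role_ids[r] = rep["id"]
    for method, path, body in group_mapping_calls(realm, client_uuid, group_ids,
                                                  group_to_roles, role_ids):
        admin_request(base_url, token, method, path, body)
    admin_request(base_url, token, *client_role_mapper_call(realm, client_uuid, client_id))


# --- token side: what appX should read, and what must no longer be present -----
def client_roles(claims: dict, client_id: str) -> List[str]:
    return claims.get("resource_access", {}).get(client_id, {}).get("roles", [])


def leaked_groups(claims: dict) -> List[str]:
    """Non-empty means a group membership mapper is still attached to the client."""
    return claims.get("groups", [])


# Constructed claims, not real tokens: before (group mapper) and after (role mapper)
BEFORE = {"aud": "appX", "groups": ["/group-appX", "/group-appX-admin",
                                    "/group-appY", "/group-appY-user"]}
AFTER = {"aud": "appX",
         "resource_access": {"appX": {"roles": ["appX_user", "appX_admin"]}}}
```

Because the mapper is bound to one client id, appY's roles never reach appX's token even when the user holds both. The `leaked_groups` check is the regression test for the original problem: if it returns anything, a group membership mapper is still on the client scope and the LDAP group list is being forwarded again.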

@Timmbuktw0 I remembered doing this once also. Seems the right way to go.

Hi. I didn’t manage to set up the correct configuration. Can you detail the process?

I have followed your instructions but no role is sent in the XML assertion. What kind of mapper do you use in the client configuration?

I have my (LDAP) groups. I’ve created a role in the client > Roles tab.
Then, in the group, I have mapped the group to the client role previously created.

But I don’t understand the last step to forward this role to the client XML assertion.