How to map two LDAP attributes to one user attribute

I want to map two LDAP attributes to a single user attribute. As a starting point I would use UserAttributeLDAPStorageMapper. But this class is specifically for mapping exactly one LDAP attribute to one user attribute.
I only need this mapping as read-only transformation from LDAP to user attribute. I don’t need any updates of the LDAP attributes.
Am I correct in assuming that I only need the methods onImportUserFromLDAP() and beforeLDAPQuery()? I think I should throw an exception in method onRegisterUserToLDAP(), right? But what about the method proxy()? I want to always read from LDAP, so I need to remove all code for writing and only leave the code for isAlwaysReadValueFromLDAP, correct?
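A minimal read-only mapper along the lines described in the question, as an added example (not code from this thread or from the Keycloak project). It assumes Keycloak's AbstractLDAPStorageMapper base class and the hypothetical config keys shown; the mapper factory that registers the class and declares those keys is not shown.

```java
import org.keycloak.component.ComponentModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;

// Read-only mapper: joins two LDAP attributes into one Keycloak user attribute.
// The config key names below are hypothetical; the matching factory would declare them.
public class TwoToOneLDAPStorageMapper extends AbstractLDAPStorageMapper {
    public static final String LDAP_ATTRIBUTE_1 = "ldap.attribute.1";
    public static final String LDAP_ATTRIBUTE_2 = "ldap.attribute.2";
    public static final String USER_MODEL_ATTRIBUTE = "user.model.attribute";
    public static final String SEPARATOR = "separator";

    public TwoToOneLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
        super(mapperModel, ldapProvider);
    }

    private String cfg(String key) {
        return mapperModel.getConfig().getFirst(key);
    }

    @Override
    public void beforeLDAPQuery(LDAPQuery query) {
        // Request both source attributes, otherwise the LDAP result will not carry them.
        query.addReturningLdapAttribute(cfg(LDAP_ATTRIBUTE_1));
        query.addReturningLdapAttribute(cfg(LDAP_ATTRIBUTE_2));
    }

    @Override
    public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
        String first = ldapUser.getAttributeAsString(cfg(LDAP_ATTRIBUTE_1));
        String second = ldapUser.getAttributeAsString(cfg(LDAP_ATTRIBUTE_2));
        String target = cfg(USER_MODEL_ATTRIBUTE);
        if (first == null && second == null) {
            user.removeAttribute(target); // both gone in LDAP: do not keep a stale local value
            return;
        }
        String sep = cfg(SEPARATOR) == null ? "" : cfg(SEPARATOR);
        user.setSingleAttribute(target, (first == null ? "" : first) + sep + (second == null ? "" : second));
    }

    @Override
    public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
        // Read-only transformation: nothing is ever written back to LDAP.
    }

    @Override
    public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
        return delegate; // serve the imported value; an always-read variant would wrap the delegate here
    }
}
```

Leaving onRegisterUserToLDAP() as a no-op rather than throwing keeps the rest of the LDAP provider's registration path working; only the derived attribute is never written back.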

a) It might be easier with a custom EventListener (to be tested, I do not know the performance…):

  • you can catch update events: UPDATE_PROFILE?
  • and use user.setSingleAttribute(…)

b) Or use a virtual claim: keycloak-extension-playground/SimpleOidcMapper.java at master · thomasdarimont/keycloak-extension-playground · GitHub

Hi, I do not understand how an EventListener would access LDAP attributes on user logins nor how a virtual claim would help in this situation.

Idea 1) Once LDAP attributes are imported into your realm as user attributes, any change to any of these user attributes should be caught by your listener (based on the event you decide to manage, for example EventType.UPDATE_PROFILE), which can then get access to the user (to whom the event is related) in order to read user.attr1 and user.attr2 and write user.attr1+user.attr2

Example of how to get access to the user related to an event and then create/update one attribute:


BTW: the performance of this approach has to be checked… and I am not sure the event UPDATE_PROFILE is triggered when attributes are updated from LDAP… to be tested

Idea 2) Once LDAP attributes are imported into your realm as user attributes, you can use these user attributes to generate virtual claims, for example a virtual claim which could be user.attr1+user.attr2

As far as I understand, for Ideas 1 and 2 I also need to configure attribute mappers to import the values from LDAP, correct?

Yes, correct.

If your LDAP is an AD then some mappers are automatically added.

But you can also add some additional ones.

Simple suggestion, not sure it fits the bill: just use a mapper.
Use type ScriptMapper, and put code like this:

exports = user.getSomething() + user.getSomethingElse()

I don’t know the specifics, you’d have to work out the exact code of course. (above is a string concat)

Beware of some known mapping issues, though.

(maybe others, these are the ones that I’m aware of)