Hi everyone,
First post here so please feel free to redirect as necessary.
Use case:
I operate Keycloak as an OIDC IAM with realm roles for our microservices and application roles for our front-end. This is all working; I can see and use the “realm_access” and “resource-access” within the JWT, no problems.
I am now trying to allow a third-party access to (some) of our services using Identity Broker(ing). I have set up a (test) Okta realm as an OIDC Identity Provider and can successfully get authenticated; the (foreign domain) user is set up in Keycloak with the relevant “Identity Provider Link”. Again, so far so good.
Problem:
I’m unclear what the best / correct approach is to map (local) realm roles when using a foreign IdP (Okta). I can see that I can configure various mappers under “Identity Providers \ \ Mappers”, including a “Claim to Role” mapper which seems like the best fit.
I’m struggling to get this to work with Okta; I am trying to use a “groups” scope, somewhat unsuccessfully. Note: this is not a reflection on Okta, I’m just not sure I have the correct approach.
Question(s):
- Is the “Claim to Role” mapper the best / correct approach to mapping third-party IdP ID tokens to local Realm roles?
- Is there some better / alternative method that I should be using instead (perhaps using scopes from the IdP or similar)?
Thanks in advance
Paul
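An added example, not part of the post above and not Keycloak's own code: it builds the Admin REST payload that creates a "Claim to Role" mapper on the brokered IdP, decodes (without verifying) the ID token the IdP actually returned so you can check whether a "groups" claim is present at all, and simulates the mapper's match rule so you can predict which realm roles a given token would grant. The Keycloak base URL, realm name, IdP alias "okta", the group and role names, and the sample token are all constructed assumptions.

```python
"""Claim-to-role brokering in Keycloak: inspect the incoming ID token, build the
mapper, and predict which realm roles the mapper would grant.
Added example; names below are assumptions, not values from the original post."""
import base64
import json

KEYCLOAK_BASE = "https://keycloak.example.invalid"  # assumed
REALM = "myrealm"                                    # assumed
IDP_ALIAS = "okta"                                   # assumed alias of the brokered Okta IdP

# Keycloak's OIDC "Claim to Role" mapper provider id.
CLAIM_TO_ROLE = "oidc-role-idp-mapper"


def mapper_endpoint() -> str:
    """Admin REST path the payload is POSTed to (bearer token of an admin required)."""
    return f"{KEYCLOAK_BASE}/admin/realms/{REALM}/identity-provider/instances/{IDP_ALIAS}/mappers"


def build_claim_to_role_mapper(name, claim, claim_value, role, sync_mode="INHERIT"):
    """IdentityProviderMapperRepresentation for the Claim to Role mapper.
    'role' is a realm role name; a client role is written as 'clientId.roleName'."""
    return {
        "name": name,
        "identityProviderAlias": IDP_ALIAS,
        "identityProviderMapper": CLAIM_TO_ROLE,
        "config": {
            "syncMode": sync_mode,      # INHERIT (from the IdP), IMPORT, or FORCE
            "claim": claim,             # claim name looked up in the IdP's ID token
            "claim.value": claim_value, # value that must be present for the role to apply
            "role": role,               # local realm role granted on match
        },
    }


def first_login_only(mapper, idp_sync_mode="IMPORT"):
    """Caveat: with sync mode IMPORT the mapper runs only when the brokered user is
    first created, so later group changes at the IdP are not reflected; FORCE
    re-evaluates the role on every login (and revokes it when the claim is gone)."""
    mode = mapper["config"]["syncMode"]
    effective = idp_sync_mode if mode == "INHERIT" else mode
    return effective == "IMPORT"


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection only (no signature check)."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)
    return json.loads(base64.urlsafe_b64decode(part))


def claim_matches(claims, claim_name, expected) -> bool:
    """Mirror the mapper's comparison: exact match for a scalar claim, membership
    when the IdP sends the claim as an array (Okta's 'groups' claim is a list)."""
    value = claims.get(claim_name)
    if isinstance(value, list):
        return any(str(v) == expected for v in value)
    return value is not None and str(value) == expected


def roles_granted(id_token_claims, mappers):
    """Realm roles a set of Claim to Role mappers would grant for these claims."""
    return sorted({m["config"]["role"] for m in mappers
                   if claim_matches(id_token_claims, m["config"]["claim"], m["config"]["claim.value"])})


# Constructed sample: what an Okta ID token might carry once the 'groups' claim is
# actually configured on the authorization server; no real users or tenants.
SAMPLE_CLAIMS = {"sub": "00u-demo", "email": "partner@example.invalid",
                 "groups": ["Everyone", "partner-readers"]}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SAMPLE_TOKEN = ".".join([_b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode()),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
                         "c2ln"])  # fake signature segment, inspection only

MAPPERS = [
    build_claim_to_role_mapper("okta-readers", "groups", "partner-readers", "service-reader"),
    build_claim_to_role_mapper("okta-admins", "groups", "partner-admins", "service-admin", "FORCE"),
]

if __name__ == "__main__":
    print("POST", mapper_endpoint())
    print(json.dumps(MAPPERS[0], indent=2))
    print("groups seen in token:", jwt_payload(SAMPLE_TOKEN).get("groups"))
    print("roles the mappers would grant:", roles_granted(SAMPLE_CLAIMS, MAPPERS))
```

If `jwt_payload(...)` on a real token shows no `groups` key, the problem is upstream of Keycloak (the claim is not being issued for that scope/client), and no mapper will fire; when the claim is present but roles do not appear for an existing user, check the sync mode, since a mapper that runs only at first login leaves an already-linked user untouched.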