Keycloak user federation create groups


there is the following problem/scenario: I need to integrate users from a user database to keycloak via user federation.
I can add the user federation provider successfully and was querying the users via UserStorageProviderFactory.

My code is based on this example:

The class is implementing the following interfaces.

public class DemoUserStorageProvider implements UserStorageProvider, UserLookupProvider, UserQueryProvider, CredentialInputUpdater, CredentialInputValidator

public List<UserModel> searchForUser(Map<String, String> params, RealmModel realm, int firstResult,
		int maxResults) {
	TypedQuery<Nutzer> query = entityManager.createQuery("select n from Nutzer n", Nutzer.class);
	List<Nutzer> findAllUsers = query.getResultList();
	return -> new UserAdapter(session, realm, model, user))
Problem: I can return Users wrapped around an UserAdapter. But the users also have a usergroup which needs to be generated in advance.

My question is now, how can I also add usergroups automatically? Shouldn´t be there also kind of GroupStorageProvider? I don´t really find the entry point how to create groups automatically with keycloak startup.

Thank you for your help!



Have you found a solution yet? I’m facing the same issue.

Thanks for your help!


not really. For my use case I´m still creating roles, groups,… programmatically.

But I was getting following advice:
“The RealmModel holds all the Groups. The User Storage Provider mainly stores and loads realms. When you load a user, you would have to check their group membership, and you could then create groups to map them to.
This is called Augmenting External Storage. This link has examples for how to create the augmented storage provider. It allows creating groups, adding users to existing groups, roles, etc.”

Hope this will help you. :slight_smile:

Thanks, I simplified my implementation and am just using a special attribute, where I provide my specific roles in it. I don’t mess with the Keycloak roles and groups at all.
This works because I can then add this attribute to the Access Token and do the authorization in my application based on that.