Now that SAML javascripts are gone, how to create custom attributes?

Hello,

We are using LDAP as the user federation back-end, and we used SAML JavaScript in a couple of client scope mappers. Now that the JavaScripting is gone, what are our options to achieve something like a user attribute whose result is a DB/LDAP user attribute + another DB/LDAP user attribute "or static string"? For example username-LDAProle, where username is a UserModel.attribute map and LDAProle is an actual string.

Thanks in advance!

You can still have SAML Javascript mappers. They have to be packaged in a jar file and stored on the server’s filesystem.

https://www.keycloak.org/docs/latest/server_development/index.html#_script_providers

Thanks @mbonn, but in general, is there another way to build custom values from one or more user attributes without JavaScript?

You can write a mapper in Java and integrate it in Keycloak, of course. Seems to be overkill in your simple case.

A "click and/or configure" solution is not available (how should such a solution look, if it is not possible to program it freely?).

Fair enough, I will look into the script providers then. Thanks again!

One more question: I got the scripts feature loaded, created the jar file and everything seems okay, created the mappers, so far so good, but got the error below

Error during execution of ProtocolMapper script: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'attribute-mapper-script_eduPersonEntitlement' problem was: TypeError: user.getAttribute is not a function in <eval> at line number 5

the script is as follows,

var JTHashSet = Java.type('java.util.HashSet');
var roles = new JTHashSet(); // not used further in this version of the script

// This is the call the error above complains about: `user` (the bound UserModel)
// exposes no getAttribute function to the script engine.
var userNameFromLDAP = user.getAttribute("username");

var eduPersonPrincipalName = userNameFromLDAP[0].toString() + "@staff";

print("eduPersonPrincipalName", eduPersonPrincipalName);
// The last evaluated expression is what the mapper emits as the attribute value.
eduPersonPrincipalName;

are we missing some sort of import?

Have you tried this syntax?

var userNameFromLDAP = user.attributes.username;

I know, this does not match the JavaDoc class documentation for user entities, but in my case it works...

I did change the syntax to

user.username

and this one works.

But I thought that user.getAttribute("username") should work fine; it's just that I have more than one SAML script to work out. Would this user.attributes.SOMETHING work with non-built-in attributes, like eduPersonEntitlement, which is fetched from LDAP for example?

For generic non-built-in attributes I typically use user.attributes.SOMETHING in scripts and .ftl templates, but user.attributes.get("SOMETHING") should also work in scripts.

https://www.keycloak.org/docs-api/20.0.1/javadocs/org/keycloak/models/UserModel.html

And before accessing a generic attribute I always check:

if (user.attributes.SOMETHING !== undefined
   && user.attributes.SOMETHING !== null
   && user.attributes.SOMETHING.length > 0) {
//...
}
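Putting the two halves of this thread together (the "username + LDAP attribute or static string" value from the original question, and the undefined/null/empty guard above), here is a complete script-mapper body as an added example; it is not code from the thread or from the Keycloak project. It is written in ES5 so it runs both under Keycloak's script engine and under Node.js. It assumes what the thread established: the engine exposes the bound UserModel's bean getters as properties (user.username) and getAttributes() as a map of attribute name to list of values (user.attributes). The attribute names LDAPRole and eduPersonEntitlement, the "@staff" suffix and the mock user are constructed for the example.

```javascript
// Added example: a Keycloak script-mapper body that builds a composite
// SAML attribute value from the bound UserModel. Inside Keycloak the
// variable `user` is bound by the mapper; offline (Node.js) the script
// falls back to the constructed mock below so it can be exercised.

// Return the first value of a (possibly multi-valued) user attribute, or null
// when the attribute is absent or empty. This is the guard from the thread,
// folded into one place so every script path gets it.
function firstAttribute(u, name) {
  var values = u.attributes ? u.attributes[name] : undefined;
  if (values === undefined || values === null || values.length === 0) {
    return null;
  }
  var v = values[0];
  return (v === undefined || v === null) ? null : String(v);
}

// Build "<username>-<role>", where role comes from a user attribute and falls
// back to a static string when the attribute is missing (the "or static
// string" case of the original question). Returns null when there is no
// username so the mapper emits nothing instead of "undefined-staff".
function buildCompositeValue(u, roleAttribute, fallbackRole) {
  var username = u.username; // bean getter getUsername() seen as a property
  if (username === undefined || username === null || String(username).length === 0) {
    return null;
  }
  var role = firstAttribute(u, roleAttribute);
  if (role === null) {
    role = fallbackRole;
  }
  return String(username) + "-" + role;
}

// Build "<username>@<scope>" for an eduPersonPrincipalName-style attribute,
// with the same null-on-missing-username behaviour.
function buildPrincipalName(u, scope) {
  var username = u.username;
  if (username === undefined || username === null || String(username).length === 0) {
    return null;
  }
  return String(username) + "@" + scope;
}

// Constructed mock shaped like the engine's view of a UserModel: getters as
// properties, attributes as name -> list of values (LDAP attributes are often
// multi-valued, hence the arrays).
var mockUser = {
  username: "jdoe",
  attributes: {
    eduPersonEntitlement: ["urn:mace:dir:entitlement:common-lib-terms"],
    LDAPRole: ["staff", "faculty"]
  }
};

// Prefer the mapper-bound `user`; use the mock only when running offline.
var target = (typeof user !== "undefined") ? user : mockUser;

// The last evaluated expression is what the mapper emits as the attribute
// value. Swap in buildPrincipalName(target, "staff") for the "@staff" case.
buildCompositeValue(target, "LDAPRole", "member");
```

Two practitioner notes. First, the script returns null rather than throwing when data is missing; an exception in a mapper surfaces as the ScriptExecutionException seen earlier in the thread and breaks the whole assertion for that user, so check how your Keycloak version treats a null mapper result before relying on it. Second, the script jar executes with the server's privileges (it can reach keycloakSession, not just the user), so the jar must be treated as code under the same review and deployment controls as a Java provider, not as configuration; the jar is only picked up when the scripts feature is enabled and the script is declared in META-INF/keycloak-scripts.json, as the script-providers documentation linked above describes.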

Thanks @mbonn, did that earlier today and it worked; moving on to the next problem with the client interface :) I think I am getting there, it's just way overkill for such simple tasks, wish it was click and configure.