Replacement for JS SAML mapper - need to pass 'admin-[username]' as group attribute

I’m finally upgrading my Keycloak system from v17 to v20, and I discovered that the JS SAML mapper has been removed. I used to use it to pass a SAML attribute named groups that was simply admin-[username]:

var stringArray = java.lang.reflect.Array.newInstance(java.lang.String.class, 2);

var username = user.getUsername();
stringArray[0] = 'admin';
stringArray[1] = 'admin-' + username;

Is there a way to do this without writing a custom provider? I’m capable of doing that, but I’d rather use a native method if available.


Well, it’s not my best work (my Java is very rusty), but this does the trick:

With this, you can combine any text with user properties (email, federationLink, firstName, id, lastName, serviceAccountClientLink, or username) and/or custom user attributes. Properties or attributes must be surrounded with backticks (`). To escape a backtick, use a backslash (\). For example:

  • username and lastName will be replaced with the user properties username and lastName, respectively.
  • The backticks around lastName will be escaped and left in place.
  • customAttribName will be replaced with the user attribute of the same name, but if this attribute does not exist, the text customAttribName will be left in place.
  • All other text will appear as text.

Honestly, this provider could replace the saml-hardcode-attribute-mapper, saml-user-property-mapper, and saml-user-attribute-mapper providers. Mine allows mappers to be created with all three mapper sources on their own or as a dynamic combination of all sources.