SAML Attribute to Role Mapper problem

Hi All,

We are using Keycloak version 7.0.1 as an identity broker for authenticating our APP GUIs with Azure AD. For this we have added the APP GUIs (six GUIs) as OIDC clients and Azure AD as a SAML 2.0 identity provider. We have also defined IdP mappers of type “SAML Attribute to Role Mapper” for mapping the app roles returned by Azure to the GUI clients' roles. The client and role mapper config is as follows:

  1. We have configured six GUI clients (DQI, PLF, BSF, USDP, IAM and NAP) and their roles (two roles per GUI), e.g. for the DQI GUI: DQI_READ_ONLY and DQI_ADMIN_EDIT.
  2. 18 IdP mapper configs for client roles:
    => 6 read-only mappers (Azure roles dqi-reader, plf-reader, etc.) mapped to the _READ_ONLY roles
    => 6 write-only mappers (Azure roles dqi-writer, plf-writer, etc.) mapped to the _ADMIN_EDIT roles
    => 6 mappers for the superuser (Azure role gui-superuser) mapped to the _ADMIN_EDIT roles

app-superuser-role-mapper

PROBLEM:
The problem we are facing is that when the user already exists in the Keycloak DB (using MariaDB), some of the role mappers don't work, e.g.:
If the user had the “gui-superuser” role in Azure:
Expected behavior: the user should get all six clients' ADMIN_EDIT roles.
Actual outcome: the user only gets three clients' ADMIN_EDIT roles; e.g. the PLF, USDP and IAM role mappings don't work.

Kindly note that if the user doesn't exist and is logging in for the first time, the role mappings work fine, but from the next time onwards they don't work and the behavior remains the same (I mean the same set of role mappings don't work, maybe because the role retrieval from the DB is always the same).

To troubleshoot this problem, we limited our use case to a simple set of role mappings, e.g. defined only the six role mappers for the gui-superuser Azure role, and we found that the role mapping worked fine in that case.

So, we suspect that the problem is happening because we are defining many sets of role mappings (reader/writer/superuser), and because of that we are seeing issues with the role mappings.

We also checked the Keycloak DEBUG logs, but couldn't find any useful information about the role mapping issue; there were no error logs about role mappings that failed, etc.

Kindly help us with following:

  1. Is it OK for our use case to define three sets of role mappers (reader/writer/superuser) for the GUI clients, and should Keycloak support it out of the box?
  2. Is our role mapper definition correct, or are we missing something?
  3. Kindly help us narrow down the problem, as we urgently need to fix this issue.

Appreciate any help.

Thanks
Deepak
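The following is an added example, not code from the post above or from Keycloak. It models the 18 mappers the post describes in the shape the Keycloak admin REST API returns them (`GET /admin/realms/{realm}/identity-provider/instances/{alias}/mappers`, each with `identityProviderMapper`, `name` and a `config` map holding `attribute.name`, `attribute.value` and `role`, the last using Keycloak's `clientId.roleName` syntax for client roles). Given the Azure AD role values a user presents, it computes the client roles the mapper set should produce, diffs that against the roles actually observed on the user (the three-of-six outcome from the post, reconstructed as sample data), and lists target roles that more than one mapper grants. Assumptions, labelled in the code: the SAML attribute name is taken to be the Azure AD role claim URI `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`, the mapper names are invented, and whether a mapper also removes its target role on a later login when its own attribute value is absent is not established by the post; the overlap check only surfaces which roles would be affected if it does.

```python
"""Offline consistency check for a set of Keycloak SAML-attribute-to-role mappers.

Added example; not from the original post or from Keycloak itself. The mapper
objects mimic the admin REST API representation but are constructed inline so
the check runs without a Keycloak server.
"""
from collections import defaultdict

GUIS = ["DQI", "PLF", "BSF", "USDP", "IAM", "NAP"]
# Assumed: Azure AD emits app roles under this SAML attribute name.
ROLE_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
SAML_ROLE_MAPPER = "saml-role-idp-mapper"


def _mapper(name, attr_value, role):
    """One mapper in the shape the admin REST API returns (mapper names are invented)."""
    return {
        "name": name,
        "identityProviderMapper": SAML_ROLE_MAPPER,
        "config": {"attribute.name": ROLE_ATTR, "attribute.value": attr_value, "role": role},
    }


def build_mappers(guis=GUIS):
    """The 18 mappers described in the post: per GUI one reader, one writer and
    one superuser mapper. Client roles use Keycloak's "<clientId>.<roleName>" syntax."""
    mappers = []
    for gui in guis:
        low = gui.lower()
        mappers.append(_mapper(f"{low}-reader-mapper", f"{low}-reader", f"{gui}.{gui}_READ_ONLY"))
        mappers.append(_mapper(f"{low}-writer-mapper", f"{low}-writer", f"{gui}.{gui}_ADMIN_EDIT"))
        mappers.append(_mapper(f"{low}-superuser-mapper", "gui-superuser", f"{gui}.{gui}_ADMIN_EDIT"))
    return mappers


def expected_roles(mappers, azure_roles):
    """Roles a user presenting the given Azure role values should hold: the union
    of the targets of every SAML role mapper whose attribute.value matches."""
    present = set(azure_roles)
    return {
        m["config"]["role"]
        for m in mappers
        if m["identityProviderMapper"] == SAML_ROLE_MAPPER
        and m["config"]["attribute.value"] in present
    }


def missing_roles(mappers, azure_roles, actual_roles):
    """Expected roles the user does not actually hold, sorted for stable output."""
    return sorted(expected_roles(mappers, azure_roles) - set(actual_roles))


def shared_targets(mappers):
    """Target roles granted by more than one mapper, with the attribute values that
    drive them. Each mapper acts on its own target role; if the Keycloak version in
    use also removes the target when the mapper's value is absent (not established
    by the post), two mappers on one role can work against each other."""
    by_role = defaultdict(list)
    for m in mappers:
        by_role[m["config"]["role"]].append(m["config"]["attribute.value"])
    return {role: sorted(vals) for role, vals in by_role.items() if len(vals) > 1}


def main():
    mappers = build_mappers()
    # Constructed sample: a user holding only the superuser app role in Azure AD,
    # and the roles the post reports as present after re-login (three of six).
    azure = ["gui-superuser"]
    observed = {"DQI.DQI_ADMIN_EDIT", "BSF.BSF_ADMIN_EDIT", "NAP.NAP_ADMIN_EDIT"}
    print("expected:", sorted(expected_roles(mappers, azure)))
    print("missing :", missing_roles(mappers, azure, observed))
    for role, vals in sorted(shared_targets(mappers).items()):
        print(f"{role} is granted by mappers for {vals}")


if __name__ == "__main__":
    main()
```

To run this against a real realm, replace `build_mappers()` with the JSON from the admin REST endpoint named above and `observed` with the user's effective client role mappings; the diff then shows exactly which mapper targets are not landing on the user.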