SAML role mapping and creating roles

Hello all,

We have Keycloak 18.0 in use and want to use it as a kind of translator. The setup in our scenario is the following:

Shibboleth IdP → Keycloak SP <-> Keycloak IdP → Application.

Via Shibboleth we send the well-known attribute eduPersonEntitlement, which contains various roles. These are already filtered by the IdP in advance, so that only a certain set of roles is sent to Keycloak. This works so far, but now I have the following challenge: we want to convert the attributes that follow a certain scheme into simple roles via RegEx.

Example: the string urn:mace:rwth.en:role:rero:3:rid=82be8363-7c4d-4e4a-aa52-a459a11b6ffe:name=Backup Admin:ikz=022000:orgid=ORG-42NHW should be converted to Backup Admin 022000 ORG-42NHW so that it remains human-readable and can be used in the target application. In addition, the role should be created in Keycloak if it doesn’t already exist, and there should be an API call to the target application that checks whether the role already exists there or needs to be created.

By reading the documentation I’m already at the point where I know I need a custom SPI mapper; however, I have no idea where exactly to start. Any help is appreciated.

Greetings

Stephan
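The RegEx step described in the post, as an added example in Java (my own code, not from the original post or the Keycloak project): it converts one entitlement URN of the scheme above into the readable role name and ignores everything else. The pattern, the character whitelists, and the two rejected sample values are assumptions; the name segment is restricted deliberately because the attribute value arrives from the IdP and ends up as a role name in Keycloak and the target application.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Turns an eduPersonEntitlement URN of the scheme from the post into a readable role name. */
public final class EntitlementRoleName {

    // Assumed pattern: only the one scheme from the post is accepted, anything else is ignored.
    // The name/ikz/orgid segments are whitelisted so that IdP-supplied text cannot produce
    // surprising role names (control characters, markup, separators).
    private static final Pattern ROLE_URN = Pattern.compile(
        "^urn:mace:rwth\\.en:role:rero:3"
        + ":rid=(?<rid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
        + ":name=(?<name>[A-Za-z0-9][A-Za-z0-9 _.-]{0,63})"
        + ":ikz=(?<ikz>[0-9]{1,12})"
        + ":orgid=(?<orgid>[A-Z0-9-]{1,32})$");

    private EntitlementRoleName() {}

    /** Returns "name ikz orgid" for a matching URN, or empty for any value that does not match. */
    public static Optional<String> toRoleName(String entitlement) {
        if (entitlement == null) {
            return Optional.empty();
        }
        Matcher m = ROLE_URN.matcher(entitlement.trim());
        if (!m.matches()) {
            return Optional.empty();
        }
        return Optional.of(m.group("name") + " " + m.group("ikz") + " " + m.group("orgid"));
    }

    public static void main(String[] args) {
        // Constructed sample attribute values: the one from the post plus two that must be ignored.
        String[] samples = {
            "urn:mace:rwth.en:role:rero:3:rid=82be8363-7c4d-4e4a-aa52-a459a11b6ffe"
                + ":name=Backup Admin:ikz=022000:orgid=ORG-42NHW",
            "urn:mace:rwth.en:role:rero:3:rid=82be8363-7c4d-4e4a-aa52-a459a11b6ffe"
                + ":name=admin<script>:ikz=1:orgid=X",
            "urn:mace:dir:entitlement:common-lib-terms"
        };
        for (String s : samples) {
            // First sample -> "Backup Admin 022000 ORG-42NHW", the other two -> "<ignored>"
            System.out.println(s + " -> " + toRoleName(s).orElse("<ignored>"));
        }
    }
}
```

Inside the mapper, the returned name is what you would look up in the realm and create if it is absent (RealmModel offers getRole and addRole for this), before granting it to the brokered user.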