User Roles Are Being Reset After Login (OpenId Identity Manager involved)

We are running a Keycloak 9.0.2 instance (one of many) along with an OIDC IDP configured to help facilitate Single Sign On with AzureAD Groups.

The layout usually involves: A Realm → an IDP → an AzureAD Group → IDP RoleMapper → Application Role.

In almost all of our deployments, users are auto-created and user role configurations are automatically applied on their first login. We are also usually able to add additional roles to the user’s role mappings and those additional role mappings aren’t overwritten by the IDP login process unless we delete their user account.

However, on this particular instance, every time a user logs in, their role mappings are reset to only the role mapping that was provided during the first login.

i.e.

Sinet logs in and is auto-assigned ROLE_A.

Sangitha assigns ROLE_B to Sinet’s user account manually.

Sinet logs in and the ROLE_B mapping is automatically removed.

We don’t mind this feature but we would like to understand how/why it is happening as we didn’t see any options to turn this functionality on/off.

Thanks for your time and attention.