Role mapping about scim-for-keycloak HOT 3 CLOSED

Hi, I guess you were trying to assign a role to a user by using the roles-attribute?
The roles-attribute is not meant to do this:
https://datatracker.ietf.org/doc/html/rfc7643#section-4.1.2

roles
      A list of roles for the user that collectively represent who the
      user is, e.g., "Student", "Faculty".  No vocabulary or syntax is
      specified, although it is expected that a role value is a String
      or label representing a collection of entitlements.  This value
      has no canonical types.

But it is basically possible to extend the plugin to be able to assign roles directly to groups or users but this would be some effort because it would either require a new endpoint to manage realm-roles or a custom-extension on the exsting SCIM resources User and Group to add those roles directly.

Any particular reason you need this feature?

from scim-for-keycloak.

Thanks for your response!

Our (my and my team's) idea was to assign a user to a role with SCIM request. We expected that Role property exists for that purpose but we found out that it does not. We opted out to using Groups instead.

By the way, can you please point out how we can extend the plugin? Or add a new endpoint?

from scim-for-keycloak.

What exactly is your plan? I can think of several solutions.

1. using the members attribute to assign roles to a group requires also the definition of a custom-endpoint for roles.
2. a custom-attribute definition named kcRealmRoles could be used to assign roles by either name or id.

Which extension do you mean?
The Open Source plugin has reached end of life with keycloak 21. For this purpose the plugin was completely rebuild to be usable with keycloak 21+. https://scim-for-keycloak.de
The enterprise version is not open source though. But I could add an extension for this purpose in a future version.

from scim-for-keycloak.