
Transforming LDAP group memberships to SAML Attributes in Keycloak


I need to transform the group memberships from an external LDAP directory into a SAML attribute within a SAML session using Keycloak. There will be an undefined number of group memberships for each user. The group name will have a tenant ID for Amazon AWS and the defined role for the user within Amazon (e.g. AWS-11111111111-Administrator), so I am quite sure that the way has to be to use the JavaScript Mapper in the client configuration and do some substring modification.

Example for LDAP Groups (Multiple Groups per user)

AWS-11111111111-Administrator
AWS-11111111111-Contributer

SAML Attributes will have to look like:

arn:aws:iam::11111111111:saml-provider/ProviderName,arn:aws:iam::11111111111:role/Administrator
arn:aws:iam::11111111111:saml-provider/ProviderName,arn:aws:iam::11111111111:role/Contributer

Solution

  • I helped myself with this. The biggest part of the issue for me was the missing "test-button" to verify what the code is doing. Also, finding out that a simple JavaScript Array is not iterated at the end (contrary to what the mouse-over hints say).

    You need to keep in mind that this is the server-side Nashorn interpreter so it has not much to do with JavaScript that usually runs in the browser... sorry for potential inaccuracy within my question:

    /**
     * Available variables:
     * user - the current user
     * realm - the current realm
     * clientSession - the current clientSession
     * userSession - the current userSession
     * keycloakSession - the current keycloakSession
     */

    // use the identifier variable to filter the relevant groups for this client
    var identifier = 'aws'.toLowerCase();

    var ArrayList = Java.type('java.util.ArrayList');

    var GroupSet = user.getGroups();
    var Output = new ArrayList();

    // Nashorn-only "for each" loop over the Java Set<GroupModel>
    for each (var group in GroupSet) {
        if (group.getName().toLowerCase().contains(identifier)) {
            // group names look like "AWS-11111111111-Administrator":
            // index 0 = prefix, 1 = AWS account (tenant) ID, 2 = role name
            var GroupNameArray = group.getName().split('-');
            var tenant = GroupNameArray[1];
            var role = GroupNameArray[2];
            // one attribute value per group: "<provider ARN>,<role ARN>"
            Output.add("arn:aws:iam::" + tenant + ":saml-provider/company,arn:aws:iam::" + tenant + ":role/" + role);
        }
    }

    // the script's last expression is the attribute value;
    // returning an ArrayList yields a multi-valued SAML attribute
    Output;
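The same transformation as a standalone, testable function (an added example, not code from the answer above): it anchors the match on the group-name prefix instead of a loose "contains" check, so unrelated groups are skipped rather than turned into "role/undefined" values, and it keeps hyphens inside role names. The function name, the regex and the sample group list are assumptions; it is written in ES5 so it also runs under Keycloak's Nashorn mapper.

```javascript
// Added example, not part of the original answer. Group names and the provider
// name below are constructed sample data.

// "<identifier>-<digits>-<role>", e.g. "AWS-11111111111-Administrator"
var AWS_GROUP_PATTERN = /^([a-z]+)-(\d+)-(.+)$/i;

function groupsToAwsRoleAttributes(groupNames, identifier, providerName) {
  var wanted = String(identifier).toLowerCase();
  var out = [];
  for (var i = 0; i < groupNames.length; i++) {
    var m = AWS_GROUP_PATTERN.exec(String(groupNames[i]));
    // Skip anything that does not match the full shape or carries another
    // prefix: "contains('aws')" would also accept e.g. "claws-...".
    if (m === null || m[1].toLowerCase() !== wanted) continue;
    var tenant = m[2];
    var role = m[3]; // hyphens inside the role name survive, e.g. "Power-User"
    out.push("arn:aws:iam::" + tenant + ":saml-provider/" + providerName +
             ",arn:aws:iam::" + tenant + ":role/" + role);
  }
  return out;
}

// Constructed sample: two groups for one tenant, one for another tenant,
// one with a different prefix and one malformed name (both must be dropped).
var SAMPLE_GROUPS = [
  "AWS-11111111111-Administrator",
  "AWS-11111111111-Contributer",
  "AWS-22222222222-Power-User",
  "claws-11111111111-ReadOnly",
  "AWS-Administrator"
];

var SAMPLE_ATTRIBUTES = groupsToAwsRoleAttributes(SAMPLE_GROUPS, "aws", "ProviderName");

// Inside the Keycloak mapper you would collect the names with
// "for each (var g in user.getGroups()) names.push(g.getName());" and end the
// script with Java.to(groupsToAwsRoleAttributes(names, 'aws', 'company'), 'java.util.List');
if (typeof console !== "undefined") {
  SAMPLE_ATTRIBUTES.forEach(function (v) { console.log(v); });
}
```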