[KEYSTONE][FEDERATION] Groups mapping problem when using keycloak as IDP

Taltavull Jean-Francois jean-francois.taltavull at elca.ch
Mon Feb 1 13:44:02 UTC 2021


In order to implement identity federation, I've deployed (with OSA) keystone (Ussuri) as Service Provider and Keycloak as IDP.

As one can read at [1], "groups" can have multiple values and each value must be separated by a ";"

But, in the OpenID token sent by keycloak, groups are represented with a JSON list and keystone fails to parse it well (only the first group of the list is mapped).

Have any of you already faced this problem?

Thanks!


[1] https://docs.openstack.org/keystone/ussuri/admin/federation/mapping_combinations.html
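
The format mismatch described in the message above, as an added example that is not part of the original post and is not keystone or Keycloak code: a hypothetical helper, `normalize_groups_claim`, turns a groups claim delivered as a JSON list into the ";"-separated form that the documentation at [1] requires, and rejects a group name that itself contains ";". The function names, the sample payload and the handling of a leading "/" in group paths are assumptions.

```python
import json

DELIM = ";"  # separator required by the mapping documentation cited in the post

# Constructed sample: a token payload whose groups claim is a JSON list.
SAMPLE_ID_TOKEN_PAYLOAD = (
    '{"preferred_username": "alice",'
    ' "groups": ["/admins", "/developers", "/ops"]}'
)


def normalize_groups_claim(claim, strip_path=True):
    """Return the groups claim as one ';'-separated string.

    Accepts a decoded list, a JSON-list string such as '["a", "b"]',
    or a string that is already ';'-separated.
    """
    if isinstance(claim, str):
        text = claim.strip()
        claim = json.loads(text) if text.startswith("[") else text.split(DELIM)
    if not isinstance(claim, (list, tuple)):
        raise ValueError("groups claim must be a list or a string")
    groups = []
    for item in claim:
        if not isinstance(item, str):
            raise ValueError(f"non-string group entry: {item!r}")
        name = item.strip()
        if strip_path:
            # Assumption: the IdP emits full group paths such as "/admins".
            name = name.lstrip("/")
        if not name:
            continue
        if DELIM in name:
            # A name holding the delimiter would be split into extra
            # groups by whatever parses the joined string afterwards.
            raise ValueError(f"group name contains {DELIM!r}: {name!r}")
        if name not in groups:
            groups.append(name)
    return DELIM.join(groups)


def groups_from_payload(payload_json):
    """Extract and normalize the groups claim from a decoded token payload."""
    return normalize_groups_claim(json.loads(payload_json).get("groups", []))


if __name__ == "__main__":
    print(groups_from_payload(SAMPLE_ID_TOKEN_PAYLOAD))
```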
