Hello,

Actually, the solution is to add this line to the Apache configuration:

OIDCClaimDelimiter ";"

The problem is that this configuration variable does not exist in the OSA keystone role and its Apache configuration template (https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/templates/keystone-httpd.conf.j2).

Jean-Francois

> -----Original Message-----
> From: Taltavull Jean-Francois
> Sent: Monday, 1 February 2021 14:44
> To: openstack-discuss at lists.openstack.org
> Subject: [KEYSTONE][FEDERATION] Groups mapping problem when using
> keycloak as IDP
>
> Hello,
>
> In order to implement identity federation, I've deployed (with OSA) keystone
> (Ussuri) as Service Provider and Keycloak as IDP.
>
> As one can read at [1], "groups" can have multiple values and each value must
> be separated by a ";"
>
> But, in the OpenID token sent by keycloak, groups are represented with a JSON
> list and keystone fails to parse it well (only the first group of the list is mapped).
>
> Have any of you already faced this problem?
>
> Thanks!
>
> Jean-François
>
> [1]
> https://docs.openstack.org/keystone/ussuri/admin/federation/mapping_combinations.html
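The following is an added example, not code from this thread, from keystone or from the OSA role. It models the delimiter mismatch the thread describes: mod_auth_openidc flattens a JSON-array claim such as `groups` into a single header/environment value joined by `OIDCClaimDelimiter` (default `,`), while the keystone mapping engine, per the mapping_combinations page cited above, splits a multi-valued attribute on `;`. The ID-token claims, the Apache vhost snippet and the `OIDC-` claim prefix are constructed for the example; the flattening and splitting functions are simplified models of the two components, not their real code. The last helper is the check a deployer would want: read the rendered keystone vhost and confirm the delimiter actually in effect.

```python
"""Added example: why OIDCClaimDelimiter must be ';' for keystone group mapping.

Simplified models of two components (not their real code):
  - flatten_claims:  mod_auth_openidc turning ID-token claims into OIDC-* values
  - split_multivalued: keystone splitting a multi-valued mapping attribute on ';'
"""
import json
import re

DEFAULT_DELIMITER = ","   # mod_auth_openidc default for OIDCClaimDelimiter
KEYSTONE_DELIMITER = ";"  # separator keystone expects for multi-valued attributes

# Constructed claims section of an ID token as Keycloak would issue it:
# "groups" is a JSON list, exactly the shape the thread complains about.
SAMPLE_ID_TOKEN_CLAIMS = json.dumps({
    "sub": "f1e2d3c4",
    "preferred_username": "jdoe",
    "groups": ["openstack-admins", "project-alpha", "project-beta"],
})

# Constructed fragment of a keystone Apache vhost with the fix applied.
SAMPLE_VHOST = """
OIDCProviderMetadataURL https://keycloak.example.test/auth/realms/osa/.well-known/openid-configuration
OIDCClientID keystone
OIDCClaimPrefix "OIDC-"
OIDCClaimDelimiter ";"
"""


def flatten_claims(id_token_claims_json, delimiter=DEFAULT_DELIMITER, prefix="OIDC-"):
    """Model of mod_auth_openidc: every claim becomes one prefix+name value;
    a JSON array claim is joined into a single string with `delimiter`."""
    flattened = {}
    for name, value in json.loads(id_token_claims_json).items():
        if isinstance(value, list):
            value = delimiter.join(str(v) for v in value)
        flattened[prefix + name] = str(value)
    return flattened


def split_multivalued(assertion, attr):
    """Model of the keystone mapping step: a remote attribute that may carry
    several values is split on ';' (see the mapping_combinations doc)."""
    raw = assertion.get(attr, "")
    return [v for v in raw.split(KEYSTONE_DELIMITER) if v]


def mapped_groups(id_token_claims_json, delimiter):
    """Groups keystone would see for a token, given the delimiter Apache uses."""
    assertion = flatten_claims(id_token_claims_json, delimiter)
    return split_multivalued(assertion, "OIDC-groups")


def claim_delimiter_in(apache_conf):
    """Return the OIDCClaimDelimiter set in an Apache config text, or the
    mod_auth_openidc default ',' when the directive is absent. Run this over
    the rendered keystone vhost to confirm the override really took effect."""
    for line in apache_conf.splitlines():
        m = re.match(r'\s*OIDCClaimDelimiter\s+"?([^"\s]+)"?\s*$', line)
        if m:
            return m.group(1)
    return DEFAULT_DELIMITER


if __name__ == "__main__":
    # With the default ',' keystone receives one bogus group name containing commas;
    # with ';' it receives the three real groups.
    for delim in (DEFAULT_DELIMITER, KEYSTONE_DELIMITER):
        print(repr(delim), "->", mapped_groups(SAMPLE_ID_TOKEN_CLAIMS, delim))
    print("vhost delimiter:", repr(claim_delimiter_in(SAMPLE_VHOST)))
```

Note the failure mode: with the default delimiter the user is not left with no groups, but with a single group whose name is the comma-joined list. Whether that then matches anything depends on how the mapping rule filters group names, so a mapping that whitelists groups by exact name is the safer pattern. Because the OSA template does not expose the directive, verify the rendered `keystone-httpd.conf` on the host after any role run rather than trusting the override variable.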