Multiple user profiles for users

We are going to use Keycloak as the authorization server in combination with Active Directory (AD). The users and groups are synchronized from AD to Keycloak.

The users from AD can have their basic profile and one or more specific profiles. A profile is a set of user attributes and a bunch of roles that depend on the project or office they are currently working for.

Nevertheless, there is only one username and password per user. The customer’s requirement is to avoid supplementary users for the specific profiles.

During login it would be necessary to

  • authenticate the user according to his main profile

  • then check if more profiles are available

  • and if so, then ask the user which one to take.

  • activate the profile

I did this in a custom authenticator. I imported the “profiles” as groups into Keycloak.

During login I would like to take the attributes from the corresponding group and overwrite the same attributes (same name) in the current user (my way to activate it).

Problem: Although the overwriting works fine, the user data gets overwritten in Keycloak. I would need these attributes only in the current session. But with User.setAttribute() the new value is saved in Keycloak DB or cache.

I also do not consider this overwriting solution to be the best one. I would be glad to have a more elegant solution for this problem. What would be the best way to achieve this? Maybe there is some “out of the box” solution without enhancing Keycloak and overwriting user data.

Thank you in advance!!

Heinz
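As an added example (not code from the original poster), the following custom authenticator shows one way to keep the activated profile out of the user record: instead of `UserModel.setAttribute()`, the selected group's attributes are written as user session notes on the `AuthenticationSessionModel`, which live only for that session and can be exposed in tokens with Keycloak's built-in "User Session Note" protocol mapper. The package name, the `profile` marker attribute on groups, the `select-profile.ftl` template, the form field name and the `profile.` note prefix are all assumptions for the example; `getGroupsStream()` is the Keycloak 13+ API (older releases have `getGroups()`), and releases before 22 import `javax.ws.rs` instead of `jakarta.ws.rs`. The posted profile name is validated against the user's own groups before it is activated, since the form value is client-controlled.

```java
package example.profiles;   // hypothetical package for this added example

import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;

import jakarta.ws.rs.core.MultivaluedMap;   // javax.ws.rs.core on Keycloak < 22
import jakarta.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Session-scoped profile activation. Placed in the browser flow after the
 * username/password step, so the user is already authenticated against the
 * main profile when this runs. Profile groups are recognised by the
 * (hypothetical) group attribute profile=true.
 */
public class ProfileSelectAuthenticator implements Authenticator {

    static final String PROFILE_MARKER = "profile";        // hypothetical group attribute
    static final String FORM_FIELD = "profile";            // <select name="profile"> in the template
    static final String NOTE_PREFIX = "profile.";          // namespace for the user session notes
    static final String TEMPLATE = "select-profile.ftl";   // hypothetical theme template

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        List<GroupModel> profiles = profileGroups(context.getUser());
        if (profiles.isEmpty()) {
            context.success();                              // only the main profile, nothing to choose
            return;
        }
        if (profiles.size() == 1) {
            activate(context.getAuthenticationSession(), profiles.get(0));
            context.success();
            return;
        }
        // Several profiles: ask the user. Only group names are handed to the template.
        Response form = context.form()
                .setAttribute("profiles", profiles.stream()
                        .map(GroupModel::getName).collect(Collectors.toList()))
                .createForm(TEMPLATE);
        context.challenge(form);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String chosen = form.getFirst(FORM_FIELD);
        // The posted value is attacker-controlled: accept it only if it names one of
        // the user's own profile groups, never a group looked up by name realm-wide.
        Optional<GroupModel> match = profileGroups(context.getUser()).stream()
                .filter(g -> g.getName().equals(chosen)).findFirst();
        if (!match.isPresent()) {
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        activate(context.getAuthenticationSession(), match.get());
        context.success();
    }

    /** Copy the group's attributes into user session notes instead of UserModel attributes. */
    static void activate(AuthenticationSessionModel authSession, GroupModel profile) {
        authSession.setUserSessionNote(NOTE_PREFIX + "name", profile.getName());
        for (Map.Entry<String, List<String>> attr : profile.getAttributes().entrySet()) {
            if (PROFILE_MARKER.equals(attr.getKey())) {
                continue;                                   // the marker itself is not profile data
            }
            authSession.setUserSessionNote(NOTE_PREFIX + attr.getKey(), String.join(",", attr.getValue()));
        }
    }

    /** Groups of this user that carry the profile marker; the main profile is not a group here. */
    static List<GroupModel> profileGroups(UserModel user) {
        return user.getGroupsStream()
                .filter(g -> "true".equals(g.getFirstAttribute(PROFILE_MARKER)))
                .collect(Collectors.toList());
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

To use it you still need the usual SPI plumbing that is not shown here: an `AuthenticatorFactory` registered in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, the `select-profile.ftl` template in the login theme, and this authenticator added as a step after the username/password form in a copy of the browser flow. Each note written here becomes a claim by adding a "User Session Note" mapper to the client (note name `profile.department`, for example) rather than a "User Attribute" mapper, and nothing is ever written to the user in the Keycloak database, so the AD-synchronized record stays untouched. Roles that belong to a profile are a separate concern: group role mappings are evaluated from the user's group membership, so a profile-specific role set would need to be filtered the same way (a protocol mapper or a script mapper reading the `profile.name` note) if the token should carry only the active profile's roles.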