Restricted mapper ‘Group Membership’

tuxmaster · May 12, 2025, 6:13am

With the ‘Group Membership’ mapper, all groups of which the user is a member are transferred as one claim. However, there are cases where, for data protection reasons, only one group including its subgroups may be transferred. Unfortunately, I can’t find a way to restrict the mapper.

For example, the user is a member of the groups Foo.B and Bar.C. But for data protection reasons, only the group Foo and its subgroups (in this case B) may be transferred.

I would therefore be grateful for any tips.

Thank you

dasniko · May 12, 2025, 2:43pm

Keycloak does not support this ootb, you’d have to write a custom mapper.

tuxmaster · May 12, 2025, 3:14pm

Thanks.
And how do you do that? I couldn’t find anything about it in the documentation.

Topic		Replies	Views
"Claim to User Group" Mapper Getting advice authentication , identity-brokering , oidc	3	2657	June 8, 2021
Filter groups in Keycloak 20.0.1 Getting advice	6	1666	February 8, 2024
Users Group Membership not affected in Groups Members overview Getting advice admin-console , admin-rest , authentication , user-federation , ldap	0	541	September 12, 2022
Overwrite existing user role mapping based on IDP mapper of claim to Group in KC 23 Getting advice admin-console	0	39	November 12, 2024
LDAP federation mapper: memberOf	1	420	October 5, 2021

Restricted mapper ‘Group Membership’

Related topics