Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License

[KeyCloak 22-b2] Group Membership is lost in SCIM call, when users are loaded from LDAP. #92

Closed jekahn closed 9 months ago

jekahn commented 9 months ago

Hi all!

Hopefully this is a quick misconfiguration issue. It seems that when I load Users & Groups from an LDAP, the Get User SCIM call doesn't return the groups, and the Get Groups SCIM call doesn't return the members.

I can see in the KeyCloak admin UI, the membership is fine on both.

When I create a user and group in the UI (not imported) everything comes back fine.

Thanks all!

Appreciate any help!

Captain-P-Goldfish commented 9 months ago

Ah I see. This is no configuration problem but might hopefully be solved with a configuration. The SCIM for Keycloak plugin is looking directly at the database for user-group relationships, forgetting that there might be a user federation in between. This was done due to some test cases with poor performance. Unfortunately I didn't think twice that I would exclude federations in this way. If I look into Keycloak's LDAP configuration it seems that only users can be synced with the Keycloak database. Or is it possible to also synchronize the groups?

If groups cannot be synced I will need to add an additional solution for this problem. But this might affect performance to a certain degree based on how much the SCIM endpoints are used and how many users are assigned to a group.

jekahn commented 9 months ago

Hi 👋 @Captain-P-Goldfish ! Appreciate the feedback!

I was able to sync both -- and I can see the membership in the KeyCloak Admin Console.

I can see the relationship between User and Groups on both:


I'm not sure if there is something different to make sure the groups are synced.

I tried messing around with the mode on the group-mapper -- and I assume they would be synced to the DB.

Captain-P-Goldfish commented 9 months ago

Okay, I was able to find the source of the problem. When the groups are synchronized from LDAP to Keycloak, the group relations are not. They are accessed from the LDAP directly and cached afterwards to have better and faster access to these mappings. I can fix this issue. I should have it ready by the start of next week.

jekahn commented 9 months ago

You are the best! Thanks so much! Saves me from recreating all the users!

Captain-P-Goldfish commented 9 months ago

I added a new configuration option that allows toggling between the two implementations. The explanation can be seen on the screenshot. So when I provide the next release, you need to explicitly toggle this feature on.


jekahn commented 9 months ago

Thank you so much! Appreciate the speedy work!

I will look out for the updated jar!

jekahn commented 9 months ago

Tested the updated jar!

It works perfectly! Thanks so much!

{
  "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ],
  "id": "39c8ae29-c1a2-4985-b2b5-80546b39fcce",
  "userName": "ceadmin",
  "active": true,
  "emails": [ { "value": "ceadmin@sample", "primary": true } ],
  "name": { "familyName": "CEAdmin" },
  "groups": [
    { "value": "9be1b07e-db39-4d8e-92cc-fc6bb3b6a7bc", "display": "AllSharedUsers", "type": "direct" },
    { "value": "114d862d-4bcb-43db-82ac-5ecc243eeb30", "display": "P8Admins", "type": "direct" },
    { "value": "907bbdd1-7f3c-418b-82ab-c6e301c7ba6a", "display": "OSAdminGroup", "type": "direct" },
    { "value": "0c12e429-aad9-40d9-955b-3604626082a8", "display": "CEAdminGroup", "type": "direct" }
  ],
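A consistency check for the two SCIM views this thread is about (the groups attribute of /Users versus the members attribute of /Groups), added here as an illustration and not code from the scim-for-keycloak project. It assumes you have already fetched both endpoints; the sample data below is constructed, with the ceadmin entry copied from the JSON above and a made-up "ldapuser" standing in for an LDAP-federated user whose memberships were not resolved, and the optional expected map stands for the memberships you can see in the admin console.

```python
from typing import Dict, Iterable, Set

# Constructed sample SCIM responses (SCIM 2.0 core schema shapes). The ceadmin
# entry mirrors the JSON posted in the thread; "ldapuser" is made up to model an
# LDAP-federated user whose group relations the plugin did not resolve.
SCIM_USERS = [
    {"id": "39c8ae29-c1a2-4985-b2b5-80546b39fcce", "userName": "ceadmin",
     "groups": [{"value": "9be1b07e-db39-4d8e-92cc-fc6bb3b6a7bc", "display": "AllSharedUsers", "type": "direct"},
                {"value": "114d862d-4bcb-43db-82ac-5ecc243eeb30", "display": "P8Admins", "type": "direct"}]},
    {"id": "u-ldap-0001", "userName": "ldapuser", "groups": []},
]
SCIM_GROUPS = [
    {"id": "9be1b07e-db39-4d8e-92cc-fc6bb3b6a7bc", "displayName": "AllSharedUsers",
     "members": [{"value": "39c8ae29-c1a2-4985-b2b5-80546b39fcce"}, {"value": "u-ldap-0001"}]},
    {"id": "114d862d-4bcb-43db-82ac-5ecc243eeb30", "displayName": "P8Admins",
     "members": [{"value": "39c8ae29-c1a2-4985-b2b5-80546b39fcce"}]},
]

def memberships_from_users(users: Iterable[dict]) -> Dict[str, Set[str]]:
    """User id -> group ids, as reported by /Users (the 'groups' attribute)."""
    return {u["id"]: {g["value"] for g in u.get("groups", [])} for u in users}

def memberships_from_groups(groups: Iterable[dict]) -> Dict[str, Set[str]]:
    """User id -> group ids, as reported by /Groups (the 'members' attribute)."""
    out: Dict[str, Set[str]] = {}
    for grp in groups:
        for m in grp.get("members", []):
            out.setdefault(m["value"], set()).add(grp["id"])
    return out

def find_inconsistencies(users, groups, expected=None):
    """Per user: groups missing from one SCIM view, or from a trusted 'expected' map."""
    by_user = memberships_from_users(users)
    by_group = memberships_from_groups(groups)
    result = {"user_view_missing": {}, "group_view_missing": {}, "expected_missing": {}}
    for uid in set(by_user) | set(by_group) | set(expected or {}):
        u, g = by_user.get(uid, set()), by_group.get(uid, set())
        if g - u:
            result["user_view_missing"][uid] = g - u   # /Groups says member, /Users does not
        if u - g:
            result["group_view_missing"][uid] = u - g  # /Users says member, /Groups does not
        want = (expected or {}).get(uid, set())
        if want - u:
            result["expected_missing"][uid] = want - u  # admin console shows it, SCIM does not
    return result

if __name__ == "__main__":
    # Trusted memberships, e.g. read off the admin console for the LDAP user
    expected = {"u-ldap-0001": {"9be1b07e-db39-4d8e-92cc-fc6bb3b6a7bc"}}
    for kind, hits in find_inconsistencies(SCIM_USERS, SCIM_GROUPS, expected).items():
        for uid, gids in hits.items():
            print(f"{kind}: user {uid} is missing groups {sorted(gids)}")
```

An empty result for all three keys after toggling the new option on is the quick regression check that federated memberships now reach both SCIM endpoints.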