From a119a46495f1cea8f41e4729f177ddee7ffa9eae Mon Sep 17 00:00:00 2001
From: hassaneinaltememyictu
Date: Mon, 24 Oct 2016 17:17:22 +0200
Subject: [PATCH] grant the new role from the saml token if it exist grant the user with the new role from the saml token if it is a realm role in keycloak
---
 .../keycloak/broker/saml/mappers/AttributeToRoleMapper.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/services/src/main/java/org/keycloak/broker/saml/mappers/AttributeToRoleMapper.java b/services/src/main/java/org/keycloak/broker/saml/mappers/AttributeToRoleMapper.java
index 1b0f07ae24..cb1e35121e 100755
--- a/services/src/main/java/org/keycloak/broker/saml/mappers/AttributeToRoleMapper.java
+++ b/services/src/main/java/org/keycloak/broker/saml/mappers/AttributeToRoleMapper.java
@@ -139,10 +139,12 @@ public class AttributeToRoleMapper extends AbstractIdentityProviderMapper {
 @Override
 public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
 String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
+ RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
+ if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
 if (!isAttributePresent(mapperModel, context)) {
- RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
- if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
 user.deleteRoleMapping(role);
+ }else{
+ user.grantRole(role);
 }
 }
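Review bot: The new `else` branch calls `user.grantRole(role)` on every brokered login where the attribute is present, so a role an administrator removed locally is granted again at the next login, and nothing in the hunk records that the change was driven by the SAML assertion. I would state this above the `if`, e.g. `// The IdP assertion is authoritative for this role on every login: attribute present -> grant, absent -> revoke.`, and consider logging both the grant and the revocation with the user and role for audit. Moving the lookup out of the `if` also means the `IdentityBrokerException` for a missing role is now raised on every update rather than only when the attribute is absent; that fails closed, but it presumably blocks every login through this mapper until its configuration is fixed, which deserves a mention in the commit message. On style, `}else{` should be `} else {` and the one-line `if (role == null) throw ...` would read better with braces.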