grant the new role from the saml token if it exist

grant the user with the new role from the saml token if it is a realm role in keycloak
2016-10-24 17:17:22 +02:00 · 2016-10-24 17:17:22 +02:00 · a119a46495
commit a119a46495
parent dcaac76b4b
1 changed files with 4 additions and 2 deletions
--- a/services/src/main/java/org/keycloak/broker/saml/mappers/AttributeToRoleMapper.java
+++ b/services/src/main/java/org/keycloak/broker/saml/mappers/AttributeToRoleMapper.java
@ -139,10 +139,12 @@ public class AttributeToRoleMapper extends AbstractIdentityProviderMapper {
    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
-        if (!isAttributePresent(mapperModel, context)) {
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
+        if (!isAttributePresent(mapperModel, context)) {
            user.deleteRoleMapping(role);
+        }else{
+            user.grantRole(role);
        }

    }