Decouple Identity provider mappers from RealmModel (#32251)

* Decouple Identity provider mappers from RealmModel Closes #31731 Signed-off-by: vramik <vramik@redhat.com>
2024-08-22 17:05:19 +02:00 · 2024-08-22 17:05:19 +02:00 · d63c0fbd13
commit d63c0fbd13
parent 4450e0e455
24 changed files with 434 additions and 177 deletions
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java
@ -1175,55 +1175,37 @@ public class RealmAdapter implements CachedRealmModel {

    @Override
    public Stream<IdentityProviderMapperModel> getIdentityProviderMappersStream() {
-        if (isUpdated()) return updated.getIdentityProviderMappersStream();
-        return cached.getIdentityProviderMapperSet().stream();
+        return session.identityProviders().getMappersStream();
    }

    @Override
    public Stream<IdentityProviderMapperModel> getIdentityProviderMappersByAliasStream(String brokerAlias) {
-        if (isUpdated()) return updated.getIdentityProviderMappersByAliasStream(brokerAlias);
-        Set<IdentityProviderMapperModel> mappings = new HashSet<>(cached.getIdentityProviderMappers().getList(brokerAlias));
-        return mappings.stream();
+        return session.identityProviders().getMappersByAliasStream(brokerAlias);
    }

    @Override
    public IdentityProviderMapperModel addIdentityProviderMapper(IdentityProviderMapperModel model) {
-        getDelegateForUpdate();
-        return updated.addIdentityProviderMapper(model);
+        return session.identityProviders().createMapper(model);
    }

    @Override
    public void removeIdentityProviderMapper(IdentityProviderMapperModel mapping) {
-        getDelegateForUpdate();
-        updated.removeIdentityProviderMapper(mapping);
+        session.identityProviders().removeMapper(mapping);
    }

    @Override
    public void updateIdentityProviderMapper(IdentityProviderMapperModel mapping) {
-        getDelegateForUpdate();
-        updated.updateIdentityProviderMapper(mapping);
+        session.identityProviders().updateMapper(mapping);
    }

    @Override
    public IdentityProviderMapperModel getIdentityProviderMapperById(String id) {
-        if (isUpdated()) return updated.getIdentityProviderMapperById(id);
-        for (List<IdentityProviderMapperModel> models : cached.getIdentityProviderMappers().values()) {
-            for (IdentityProviderMapperModel model : models) {
-                if (model.getId().equals(id)) return model;
-            }
-        }
-        return null;
+        return session.identityProviders().getMapperById(id);
    }

    @Override
    public IdentityProviderMapperModel getIdentityProviderMapperByName(String alias, String name) {
-        if (isUpdated()) return updated.getIdentityProviderMapperByName(alias, name);
-        List<IdentityProviderMapperModel> models = cached.getIdentityProviderMappers().getList(alias);
-        if (models == null) return null;
-        for (IdentityProviderMapperModel model : models) {
-            if (model.getName().equals(name)) return model;
-        }
-        return null;
+        return session.identityProviders().getMapperByName(alias, name);
    }

    @Override
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedRealm.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedRealm.java
@ -39,7 +39,6 @@ import org.keycloak.models.CibaConfig;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.ClientScopeModel;
 import org.keycloak.models.GroupModel;
-import org.keycloak.models.IdentityProviderMapperModel;
 import org.keycloak.models.OAuth2DeviceConfig;
 import org.keycloak.models.OTPPolicy;
 import org.keycloak.models.ParConfig;
@ -158,18 +157,12 @@ public class CachedRealm extends AbstractExtendableRevisioned {
    protected String defaultRoleId;
    private boolean allowUserManagedAccess;

-    public Set<IdentityProviderMapperModel> getIdentityProviderMapperSet() {
-        return identityProviderMapperSet;
-    }
-
    protected List<String> defaultGroups;
    protected List<String> defaultDefaultClientScopes = new LinkedList<>();
    protected List<String> optionalDefaultClientScopes = new LinkedList<>();
    protected boolean internationalizationEnabled;
    protected Set<String> supportedLocales;
    protected String defaultLocale;
-    protected MultivaluedHashMap<String, IdentityProviderMapperModel> identityProviderMappers = new MultivaluedHashMap<>();
-    protected Set<IdentityProviderMapperModel> identityProviderMapperSet;

    protected Map<String, String> attributes;

@ -245,13 +238,6 @@ public class CachedRealm extends AbstractExtendableRevisioned {
        requiredCredentials = model.getRequiredCredentialsStream().collect(Collectors.toList());
        userActionTokenLifespans = Collections.unmodifiableMap(new HashMap<>(model.getUserActionTokenLifespans()));

-        this.identityProviderMapperSet = model.getIdentityProviderMappersStream().collect(Collectors.toSet());
-        for (IdentityProviderMapperModel mapper : identityProviderMapperSet) {
-            identityProviderMappers.add(mapper.getIdentityProviderAlias(), mapper);
-        }
-
-
-
        smtpConfig = model.getSmtpConfig();
        browserSecurityHeaders = model.getBrowserSecurityHeaders();

@ -617,10 +603,6 @@ public class CachedRealm extends AbstractExtendableRevisioned {
        return defaultLocale;
    }

-    public MultivaluedHashMap<String, IdentityProviderMapperModel> getIdentityProviderMappers() {
-        return identityProviderMappers;
-    }
-
    public Map<String, AuthenticationFlowModel> getAuthenticationFlows() {
        return authenticationFlows;
    }
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/idp/CachedIdentityProviderMapper.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/idp/CachedIdentityProviderMapper.java
@ -0,0 +1,44 @@
+/*
+ * Copyright 2024 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.models.cache.infinispan.idp;
+
+import org.keycloak.models.IdentityProviderMapperModel;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.cache.infinispan.entities.AbstractRevisioned;
+import org.keycloak.models.cache.infinispan.entities.InRealm;
+
+public class CachedIdentityProviderMapper extends AbstractRevisioned implements InRealm {
+
+    private final RealmModel realm;
+    private final IdentityProviderMapperModel mapper;
+
+    public CachedIdentityProviderMapper(Long revision, RealmModel realm, String cacheKey, IdentityProviderMapperModel mapper) {
+        super(revision, cacheKey);
+        this.realm = realm;
+        this.mapper = mapper;
+    }
+
+    @Override
+    public String getRealm() {
+        return realm.getId();
+    }
+
+    public IdentityProviderMapperModel getIdentityProviderMapper() {
+        return mapper;
+    }
+
+}
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/idp/InfinispanIDPProvider.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/idp/InfinispanIDPProvider.java
@ -20,8 +20,10 @@ import java.util.Map;
 import java.util.stream.Stream;
 import org.keycloak.common.Profile;
 import org.keycloak.models.IDPProvider;
+import org.keycloak.models.IdentityProviderMapperModel;
 import org.keycloak.models.IdentityProviderModel;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ModelException;
 import org.keycloak.models.OrganizationModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.cache.CacheRealmProvider;
@ -52,6 +54,10 @@ public class InfinispanIDPProvider implements IDPProvider {
        return realm.getId() + "." + alias + IDP_ALIAS_KEY_SUFFIX;
    }

+    private static String cacheKeyIdpMapperAliasName(RealmModel realm, String alias, String name) {
+        return realm.getId() + "." + alias + IDP_ALIAS_KEY_SUFFIX + "." + name;
+    }
+
    @Override
    public IdentityProviderModel create(IdentityProviderModel model) {
        registerCountInvalidation();
@ -167,6 +173,81 @@ public class InfinispanIDPProvider implements IDPProvider {
        idpDelegate.close();
    }

+    @Override
+    public IdentityProviderMapperModel createMapper(IdentityProviderMapperModel model) {
+        return idpDelegate.createMapper(model);
+    }
+
+    @Override
+    public void updateMapper(IdentityProviderMapperModel model) {
+        registerIDPMapperInvalidation(model);
+        idpDelegate.updateMapper(model);
+    }
+
+    @Override
+    public boolean removeMapper(IdentityProviderMapperModel model) {
+        registerIDPMapperInvalidation(model);
+        return idpDelegate.removeMapper(model);
+    }
+
+    @Override
+    public void removeAllMappers() {
+        // no need to invalidate each entry in cache, removeAllMappers() is (currently) called only in case the realm is being deleted
+        idpDelegate.removeAllMappers();
+    }
+
+    @Override
+    public IdentityProviderMapperModel getMapperById(String id) {
+        CachedIdentityProviderMapper cached = realmCache.getCache().get(id, CachedIdentityProviderMapper.class);
+        String realmId = getRealm().getId();
+        if (cached != null && !cached.getRealm().equals(realmId)) {
+            cached = null;
+        }
+
+        if (cached == null) {
+            Long loaded = realmCache.getCache().getCurrentRevision(id);
+            IdentityProviderMapperModel model = idpDelegate.getMapperById(id);
+            if (model == null) return null;
+            if (isInvalid(id)) return model;
+            cached = new CachedIdentityProviderMapper(loaded, getRealm(), id, model);
+            realmCache.getCache().addRevisioned(cached, realmCache.getStartupRevision());
+        } else if (isInvalid(id)) {
+            return idpDelegate.getMapperById(id);
+        }
+        return cached.getIdentityProviderMapper();
+    }
+
+    @Override
+    public IdentityProviderMapperModel getMapperByName(String identityProviderAlias, String name) {
+        String cacheKey = cacheKeyIdpMapperAliasName(getRealm(), identityProviderAlias, name);
+
+        if (isInvalid(cacheKey)) {
+            return idpDelegate.getMapperByName(identityProviderAlias, name);
+        }
+
+        CachedIdentityProviderMapper cached = realmCache.getCache().get(cacheKey, CachedIdentityProviderMapper.class);
+
+        if (cached == null) {
+            Long loaded = realmCache.getCache().getCurrentRevision(cacheKey);
+            IdentityProviderMapperModel model = idpDelegate.getMapperByName(identityProviderAlias, name);
+            if (model == null) return null;
+            cached = new CachedIdentityProviderMapper(loaded, getRealm(), cacheKey, model);
+            realmCache.getCache().addRevisioned(cached, realmCache.getStartupRevision());
+        }
+
+        return cached.getIdentityProviderMapper();
+    }
+
+    @Override
+    public Stream<IdentityProviderMapperModel> getMappersStream() {
+        return idpDelegate.getMappersStream();
+    }
+
+    @Override
+    public Stream<IdentityProviderMapperModel> getMappersByAliasStream(String identityProviderAlias) {
+        return idpDelegate.getMappersByAliasStream(identityProviderAlias);
+    }
+
    private void registerIDPInvalidation(IdentityProviderModel idp) {
        realmCache.registerInvalidation(idp.getInternalId());
        realmCache.registerInvalidation(cacheKeyIdpAlias(getRealm(), idp.getAlias()));
@ -176,6 +257,14 @@ public class InfinispanIDPProvider implements IDPProvider {
        realmCache.registerInvalidation(cacheKeyIdpCount(getRealm()));
    }

+    private void registerIDPMapperInvalidation(IdentityProviderMapperModel mapper) {
+        if (mapper.getId() == null) {
+            throw new ModelException("Identity Provider Mapper does not exist");
+        }
+        realmCache.registerInvalidation(mapper.getId());
+        realmCache.registerInvalidation(cacheKeyIdpMapperAliasName(getRealm(), mapper.getIdentityProviderAlias(), mapper.getName()));
+    }
+
    private RealmModel getRealm() {
        RealmModel realm = session.getContext().getRealm();
        if (realm == null) {
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/JpaIDPProvider.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/JpaIDPProvider.java
@ -31,6 +31,7 @@ import jakarta.persistence.criteria.CriteriaQuery;
 import jakarta.persistence.criteria.MapJoin;
 import jakarta.persistence.criteria.Predicate;
 import jakarta.persistence.criteria.Root;
+import java.util.stream.Collectors;
 import org.hibernate.Session;
 import org.jboss.logging.Logger;
 import org.keycloak.broker.provider.IdentityProvider;
@ -38,11 +39,13 @@ import org.keycloak.broker.provider.IdentityProviderFactory;
 import org.keycloak.broker.social.SocialIdentityProvider;
 import org.keycloak.connections.jpa.JpaConnectionProvider;
 import org.keycloak.models.IDPProvider;
+import org.keycloak.models.IdentityProviderMapperModel;
 import org.keycloak.models.IdentityProviderModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ModelException;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.jpa.entities.IdentityProviderEntity;
+import org.keycloak.models.jpa.entities.IdentityProviderMapperEntity;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.utils.StringUtil;

@ -163,6 +166,9 @@ public class JpaIDPProvider implements IDPProvider {
            // flush so that constraint violations are flagged and converted into model exception now rather than at the end of the tx.
            em.flush();

+            session.identityProviders().getMappersByAliasStream(alias).collect(Collectors.toList())
+                    .forEach(session.identityProviders()::removeMapper);
+
            // send identity provider removed event.
            RealmModel realm = this.getRealm();
            session.getKeycloakSessionFactory().publish(new RealmModel.IdentityProviderRemovedEvent() {
@ -313,6 +319,104 @@ public class JpaIDPProvider implements IDPProvider {
    public void close() {
    }

+    @Override
+    public IdentityProviderMapperModel createMapper(IdentityProviderMapperModel model) {
+        checkUniqueMapperNamePerIdentityProvider(model);
+
+        IdentityProviderMapperEntity entity = new IdentityProviderMapperEntity();
+        entity.setId(model.getId() == null ? KeycloakModelUtils.generateId() : model.getId());
+        entity.setName(model.getName());
+        entity.setIdentityProviderAlias(model.getIdentityProviderAlias());
+        entity.setIdentityProviderMapper(model.getIdentityProviderMapper());
+        entity.setRealmId(getRealm().getId());
+        entity.setConfig(model.getConfig());
+
+        em.persist(entity);
+        model.setId(entity.getId());
+
+        return model;
+    }
+
+    @Override
+    public void updateMapper(IdentityProviderMapperModel model) {
+        IdentityProviderMapperEntity entity = getMapperEntityById(model.getId(), true);
+        if (!model.getName().equals(entity.getName())) {
+            checkUniqueMapperNamePerIdentityProvider(model);
+        }
+
+        entity.setName(model.getName());
+        entity.setIdentityProviderAlias(model.getIdentityProviderAlias());
+        entity.setIdentityProviderMapper(model.getIdentityProviderMapper());
+        entity.setConfig(model.getConfig());
+    }
+
+    @Override
+    public boolean removeMapper(IdentityProviderMapperModel model) {
+        em.remove(getMapperEntityById(model.getId(), true));
+        return true;
+    }
+
+    @Override
+    public void removeAllMappers() {
+        CriteriaBuilder builder = em.getCriteriaBuilder();
+        CriteriaDelete<IdentityProviderMapperEntity> delete = builder.createCriteriaDelete(IdentityProviderMapperEntity.class);
+        Root<IdentityProviderMapperEntity> mapper = delete.from(IdentityProviderMapperEntity.class);
+        delete.where(builder.equal(mapper.get("realmId"), getRealm().getId()));
+        em.createQuery(delete).executeUpdate();
+    }
+
+    @Override
+    public IdentityProviderMapperModel getMapperById(String id) {
+        return toModel(getMapperEntityById(id, false));
+    }
+
+    @Override
+    public IdentityProviderMapperModel getMapperByName(String identityProviderAlias, String name) {
+        CriteriaBuilder builder = em.getCriteriaBuilder();
+        CriteriaQuery<IdentityProviderMapperEntity> query = builder.createQuery(IdentityProviderMapperEntity.class);
+        Root<IdentityProviderMapperEntity> mapper = query.from(IdentityProviderMapperEntity.class);
+
+        Predicate predicate = builder.and(
+                builder.equal(mapper.get("realmId"), getRealm().getId()),
+                builder.equal(mapper.get("identityProviderAlias"), identityProviderAlias),
+                builder.equal(mapper.get("name"), name));
+
+        TypedQuery<IdentityProviderMapperEntity> typedQuery = em.createQuery(query.select(mapper).where(predicate));
+        try {
+            return toModel(typedQuery.getSingleResult());
+        } catch (NoResultException nre) {
+            return null;
+        }
+    }
+
+    @Override
+    public Stream<IdentityProviderMapperModel> getMappersStream() {
+        CriteriaBuilder builder = em.getCriteriaBuilder();
+        CriteriaQuery<IdentityProviderMapperEntity> query = builder.createQuery(IdentityProviderMapperEntity.class);
+        Root<IdentityProviderMapperEntity> mapper = query.from(IdentityProviderMapperEntity.class);
+
+        Predicate predicate = builder.equal(mapper.get("realmId"), getRealm().getId());
+
+        TypedQuery<IdentityProviderMapperEntity> typedQuery = em.createQuery(query.select(mapper).where(predicate));
+
+        return closing(typedQuery.getResultStream().map(this::toModel));
+    }
+
+    @Override
+    public Stream<IdentityProviderMapperModel> getMappersByAliasStream(String identityProviderAlias) {
+        CriteriaBuilder builder = em.getCriteriaBuilder();
+        CriteriaQuery<IdentityProviderMapperEntity> query = builder.createQuery(IdentityProviderMapperEntity.class);
+        Root<IdentityProviderMapperEntity> mapper = query.from(IdentityProviderMapperEntity.class);
+
+        Predicate predicate = builder.and(
+                builder.equal(mapper.get("realmId"), getRealm().getId()),
+                builder.equal(mapper.get("identityProviderAlias"), identityProviderAlias));
+
+        TypedQuery<IdentityProviderMapperEntity> typedQuery = em.createQuery(query.select(mapper).where(predicate));
+
+        return closing(typedQuery.getResultStream().map(this::toModel));
+    }
+
    private IdentityProviderEntity getEntityById(String id, boolean failIfNotFound) {
        if (id == null) {
            if (failIfNotFound) {
@ -407,6 +511,42 @@ public class JpaIDPProvider implements IDPProvider {
        }
    }

+    private void checkUniqueMapperNamePerIdentityProvider(IdentityProviderMapperModel model) {
+        if (session.identityProviders().getMapperByName(model.getIdentityProviderAlias(), model.getName()) != null) {
+            throw new ModelException("Identity provider mapper name must be unique per identity provider");
+        }
+    }
+
+    private IdentityProviderMapperEntity getMapperEntityById(String id, boolean failIfNotFound) {
+        IdentityProviderMapperEntity entity = em.find(IdentityProviderMapperEntity.class, id);
+
+        if (failIfNotFound && entity == null) {
+            throw new ModelException("Identity Provider Mapper with id [" + id + "] does not exist");
+        }
+
+        if (entity == null) return null;
+
+        // check realm to ensure this entity is fetched in the context of the correct realm.
+        if (!getRealm().getId().equals(entity.getRealmId())) {
+            throw new ModelException("Identity Provider Mapper with id [" + entity.getId() + "] does not belong to realm [" + getRealm().getName() + "]");
+        }
+
+        return entity;
+    }
+
+    private IdentityProviderMapperModel toModel(IdentityProviderMapperEntity entity) {
+        if (entity == null) return null;
+
+        IdentityProviderMapperModel mapping = new IdentityProviderMapperModel();
+        mapping.setId(entity.getId());
+        mapping.setName(entity.getName());
+        mapping.setIdentityProviderAlias(entity.getIdentityProviderAlias());
+        mapping.setIdentityProviderMapper(entity.getIdentityProviderMapper());
+        Map<String, String> config = entity.getConfig() == null ? new HashMap<>() : new HashMap<>(entity.getConfig());
+        mapping.setConfig(config);
+        return mapping;
+    }
+
    private RealmModel getRealm() {
        RealmModel realm = session.getContext().getRealm();
        if (realm == null) {
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/JpaRealmProvider.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/JpaRealmProvider.java
@ -205,6 +205,7 @@ public class JpaRealmProvider implements RealmProvider, ClientProvider, ClientSc
        session.groups().preRemove(adapter);

        session.identityProviders().removeAll();
+        session.identityProviders().removeAllMappers();

        em.createNamedQuery("removeClientInitialAccessByRealm")
                .setParameter("realm", realm).executeUpdate();
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
@ -77,6 +77,7 @@ public class RealmAdapter implements StorageProviderRealmModel, JpaModel<RealmEn
        this.realm = realm;
    }

+    @Override
    public RealmEntity getEntity() {
        return realm;
    }
@ -225,7 +226,7 @@ public class RealmAdapter implements StorageProviderRealmModel, JpaModel<RealmEn
    @Override
    public Map<String, String> getAttributes() {
        // should always return a copy
-        Map<String, String> result = new HashMap<String, String>();
+        Map<String, String> result = new HashMap<>();
        for (RealmAttributeEntity attr : realm.getAttributes()) {
            result.put(attr.getName(), attr.getValue());
        }
@ -1279,106 +1280,37 @@ public class RealmAdapter implements StorageProviderRealmModel, JpaModel<RealmEn

    @Override
    public Stream<IdentityProviderMapperModel> getIdentityProviderMappersStream() {
-        return realm.getIdentityProviderMappers().stream().map(this::entityToModel);
+        return session.identityProviders().getMappersStream();
    }

    @Override
    public Stream<IdentityProviderMapperModel> getIdentityProviderMappersByAliasStream(String brokerAlias) {
-        return realm.getIdentityProviderMappers().stream()
-                .filter(e -> Objects.equals(e.getIdentityProviderAlias(), brokerAlias))
-                .map(this::entityToModel);
+        return session.identityProviders().getMappersByAliasStream(brokerAlias);
    }

    @Override
    public IdentityProviderMapperModel addIdentityProviderMapper(IdentityProviderMapperModel model) {
-        if (getIdentityProviderMapperByName(model.getIdentityProviderAlias(), model.getName()) != null) {
-            throw new RuntimeException("identity provider mapper name must be unique per identity provider");
-        }
-        String id = KeycloakModelUtils.generateId();
-        IdentityProviderMapperEntity entity = new IdentityProviderMapperEntity();
-        entity.setId(id);
-        entity.setName(model.getName());
-        entity.setIdentityProviderAlias(model.getIdentityProviderAlias());
-        entity.setIdentityProviderMapper(model.getIdentityProviderMapper());
-        entity.setRealm(this.realm);
-        entity.setConfig(model.getConfig());
-
-        em.persist(entity);
-        this.realm.getIdentityProviderMappers().add(entity);
-        return entityToModel(entity);
-    }
-
-    protected IdentityProviderMapperEntity getIdentityProviderMapperEntity(String id) {
-        for (IdentityProviderMapperEntity entity : this.realm.getIdentityProviderMappers()) {
-            if (entity.getId().equals(id)) {
-                return entity;
-            }
-        }
-        return null;
-
-    }
-
-    protected IdentityProviderMapperEntity getIdentityProviderMapperEntityByName(String alias, String name) {
-        for (IdentityProviderMapperEntity entity : this.realm.getIdentityProviderMappers()) {
-            if (entity.getIdentityProviderAlias().equals(alias) && entity.getName().equals(name)) {
-                return entity;
-            }
-        }
-        return null;
-
+        return session.identityProviders().createMapper(model);
    }

    @Override
    public void removeIdentityProviderMapper(IdentityProviderMapperModel mapping) {
-        IdentityProviderMapperEntity toDelete = getIdentityProviderMapperEntity(mapping.getId());
-        if (toDelete != null) {
-            this.realm.getIdentityProviderMappers().remove(toDelete);
-            em.remove(toDelete);
-        }
-
+        session.identityProviders().removeMapper(mapping);
    }

    @Override
    public void updateIdentityProviderMapper(IdentityProviderMapperModel mapping) {
-        IdentityProviderMapperEntity entity = getIdentityProviderMapperEntity(mapping.getId());
-        entity.setIdentityProviderAlias(mapping.getIdentityProviderAlias());
-        entity.setIdentityProviderMapper(mapping.getIdentityProviderMapper());
-        if (entity.getConfig() == null) {
-            entity.setConfig(mapping.getConfig());
-        } else {
-            entity.getConfig().clear();
-            if (mapping.getConfig() != null) {
-                entity.getConfig().putAll(mapping.getConfig());
-            }
-        }
-        em.flush();
-
+        session.identityProviders().updateMapper(mapping);
    }

    @Override
    public IdentityProviderMapperModel getIdentityProviderMapperById(String id) {
-        IdentityProviderMapperEntity entity = getIdentityProviderMapperEntity(id);
-        if (entity == null) return null;
-        return entityToModel(entity);
+        return session.identityProviders().getMapperById(id);
    }

    @Override
    public IdentityProviderMapperModel getIdentityProviderMapperByName(String alias, String name) {
-        IdentityProviderMapperEntity entity = getIdentityProviderMapperEntityByName(alias, name);
-        if (entity == null) return null;
-        return entityToModel(entity);
-    }
-
-    protected IdentityProviderMapperModel entityToModel(IdentityProviderMapperEntity entity) {
-        IdentityProviderMapperModel mapping = new IdentityProviderMapperModel();
-        mapping.setId(entity.getId());
-        mapping.setName(entity.getName());
-        mapping.setIdentityProviderAlias(entity.getIdentityProviderAlias());
-        mapping.setIdentityProviderMapper(entity.getIdentityProviderMapper());
-        Map<String, String> config = new HashMap<String, String>();
-        if (entity.getConfig() != null) config.putAll(entity.getConfig());
-        mapping.setConfig(config);
-        return mapping;
+        return session.identityProviders().getMapperByName(alias, name);
    }

    @Override
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/IdentityProviderMapperEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/IdentityProviderMapperEntity.java
@ -23,10 +23,8 @@ import jakarta.persistence.CollectionTable;
 import jakarta.persistence.Column;
 import jakarta.persistence.ElementCollection;
 import jakarta.persistence.Entity;
-import jakarta.persistence.FetchType;
 import jakarta.persistence.Id;
 import jakarta.persistence.JoinColumn;
-import jakarta.persistence.ManyToOne;
 import jakarta.persistence.MapKeyColumn;
 import jakarta.persistence.Table;
 import java.util.Map;
@ -58,9 +56,8 @@ public class IdentityProviderMapperEntity {
    @CollectionTable(name="IDP_MAPPER_CONFIG", joinColumns={ @JoinColumn(name="IDP_MAPPER_ID") })
    private Map<String, String> config;

-    @ManyToOne(fetch = FetchType.LAZY)
-    @JoinColumn(name = "REALM_ID")
-    private RealmEntity realm;
+    @Column(name = "REALM_ID")
+    private String realmId;

    public String getId() {
        return id;
@ -94,12 +91,12 @@ public class IdentityProviderMapperEntity {
        this.identityProviderMapper = identityProviderMapper;
    }

-    public RealmEntity getRealm() {
-        return realm;
+    public String getRealmId() {
+        return realmId;
    }

-    public void setRealm(RealmEntity realm) {
-        this.realm = realm;
+    public void setRealmId(String realmId) {
+        this.realmId = realmId;
    }

    public Map<String, String> getConfig() {
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
@ -187,9 +187,6 @@ public class RealmEntity {
    @Column(name="DEFAULT_ROLE")
    protected String defaultRoleId;

-    @OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true, mappedBy = "realm")
-    Collection<IdentityProviderMapperEntity> identityProviderMappers = new LinkedList<>();
-
    @OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true, mappedBy = "realm")
    Collection<AuthenticatorConfigEntity> authenticators = new LinkedList<>();

@ -640,17 +637,6 @@ public class RealmEntity {
        this.defaultLocale = defaultLocale;
    }

-    public Collection<IdentityProviderMapperEntity> getIdentityProviderMappers() {
-        if (identityProviderMappers == null) {
-            identityProviderMappers = new LinkedList<>();
-        }
-        return identityProviderMappers;
-    }
-
-    public void setIdentityProviderMappers(Collection<IdentityProviderMapperEntity> identityProviderMappers) {
-        this.identityProviderMappers = identityProviderMappers;
-    }
-
    public Collection<AuthenticatorConfigEntity> getAuthenticatorConfigs() {
        if (authenticators == null) {
            authenticators = new LinkedList<>();
--- a/model/storage-private/src/main/java/org/keycloak/storage/datastore/DefaultExportImportManager.java
+++ b/model/storage-private/src/main/java/org/keycloak/storage/datastore/DefaultExportImportManager.java
@ -337,7 +337,7 @@ public class DefaultExportImportManager implements ExportImportManager {
        }

        importIdentityProviders(rep, newRealm, session);
-        importIdentityProviderMappers(rep, newRealm);
+        importIdentityProviderMappers(rep, session);

        Map<String, ClientScopeModel> clientScopes = new HashMap<>();
        if (rep.getClientScopes() != null) {
@ -561,10 +561,10 @@ public class DefaultExportImportManager implements ExportImportManager {
        }
    }

-    private static void importIdentityProviderMappers(RealmRepresentation rep, RealmModel newRealm) {
+    private static void importIdentityProviderMappers(RealmRepresentation rep, KeycloakSession session) {
        if (rep.getIdentityProviderMappers() != null) {
            for (IdentityProviderMapperRepresentation representation : rep.getIdentityProviderMappers()) {
-                newRealm.addIdentityProviderMapper(RepresentationToModel.toModel(representation));
+                session.identityProviders().createMapper(RepresentationToModel.toModel(representation));
            }
        }
    }
--- a/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/AbstractConfigPropertySynchronizer.java
+++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/AbstractConfigPropertySynchronizer.java
@ -64,7 +64,7 @@ public abstract class AbstractConfigPropertySynchronizer<T extends ProviderEvent
                    "Reference of type '%s' changed from '%s' to '%s' in realm '%s'. Adjusting the reference from mapper '%s' of IDP '%s'.",
                    configPropertyName, configuredValue, newConfiguredValue, realm.getName(), idpMapper.getName(),
                    idpMapper.getIdentityProviderAlias());
-            realm.updateIdentityProviderMapper(idpMapper);
+            getKeycloakSession(event).identityProviders().updateMapper(idpMapper);
        }
    }

--- a/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/ConfigSyncEventListener.java
+++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/ConfigSyncEventListener.java
@ -51,12 +51,7 @@ public final class ConfigSyncEventListener implements ProviderEventListener {
                LOG.debugf("Synchronizer %s matches event: %s", configSynchronizer, event);

                if (realmMappers == null) {
-                    /*
-                     * an event always refers to just one realm, so we can use an arbitrary synchronizer to extract the
-                     * realm
-                     */
-                    RealmModel realm = configSynchronizer.extractRealm(event);
-                    realmMappers = realm.getIdentityProviderMappersStream()
+                    realmMappers = configSynchronizer.getKeycloakSession(event).identityProviders().getMappersStream()
                            .collect(Collectors.toList());
                }

--- a/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/ConfigSynchronizer.java
+++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/ConfigSynchronizer.java
@ -18,6 +18,7 @@
 package org.keycloak.broker.provider.mappersync;

 import org.keycloak.models.IdentityProviderMapperModel;
+import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.provider.ProviderEvent;

@ -31,5 +32,7 @@ public interface ConfigSynchronizer<T extends ProviderEvent> {

    RealmModel extractRealm(T event);

+    KeycloakSession getKeycloakSession(T event);
+
    void handleEvent(T event, IdentityProviderMapperModel idpMapper);
 }
--- a/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/GroupConfigPropertyByPathSynchronizer.java
+++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/GroupConfigPropertyByPathSynchronizer.java
@ -19,6 +19,7 @@ package org.keycloak.broker.provider.mappersync;

 import org.keycloak.broker.provider.ConfigConstants;
 import org.keycloak.models.GroupModel;
+import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.utils.KeycloakModelUtils;

@ -49,6 +50,11 @@ public class GroupConfigPropertyByPathSynchronizer extends AbstractConfigPropert
        return event.getRealm();
    }

+    @Override
+    public KeycloakSession getKeycloakSession(GroupModel.GroupPathChangeEvent event) {
+        return event.getKeycloakSession();
+    }
+
    @Override
    public String getConfigPropertyName() {
        return ConfigConstants.GROUP;
--- a/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/RoleConfigPropertyByClientIdSynchronizer.java
+++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/RoleConfigPropertyByClientIdSynchronizer.java
@ -19,6 +19,7 @@ package org.keycloak.broker.provider.mappersync;

 import org.keycloak.broker.provider.ConfigConstants;
 import org.keycloak.models.ClientModel;
+import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.utils.KeycloakModelUtils;

@ -49,6 +50,11 @@ public class RoleConfigPropertyByClientIdSynchronizer
        return event.getUpdatedClient().getRealm();
    }

+    @Override
+    public KeycloakSession getKeycloakSession(ClientModel.ClientIdChangeEvent event) {
+        return event.getKeycloakSession();
+    }
+
    @Override
    public String getConfigPropertyName() {
        return ConfigConstants.ROLE;
--- a/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/RoleConfigPropertyByRoleNameSynchronizer.java
+++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync/RoleConfigPropertyByRoleNameSynchronizer.java
@ -18,6 +18,7 @@
 package org.keycloak.broker.provider.mappersync;

 import org.keycloak.broker.provider.ConfigConstants;
+import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
@ -49,6 +50,11 @@ public class RoleConfigPropertyByRoleNameSynchronizer
        return event.getRealm();
    }

+    @Override
+    public KeycloakSession getKeycloakSession(RoleModel.RoleNameChangeEvent event) {
+        return event.getKeycloakSession();
+    }
+
    @Override
    public String getConfigPropertyName() {
        return ConfigConstants.ROLE;
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
@ -517,7 +517,7 @@ public class ModelToRepresentation {
            List<IdentityProviderRepresentation> identityProviders = session.identityProviders().getAllStream()
                    .map(provider -> toRepresentation(realm, provider, export)).collect(Collectors.toList());
            rep.setIdentityProviders(identityProviders);
-            List<IdentityProviderMapperRepresentation> identityProviderMappers = realm.getIdentityProviderMappersStream()
+            List<IdentityProviderMapperRepresentation> identityProviderMappers = session.identityProviders().getMappersStream()
                    .map(ModelToRepresentation::toRepresentation).collect(Collectors.toList());
            rep.setIdentityProviderMappers(identityProviderMappers);
        }
--- a/server-spi/src/main/java/org/keycloak/models/IDPProvider.java
+++ b/server-spi/src/main/java/org/keycloak/models/IDPProvider.java
@ -245,4 +245,62 @@ public interface IDPProvider extends Provider {
                    .and(Stream.of(values()).map(LoginFilter::getFilter).reduce(Predicate::and).get());
        }
    }
+
+    /**
+     * Creates a new identity provider mapper from the specified model.
+     *
+     * @param model a {@link IdentityProviderMapperModel} containing the identity provider mapper's data.
+     * @return the model of the created identity provider mapper.
+     */
+    IdentityProviderMapperModel createMapper(IdentityProviderMapperModel model);
+
+    /**
+     * Updates the identity provider mapper using the specified model.
+     *
+     * @param model a {@link IdentityProviderMapperModel} containing the identity provider mapper's data.
+     */
+    void updateMapper(IdentityProviderMapperModel model);
+
+    /**
+     * Removes the given identity provider mapper.
+     *
+     * @param model a {@link IdentityProviderMapperModel} to be deleted.
+     * @return {@code true} if an identity provider mapper was removed; {@code false} otherwise.
+     */
+    boolean removeMapper(IdentityProviderMapperModel model);
+
+    /**
+     * Removes all identity provider mappers from the realm.
+     */
+    void removeAllMappers();
+
+    /**
+     * Obtains the identity provider mapper with the specified id.
+     *
+     * @param id the identity provider mapper's id.
+     * @return a reference to the identity provider mapper, or {@code null} if no mapper is found.
+     */
+    IdentityProviderMapperModel getMapperById(String id);
+
+    /**
+     * Obtains the identity provider mapper with the provided identity provider alias and name.
+     *
+     * @param identityProviderAlias the identity provider alias.
+     * @param name the identity provider mapper's name.
+     * @return a reference to the identity provider mapper, or {@code null} if no provider is found.
+     */
+    IdentityProviderMapperModel getMapperByName(String identityProviderAlias, String name);
+
+    /**
+     * Returns all identity provider mappers as a stream.
+     * @return Stream of {@link IdentityProviderMapperModel}. Never returns {@code null}.
+     */
+    Stream<IdentityProviderMapperModel> getMappersStream();
+
+    /**
+     * Returns identity provider mappers by the provided alias as a stream.
+     * @param identityProviderAlias {@code String} Identity provider alias to filter results.
+     * @return Stream of {@link IdentityProviderMapperModel} Never returns {@code null}.
+     */
+    Stream<IdentityProviderMapperModel> getMappersByAliasStream(String identityProviderAlias);
 }
--- a/server-spi/src/main/java/org/keycloak/models/RealmModel.java
+++ b/server-spi/src/main/java/org/keycloak/models/RealmModel.java
@ -475,20 +475,48 @@ public interface RealmModel extends RoleContainerModel {
    /**
     * Returns identity provider mappers as a stream.
     * @return Stream of {@link IdentityProviderMapperModel}. Never returns {@code null}.
+     * @deprecated Use {@link IDPProvider#getMappersStream()} instead.
     */
+    @Deprecated
    Stream<IdentityProviderMapperModel> getIdentityProviderMappersStream();

    /**
     * Returns identity provider mappers by the provided alias as a stream.
     * @param brokerAlias {@code String} Broker's alias to filter results.
     * @return Stream of {@link IdentityProviderMapperModel} Never returns {@code null}.
+     * @deprecated Use {@link IDPProvider#getMappersByAliasStream(String)} instead.
     */
+    @Deprecated
    Stream<IdentityProviderMapperModel> getIdentityProviderMappersByAliasStream(String brokerAlias);

+    /**
+     * @deprecated Use {@link IDPProvider#createMapper(IdentityProviderMapperModel)} instead.
+     */
+    @Deprecated
    IdentityProviderMapperModel addIdentityProviderMapper(IdentityProviderMapperModel model);
+
+    /**
+     * @deprecated Use {@link IDPProvider#removeMapper(IdentityProviderMapperModel)} instead.
+     */
+    @Deprecated
    void removeIdentityProviderMapper(IdentityProviderMapperModel mapping);
+
+    /**
+     * @deprecated Use {@link IDPProvider#updateMapper(IdentityProviderMapperModel)} instead.
+     */
+    @Deprecated
    void updateIdentityProviderMapper(IdentityProviderMapperModel mapping);
+
+    /**
+     * @deprecated Use {@link IDPProvider#getMapperById(String)} instead.
+     */
+    @Deprecated
    IdentityProviderMapperModel getIdentityProviderMapperById(String id);
+
+    /**
+     * @deprecated Use {@link IDPProvider#getMapperByName(String, String)} instead.
+     */
+    @Deprecated
    IdentityProviderMapperModel getIdentityProviderMapperByName(String brokerAlias, String name);


--- a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
@ -436,11 +436,11 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP

            // Create the AttributeConsumingService if at least one attribute importer mapper exists
            List<Entry<IdentityProviderMapperModel, SamlMetadataDescriptorUpdater>> metadataAttrProviders = new ArrayList<>();
-            realm.getIdentityProviderMappersByAliasStream(getConfig().getAlias())
+            session.identityProviders().getMappersByAliasStream(getConfig().getAlias())
                .forEach(mapper -> {
                    IdentityProviderMapper target = (IdentityProviderMapper) session.getKeycloakSessionFactory().getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
-                    if (target instanceof SamlMetadataDescriptorUpdater)
-                        metadataAttrProviders.add(new java.util.AbstractMap.SimpleEntry<>(mapper, (SamlMetadataDescriptorUpdater)target));
+                    if (target instanceof SamlMetadataDescriptorUpdater samlMetadataDescriptorUpdater)
+                        metadataAttrProviders.add(new java.util.AbstractMap.SimpleEntry<>(mapper, samlMetadataDescriptorUpdater));
                });

            if (!metadataAttrProviders.isEmpty()) {
--- a/services/src/main/java/org/keycloak/partialimport/IdentityProviderMappersPartialImport.java
+++ b/services/src/main/java/org/keycloak/partialimport/IdentityProviderMappersPartialImport.java
@ -46,12 +46,12 @@ public class IdentityProviderMappersPartialImport extends AbstractPartialImport<

    @Override
    public String getModelId(RealmModel realm, KeycloakSession session, IdentityProviderMapperRepresentation idpMapperRep) {
-        return realm.getIdentityProviderMapperByName(idpMapperRep.getIdentityProviderAlias(), idpMapperRep.getName()).getId();
+        return session.identityProviders().getMapperByName(idpMapperRep.getIdentityProviderAlias(), idpMapperRep.getName()).getId();
    }

    @Override
    public boolean exists(RealmModel realm, KeycloakSession session, IdentityProviderMapperRepresentation idpMapperRep) {
-        return realm.getIdentityProviderMapperByName(idpMapperRep.getIdentityProviderAlias(), idpMapperRep.getName()) != null;
+        return session.identityProviders().getMapperByName(idpMapperRep.getIdentityProviderAlias(), idpMapperRep.getName()) != null;
    }

    @Override
@ -66,19 +66,20 @@ public class IdentityProviderMappersPartialImport extends AbstractPartialImport<

    @Override
    public void remove(RealmModel realm, KeycloakSession session, IdentityProviderMapperRepresentation idpMapperRep) {
-        IdentityProviderMapperModel idpMapper = RepresentationToModel.toModel(idpMapperRep);
-        realm.removeIdentityProviderMapper(idpMapper);
+        IdentityProviderMapperModel idpMapper = session.identityProviders().getMapperByName(idpMapperRep.getIdentityProviderAlias(), idpMapperRep.getName());
+        if (idpMapper != null) {
+            session.identityProviders().removeMapper(idpMapper);
+        }
    }

    @Override
    public void create(RealmModel realm, KeycloakSession session, IdentityProviderMapperRepresentation idpMapperRep) {
-        IdentityProviderMapperModel existing = realm.getIdentityProviderMapperByName(idpMapperRep.getIdentityProviderAlias(), idpMapperRep.getName());
-        if(existing != null) {
-            realm.removeIdentityProviderMapper(existing);
+        IdentityProviderMapperModel existing = session.identityProviders().getMapperByName(idpMapperRep.getIdentityProviderAlias(), idpMapperRep.getName());
+        if (existing != null) {
+            session.identityProviders().removeMapper(existing);
        }
-        idpMapperRep.setId(KeycloakModelUtils.generateId());
        IdentityProviderMapperModel idpMapper = RepresentationToModel.toModel(idpMapperRep);
-        realm.addIdentityProviderMapper(idpMapper);
+        session.identityProviders().createMapper(idpMapper);
    }

 }
--- a/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java
@ -574,7 +574,7 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
        String providerId = identityProviderConfig.getAlias();

        context.getIdp().preprocessFederatedIdentity(session, realm, context);
-        Set<IdentityProviderMapperModel> mappers = realm.getIdentityProviderMappersByAliasStream(context.getIdpConfig().getAlias())
+        Set<IdentityProviderMapperModel> mappers = session.identityProviders().getMappersByAliasStream(context.getIdpConfig().getAlias())
                .collect(Collectors.toSet());
        KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
        for (IdentityProviderMapperModel mapper : mappers) {
--- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
+++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@ -543,7 +543,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal

        context.getIdp().preprocessFederatedIdentity(session, realmModel, context);
        KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
-        realmModel.getIdentityProviderMappersByAliasStream(context.getIdpConfig().getAlias()).forEach(mapper -> {
+        session.identityProviders().getMappersByAliasStream(context.getIdpConfig().getAlias()).forEach(mapper -> {
            IdentityProviderMapper target = (IdentityProviderMapper) sessionFactory
                    .getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
            target.preprocessFederatedIdentity(session, realmModel, mapper, context);
@ -729,7 +729,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal

                context.getIdp().importNewUser(session, realmModel, federatedUser, context);
                KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
-                realmModel.getIdentityProviderMappersByAliasStream(providerAlias).forEach(mapper -> {
+                session.identityProviders().getMappersByAliasStream(providerAlias).forEach(mapper -> {
                    IdentityProviderMapper target = (IdentityProviderMapper) sessionFactory
                            .getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
                    target.importNewUser(session, realmModel, federatedUser, mapper, context);
@ -1052,7 +1052,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
        updateToken(context, federatedUser, federatedIdentityModel);
        context.getIdp().updateBrokeredUser(session, realmModel, federatedUser, context);
        KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
-        realmModel.getIdentityProviderMappersByAliasStream(context.getIdpConfig().getAlias()).forEach(mapper -> {
+        session.identityProviders().getMappersByAliasStream(context.getIdpConfig().getAlias()).forEach(mapper -> {
            IdentityProviderMapper target = (IdentityProviderMapper) sessionFactory
                    .getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
            IdentityProviderMapperSyncModeDelegate.delegateUpdateBrokeredUser(session, realmModel, federatedUser, mapper, context, target);
--- a/services/src/main/java/org/keycloak/services/resources/admin/IdentityProviderResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/IdentityProviderResource.java
@ -344,7 +344,7 @@ public class IdentityProviderResource {
            throw new jakarta.ws.rs.NotFoundException();
        }

-        return realm.getIdentityProviderMappersByAliasStream(identityProviderModel.getAlias())
+        return session.identityProviders().getMappersByAliasStream(identityProviderModel.getAlias())
                .map(ModelToRepresentation::toRepresentation);
    }

@ -368,7 +368,8 @@ public class IdentityProviderResource {

        IdentityProviderMapperModel model = RepresentationToModel.toModel(mapper);
        try {
-            model = realm.addIdentityProviderMapper(model);
+//            model = realm.addIdentityProviderMapper(model);
+            model = session.identityProviders().createMapper(model);
        } catch (Exception e) {
            throw ErrorResponse.error("Failed to add mapper '" + model.getName() + "' to identity provider [" + identityProviderModel.getProviderId() + "].", Response.Status.BAD_REQUEST);
        }
@ -399,7 +400,7 @@ public class IdentityProviderResource {
            throw new jakarta.ws.rs.NotFoundException();
        }

-        IdentityProviderMapperModel model = realm.getIdentityProviderMapperById(id);
+        IdentityProviderMapperModel model = session.identityProviders().getMapperById(id);
        if (model == null) throw new NotFoundException("Model not found");
        return ModelToRepresentation.toRepresentation(model);
    }
@ -423,10 +424,10 @@ public class IdentityProviderResource {
            throw new jakarta.ws.rs.NotFoundException();
        }

-        IdentityProviderMapperModel model = realm.getIdentityProviderMapperById(id);
+        IdentityProviderMapperModel model = session.identityProviders().getMapperById(id);
        if (model == null) throw new NotFoundException("Model not found");
        model = RepresentationToModel.toModel(rep);
-        realm.updateIdentityProviderMapper(model);
+        session.identityProviders().updateMapper(model);
        adminEvent.operation(OperationType.UPDATE).resource(ResourceType.IDENTITY_PROVIDER_MAPPER).resourcePath(session.getContext().getUri()).representation(rep).success();

    }
@ -448,9 +449,9 @@ public class IdentityProviderResource {
            throw new jakarta.ws.rs.NotFoundException();
        }

-        IdentityProviderMapperModel model = realm.getIdentityProviderMapperById(id);
+        IdentityProviderMapperModel model = session.identityProviders().getMapperById(id);
        if (model == null) throw new NotFoundException("Model not found");
-        realm.removeIdentityProviderMapper(model);
+        session.identityProviders().removeMapper(model);
        adminEvent.operation(OperationType.DELETE).resource(ResourceType.IDENTITY_PROVIDER_MAPPER).resourcePath(session.getContext().getUri()).success();

    }