Keycloak and nested groups

Hi all,

I successfully installed and set up Keycloak as the new SSO provider via univention-app.

I then quickly noticed that nested groups from the LDAP are not resolved.

group: all < group: < group: < user: maxmuster

In the OIDC token you only see the group

          'groups' => [
                        '/Domain Users',

Is it possible to get Keycloak to resolve the nested groups correctly?
The memberOf in the user object can only list the direct groups, so it doesn’t help me either.


I guess I have to correct myself here.

group: all < group: < group: < user: maxmuster

seems to work.

However, we have the following scenario which does not work.

group: access-app1 < group: all < group: < group: < user: maxmuster
group: access-app2 < group: all < group: < group: < user: maxmuster


A question for Univention:

If you use Keycloak as a new SSO provider, but it doesn’t support nested groups, how do you get the builtin group Administrators into Keycloak correctly?

This group has nested groups and failed when opened in keycloak.

TEST-root@vmadfchucs01:~# univention-ldapsearch cn=administrators
# extended LDIF
# LDAPv3
# base <dc=int,dc=tux42,dc=ch> (default) with scope subtree
# filter: cn=administrators
# requesting: ALL

# Administrators, Builtin,
dn: cn=Administrators,cn=Builtin,dc=int,dc=tux42,dc=ch
sambaGroupType: 2
cn: Administrators
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
objectClass: sambaGroupMapping
description: Administrators have complete and unrestricted access to the computer/domain
sambaSID: S-1-5-32-544
gidNumber: 5054
univentionObjectType: groups/group
univentionGroupType: -2147483643
memberUid: Administrator
memberUid: api-user
uniqueMember: uid=administrator,cn=users,dc=int,dc=tux42,dc=ch
uniqueMember: cn=domain admins,cn=groups,dc=int,dc=tux42,dc=ch
uniqueMember: cn=enterprise admins,cn=groups,dc=int,dc=tux42,dc=ch
uniqueMember: uid=api-user,cn=users,ou=internal,dc=int,dc=tux42,dc=ch


Best thanks for the answer
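To make the nesting question concrete, here is an added example (not from the thread, and not Keycloak or Univention code) that reads group entries in the LDIF shape shown above and resolves a user's effective groups transitively, walking from the user up through `uniqueMember` references. The LDIF text and all DNs under `dc=example,dc=test` are constructed sample data modelled on the `access-app1 < all < group < user` scenario, with a deliberate group cycle so the walk has to handle it.

```python
"""Resolve nested (transitive) LDAP group membership from LDIF-style output.

Added example, not part of the forum thread or of Keycloak/Univention code.
The directory below is constructed sample data, not a real directory.
"""
from collections import deque

# Constructed sample, modelled on univention-ldapsearch output: a group's
# uniqueMember is either a user (uid=...,cn=users,...) or another group
# (cn=...,cn=groups,...). team-a and team-b reference each other on purpose.
SAMPLE_LDIF = """\
# constructed sample entries (dc=example,dc=test is a placeholder domain)
dn: cn=access-app1,cn=groups,dc=example,dc=test
objectClass: univentionGroup
uniqueMember: cn=all,cn=groups,dc=example,dc=test

dn: cn=access-app2,cn=groups,dc=example,dc=test
uniqueMember: cn=all,cn=groups,dc=example,dc=test

dn: cn=all,cn=groups,dc=example,dc=test
uniqueMember: cn=team-a,cn=groups,dc=example,dc=test
uniqueMember: cn=team-b,cn=groups,dc=example,dc=test

dn: cn=team-a,cn=groups,dc=example,dc=test
uniqueMember: uid=maxmuster,cn=users,dc=example,dc=test
uniqueMember: cn=team-b,cn=groups,dc=example,dc=test

dn: cn=team-b,cn=groups,dc=example,dc=test
uniqueMember: uid=otheruser,cn=users,dc=example,dc=test
uniqueMember: cn=team-a,cn=groups,dc=example,dc=test

dn: cn=unrelated,cn=groups,dc=example,dc=test
uniqueMember: uid=otheruser,cn=users,dc=example,dc=test
"""


def parse_group_members(ldif_text):
    """Return {group DN: [uniqueMember DNs]} from LDIF text.

    Minimal parser for the example: entries are separated by blank lines,
    '#' lines are comments, and DNs are lower-cased so that comparisons do
    not depend on the case the directory happened to return. Line folding
    (continuation lines starting with a space) is not handled here.
    """
    groups = {}
    current_dn = None
    for raw in ldif_text.splitlines():
        line = raw.strip()
        if not line:
            current_dn = None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "dn":
            current_dn = value
            groups.setdefault(current_dn, [])
        elif key == "uniquemember" and current_dn is not None:
            groups[current_dn].append(value)
    return groups


def build_parent_index(groups):
    """Invert the member lists: member DN -> set of group DNs listing it directly."""
    parents = {}
    for group_dn, members in groups.items():
        for member_dn in members:
            parents.setdefault(member_dn, set()).add(group_dn)
    return parents


def effective_groups(user_dn, groups):
    """Return every group DN the user belongs to, directly or through nesting.

    Breadth-first walk from the user up through parent groups. The visited
    set terminates on group cycles and avoids re-expanding a group reached
    via two paths (access-app1 and access-app2 both contain 'all').
    """
    parents = build_parent_index(groups)
    seen = set()
    queue = deque(parents.get(user_dn.lower(), ()))
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen:
            continue
        seen.add(group_dn)
        queue.extend(parents.get(group_dn, ()))
    return seen


def group_names(dns):
    """Reduce 'cn=foo,cn=groups,...' DNs to the bare cn values, sorted."""
    return sorted(dn.split(",")[0].split("=", 1)[1] for dn in dns)


if __name__ == "__main__":
    groups = parse_group_members(SAMPLE_LDIF)
    user = "uid=maxmuster,cn=users,dc=example,dc=test"
    print(user, "->", group_names(effective_groups(user, groups)))
```

Running it lists `access-app1`, `access-app2`, `all`, `team-a` and `team-b` for `maxmuster` and leaves `unrelated` out, which is the membership an application should see if nested groups are resolved; comparing this against the `groups` claim in a token issued for the same user is a quick way to confirm whether the federation mapper is flattening the hierarchy.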


My problem is that I can’t even get the groups listed.

How did you configure Keycloak so that it shows groups?

I’m very new to UCS and Keycloak.


hi @brix

Create a new mapper in the user federation: 3. Configuration — Keycloak app 22.0.3


Hi @AlteSockenSuppe

Many thanks! It worked! And as usual…RTFM! :smirk:

As I’m used to…hours of trial and error save me from minutes of reading manuals! :wink: :rofl:

Best regards