Keycloak and nested groups

Hi all,

I successfully installed and set up Keycloak as the new SSO provider via univention-app.

I then quickly noticed that nested groups from the LDAP are not resolved.

group: all < group: all.ch < group: all.ch.basel < user: maxmuster

In the OIDC token you only see the group all.ch.basel:

    'groups' => [
        '/Domain Users',
        '/all.ch.basel'
    ],

Is it possible to get Keycloak to resolve the nested groups correctly?
The memberOf in the user object can only list the direct groups, so it doesn’t help me either.

Greez
AlteSocke

I guess I have to correct myself here.

group: all < group: all.ch < group: all.ch.basel < user: maxmuster

seems to work.

However, we have the following scenario which does not work.

group: access-app1 < group: all < group: all.ch < group: all.ch.basel < user: maxmuster
group: access-app2 < group: all < group: all.ch < group: all.ch.basel < user: maxmuster

Greez
AlteSocke
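An added check, not from the thread or from Keycloak/Univention, that makes the scenario above concrete: it walks a constructed member-of graph mirroring the post (maxmuster is a direct member of all.ch.basel only; access-app1 and access-app2 sit above all) and reports which transitive groups are absent from a token's `groups` claim. MEMBER_OF and TOKEN_GROUPS are constructed sample data, and the claim format (one path per entry, group name as the last path segment) is an assumption based on the claim shown in the first post.

```python
"""Compare the transitive LDAP group memberships of a user with the
`groups` claim of an OIDC token, to spot nested groups that were not resolved."""

from collections import deque

# Constructed member-of graph (child -> parents), mirroring the thread's scenario.
MEMBER_OF = {
    "maxmuster": ["all.ch.basel", "Domain Users"],
    "all.ch.basel": ["all.ch"],
    "all.ch": ["all"],
    "all": ["access-app1", "access-app2"],
}

# Constructed claim as it appeared in the post: only the direct groups are present.
TOKEN_GROUPS = ["/Domain Users", "/all.ch.basel"]


def transitive_groups(subject, member_of):
    """Breadth-first walk over the member-of graph; returns every group the
    subject belongs to directly or through nesting. Cycle-safe via `seen`."""
    seen = set()
    queue = deque(member_of.get(subject, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return seen


def claim_group_names(groups_claim):
    """Assumption: each claim entry is a group path such as '/all.ch.basel';
    the group name is taken as the last path segment."""
    return {entry.rstrip("/").rsplit("/", 1)[-1] for entry in groups_claim}


def missing_from_claim(subject, member_of, groups_claim):
    """Sorted list of groups the subject belongs to (transitively) that the
    token does not carry. Non-empty means an app relying on the claim would
    deny access the directory actually grants."""
    expected = transitive_groups(subject, member_of)
    return sorted(expected - claim_group_names(groups_claim))


if __name__ == "__main__":
    print("missing from claim:", missing_from_claim("maxmuster", MEMBER_OF, TOKEN_GROUPS))
```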

https://forge.univention.org/bugzilla/show_bug.cgi?id=55787
