Possible to use keycloak roles instead of groups for SSO auth?

We currently have Nexus hooked up to Keycloak for SSO authentication and it works as long as we assign users to groups with the matching Nexus roles. What we would like to do is instead assign users roles. When I do this and create a SAML mapper to insert the role list into the token instead of the group list, it doesn't map it to the role when I'm authenticated into Nexus and I lose my privileges. Should this be possible? What am I missing? Thanks.

I believe it is possible, but if I remember correctly you have to set up Keycloak in a particular way in order to get it to return the list of roles to Nexus Repository Manager. I think previously I had used a mapper to map the roles into an attribute that SAML returns, but I don't remember the exact details.

Right. It seems like you should simply be able to use a role list mapper instead of the group list mapper in Keycloak, but when I do that my role doesn't get set in Nexus. For reference, I did that in a different app that was expecting groups (basically replaced the group list with the role list) and it took it, but Nexus doesn't seem to like it.

If you look at the user in the Users page, does it show external roles? You might try turning com.sonatype.nexus.saml.internal.SamlRealm logging up to DEBUG in the UI. There should be a log message that lists the attributes we get back from the SAML principal: "Authenticated SAML principal {} with attributes {} and friendly attributes {}". That may make the problem more obvious. It appears to me that our code looks into both the attributes and friendly attributes to find the roles (mapped by the groups attribute name).
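As an added illustration of the lookup described in the reply above (example code, not code from the thread, Keycloak or Nexus), this parses the attributes and friendly attributes out of a constructed SAML assertion and resolves roles by a configured group attribute name, so a mismatch between the name the mapper emits and the name the realm is configured to read shows up as an empty role list. The attribute name "Role" and the role values are assumptions for the sample, not values from the thread.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (not a real capture). The role list mapper is
# assumed to emit its values under the attribute name "Role" with a
# FriendlyName of "roles"; the realm in the scenario is assumed to be
# configured to read an attribute called "groups".
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role" FriendlyName="roles">
      <saml:AttributeValue>nx-admin</saml:AttributeValue>
      <saml:AttributeValue>nx-developer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return ({Name: [values]}, {FriendlyName: [values]}), the two maps a
    "with attributes {} and friendly attributes {}" style log line would show."""
    root = ET.fromstring(assertion_xml)
    attrs, friendly = {}, {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
        if attr.get("FriendlyName"):
            friendly.setdefault(attr.get("FriendlyName"), []).extend(values)
    return attrs, friendly


def resolve_roles(assertion_xml, groups_attribute_name):
    """Look the configured group attribute up by Name, then by FriendlyName.
    An empty result means no external roles will be applied to the user."""
    attrs, friendly = parse_attributes(assertion_xml)
    return attrs.get(groups_attribute_name) or friendly.get(groups_attribute_name) or []


if __name__ == "__main__":
    for name in ("groups", "Role", "roles"):
        print(name, "->", resolve_roles(SAMPLE_ASSERTION, name))
```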