Group claims from Keycloak (SAML)

Managed groups in Keycloak are configured via Mappers.

You may alternatively wish to use Roles instead of Group claims. If so, you can skip the rest of this document. Roles can be defined per User, SAML client, Realm and more, and give an additional layer of abstraction and flexibility that is often useful. Keycloak includes Role claims in the SAML token by default, but this can be limited using role scope mappings.

Refer to the Keycloak documentation for further details.

Kantega SSO treats Role claims the same as Group claims for the purpose of managed groups in the Atlassian application.

Synchronize groups from LDAP into Keycloak

If you’re using LDAP User Federation but can't see any of the LDAP groups in Keycloak, you probably need to add a group-ldap-mapper. Go to User Federation for your realm and select the LDAP provider in question. Create a mapper of type group-ldap-mapper, using the screenshot below as a reference (adjust the group attribute names and object classes as appropriate for your LDAP).

Users should now appear with groups.

Configure the Group mapper

Navigate to the SAML client defined for your Atlassian app, and open the Mappers tab. There may already be existing mappers defined for other user properties.

Now create a Group mapper:


Once Keycloak has been configured to send group claims, run a test. If group claims are detected on the SAML Request, the test page will display this along with options for further configuration.
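To see what the test above is looking for, and how the statement that Role claims are treated the same as Group claims plays out on the wire, the following script inspects a SAML assertion for the attributes a Keycloak Group list mapper and Role list mapper produce. This is an added example, not Kantega SSO or Keycloak code. The sample assertion is constructed, the attribute names `member` and `Role` are assumed mapper defaults that you should match to your own mapper settings, and the function names are hypothetical. It handles both mapper encodings (one attribute with many values versus repeated attributes with the same Name) and the "Full group path" option, which prefixes each group with its parent path.

```python
"""Inspect a SAML assertion for the group and role attributes emitted by
Keycloak's Group list / Role list SAML mappers. Added example; the sample XML,
attribute names and function names are assumptions, not product code."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not captured from a real IdP). It models a Group list
# mapper with "Single Group Attribute" on and "Full group path" on (one "member"
# attribute whose values are /parent/child paths) plus a Role list mapper with
# "Single Role Attribute" off (one "Role" attribute element per role).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://keycloak.example.invalid/realms/demo</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="member">
      <saml:AttributeValue>/engineering/backend</saml:AttributeValue>
      <saml:AttributeValue>/jira-users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>confluence-administrators</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>offline_access</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_values(assertion_xml: str, name: str) -> list[str]:
    """Collect every AttributeValue under Attribute elements named `name`.

    Both encodings are handled: one Attribute with many AttributeValue
    children ("Single ... Attribute" on) and several Attribute elements that
    share a Name (that option off). The assertion is assumed to have passed
    signature validation before reaching this point; this only reads it.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def leaf_name(group: str) -> str:
    """Reduce a "Full group path" value such as /engineering/backend to
    'backend'. Values without a leading slash are returned unchanged."""
    if group.startswith("/"):
        return group.rstrip("/").rsplit("/", 1)[-1]
    return group


def managed_groups(assertion_xml: str, group_attr: str = "member",
                   role_attr: str = "Role", full_path: bool = True) -> list[str]:
    """Return the de-duplicated, ordered group names an SP that treats role
    claims like group claims would manage. Attribute names are assumed
    Keycloak mapper defaults; set them to match your own mappers."""
    groups = attribute_values(assertion_xml, group_attr)
    if full_path:
        groups = [leaf_name(g) for g in groups]
    groups += attribute_values(assertion_xml, role_attr)
    seen, result = set(), []
    for g in groups:
        if g not in seen:
            seen.add(g)
            result.append(g)
    return result


def has_group_claims(assertion_xml: str, group_attr: str = "member",
                     role_attr: str = "Role") -> bool:
    """The question the test page answers: does the assertion carry any
    group or role claim at all?"""
    return bool(attribute_values(assertion_xml, group_attr)
                or attribute_values(assertion_xml, role_attr))


if __name__ == "__main__":
    print("group claims present:", has_group_claims(SAMPLE_ASSERTION))
    print("managed groups:", managed_groups(SAMPLE_ASSERTION))
```

Note that the Keycloak default role `offline_access` in the constructed sample ends up as a managed group alongside the real groups. That is the effect of Keycloak sending role claims by default, and it is the reason to limit role scope mappings on the SAML client when roles are not meant to drive group membership in the Atlassian application.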