Description
Keycloak should support multiple parent groups on groups and users.
Discussion
No response
Motivation
We are syncing Active Directory users and groups to Keycloak via the LDAP user federation provider in conjunction with a group mapper of type group-ldap-mapper.
Productive AD structures often (mostly?) have structures with groups having multiple parent groups, whereas a Keycloak group may only have a single parent. This causes LDAP sync to fail as long as the Preserve Group Inheritance switch in the group-ldap-mapper configuration is set. Disabling this switch results in losing the whole AD structure within Keycloak.
Thus, it would be extremely helpful if Keycloak could be extended to support multiple parent groups.
Details
First thoughts on the implementation after having had a look at the source code:
- extend the database structure to allow multiple parents on a group by adding an n:m mapping table
- adjust LDAP sync code and unit tests to handle multiple parents
- adjust the API to reflect multiple parents
- adjust the user interface to either show the group structure properly, or at least not to break if a group has multiple parents; a simplification could be to build the tree shown in the UI only based on the first parent of a group and show the other parents as additional information
- migrate existing data to the new group table structure
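As an added illustration of the first bullet (not Keycloak's schema or code, and not part of the issue), the following Python/sqlite3 snippet models groups with an n:m parent mapping table and shows the two things such a change has to get right from a permissions standpoint: a user's effective group set must be the transitive closure over all parents (so inherited roles are not silently dropped for the "second" parent), and parent insertion must reject cycles, which a single-parent tree could never contain. The table names, the `group_parent` mapping table, the sample AD-like group graph and the user membership are all constructed assumptions for this example.

```python
import sqlite3

# Hypothetical schema for illustration only; Keycloak's real tables differ.
SCHEMA = """
CREATE TABLE keycloak_group (
    id   TEXT PRIMARY KEY,
    name TEXT NOT NULL
);
-- n:m mapping: one row per (child, parent) edge instead of a single parent column
CREATE TABLE group_parent (
    group_id  TEXT NOT NULL REFERENCES keycloak_group(id),
    parent_id TEXT NOT NULL REFERENCES keycloak_group(id),
    PRIMARY KEY (group_id, parent_id),
    CHECK (group_id <> parent_id)
);
CREATE TABLE user_group_membership (
    user_id  TEXT NOT NULL,
    group_id TEXT NOT NULL REFERENCES keycloak_group(id),
    PRIMARY KEY (user_id, group_id)
);
"""

# Constructed sample data: "devops" has two parents, as is common in AD.
GROUPS = [("staff", "All Staff"), ("dev", "Developers"),
          ("ops", "Operations"), ("devops", "DevOps")]
EDGES = [("devops", "dev"), ("devops", "ops"), ("dev", "staff"), ("ops", "staff")]
MEMBERS = [("alice", "devops")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO keycloak_group VALUES (?, ?)", GROUPS)
    conn.executemany("INSERT INTO group_parent VALUES (?, ?)", EDGES)
    conn.executemany("INSERT INTO user_group_membership VALUES (?, ?)", MEMBERS)
    return conn


def ancestors(conn: sqlite3.Connection, group_id: str) -> set:
    """All transitive parents of a group. UNION (not UNION ALL) deduplicates
    rows, so the recursion terminates even if a cycle slipped into the data."""
    rows = conn.execute(
        """
        WITH RECURSIVE anc(id) AS (
            SELECT parent_id FROM group_parent WHERE group_id = ?
            UNION
            SELECT gp.parent_id FROM group_parent gp JOIN anc ON gp.group_id = anc.id
        )
        SELECT id FROM anc
        """,
        (group_id,),
    ).fetchall()
    return {r[0] for r in rows}


def effective_groups(conn: sqlite3.Connection, user_id: str) -> set:
    """Direct memberships plus every ancestor reachable through any parent.
    Role evaluation should run over this set, not over a single parent chain."""
    direct = {r[0] for r in conn.execute(
        "SELECT group_id FROM user_group_membership WHERE user_id = ?", (user_id,))}
    result = set(direct)
    for g in direct:
        result |= ancestors(conn, g)
    return result


def would_create_cycle(conn: sqlite3.Connection, group_id: str, parent_id: str) -> bool:
    """Adding parent_id as a parent of group_id creates a cycle when group_id
    already lies among parent_id's ancestors (or the two are the same group)."""
    return group_id == parent_id or group_id in ancestors(conn, parent_id)


def add_parent(conn: sqlite3.Connection, group_id: str, parent_id: str) -> None:
    """Insert a new parent edge, refusing cycles before touching the table."""
    if would_create_cycle(conn, group_id, parent_id):
        raise ValueError(f"adding {parent_id} as parent of {group_id} would create a cycle")
    conn.execute("INSERT INTO group_parent VALUES (?, ?)", (group_id, parent_id))


if __name__ == "__main__":
    db = build_db()
    print("ancestors of devops:", sorted(ancestors(db, "devops")))
    print("effective groups of alice:", sorted(effective_groups(db, "alice")))
    print("staff -> devops would cycle:", would_create_cycle(db, "staff", "devops"))
```

The cycle check matters once the single-parent invariant is gone: with one parent column a group graph is necessarily a tree, but an n:m table can encode arbitrary graphs, and a cycle created by a sync bug or a careless API call would otherwise make inheritance evaluation either loop or grant every group in the cycle each other's roles.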