Hi Christian

I've committed a fix for https://issues.apache.org/jira/browse/CXF-4994 which 
allows filtering the groups based on some criteria like 
("Role_%SCOPE_%ROLE%"). SCOPE is mapped based on the AppliesTo (URI) element to 
the STS.
Then, you can provision users/roles with Syncope to an LDAP directory to which 
the CXF STS is connected as well. The issued SAML token contains the following 
role names instead of the original groups:
Admin   (Role_Myapp_Admin)
User   (Role_Myapp_User)

Thanks
Oli
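An added example (not code from this mail, CXF or Syncope) of the group-filtering step described above, written in Python with a constructed AppliesTo-to-scope mapping and constructed LDAP group names. The template is read as Role_%SCOPE%_%ROLE%, which the sample groups Role_Myapp_Admin / Role_Myapp_User imply; an unknown AppliesTo yields no roles at all rather than every group.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed mapping (assumption, not from the mail) from the AppliesTo URI of
# a token request to the SCOPE string embedded in the group names.
APPLIES_TO_SCOPES: Dict[str, str] = {
    "https://myapp.example.com/": "Myapp",
    "https://mail.example.com/": "Mail",
}

# Group-name template with %SCOPE% and %ROLE% placeholders (the mail's literal
# reads "Role_%SCOPE_%ROLE%"; the sample groups show the form used here).
GROUP_TEMPLATE = "Role_%SCOPE%_%ROLE%"


def scope_for(applies_to: str) -> Optional[str]:
    """Map the AppliesTo URI to a scope; None when the relying party is unknown."""
    return APPLIES_TO_SCOPES.get(applies_to)


def group_regex(template: str, scope: str) -> "re.Pattern[str]":
    """Turn the template into an anchored regex: literal text and the scope are
    matched verbatim, %ROLE% becomes a non-empty capturing group."""
    out = []
    for part in re.split(r"(%SCOPE%|%ROLE%)", template):
        if part == "%SCOPE%":
            out.append(re.escape(scope))
        elif part == "%ROLE%":
            out.append(r"(.+)")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")


def roles_for_token(applies_to: str, groups: Iterable[str]) -> List[str]:
    """Filter the user's LDAP groups down to the role names for one application.

    Groups of other scopes and groups outside the template never reach the
    SAML token; duplicates are collapsed and order of first occurrence kept."""
    scope = scope_for(applies_to)
    if scope is None:
        return []  # unknown relying party: deny by default, issue no roles
    regex = group_regex(GROUP_TEMPLATE, scope)
    roles: List[str] = []
    for group in groups:
        match = regex.match(group)
        if match and match.group(1) not in roles:
            roles.append(match.group(1))
    return roles
```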

________________________________
From: [email protected] [[email protected]] on behalf of Christian 
Schneider [[email protected]]
Sent: 29 April 2013 13:57
To: [email protected]
Subject: Re: Assign roles to a user for a specific application

I also faced this problem before. A common solution is to prefix the roles with 
the application name like: mail_admin, web_admin or similar.

Are there other solutions/best practices to the problem that the roles often 
depend on the application or realm?
Christian


2013/4/29 Oliver Wulff <[email protected]>

Hi there

In our environment each application has its own roles assigned. This means you 
might have the ADMIN role for application A but not for application B. Does 
Syncope already support this functionality? Or might it be supported in the 
future?

To map this to LDAP, global (application/realm independent) roles could be 
defined in the entry "ou=groups" whereas application specific roles are defined 
in the entry "ou=<application id>,ou=groups,...".

What do you think?

Thanks

Oli
