Skip to Content
Technical Articles
Author's profile photo Phani Kumar Arava

KeyCloak Identity Provision and Authentication for SAP CloudFoundry – Part 2

In continuation of our previous blog post , we will be focusing on adding the attributes which are being used by SAP CloudFoundry. This will be helpful for you to focus on transferring the groups and their access rights into the applications, whether they are a Simple Ui5 App, or a REST/ODATA API or it could be a Fiori Launchpad with a set of UI5 Apps embedded in them

The following are the attributes that get transferred from SAML to your Application.

User Attribute Assertion Attribute
First Name first_name
Last Name last_name
E-Mail mail
Groups Groups

We will have to configure our keycloak instance to pass the same to SAP XSUAA which will transfer the same to our Application(s)

Lets go back to our Clients to the Realm we have created in the previous tutorial and to the client we have created in our previous section.

Please use the mappers tab, to map your SAML attributes.

The mappings are already created as you can see in the screenshot. I will go into detail on two types of attributes.

  • User Property Mapper -> email, firstName, lastName



  • Group Mapper -> groups


Now that SAML Attributes are mapped. Lets see how we can map the groups from KeyCloak -> Roles Assignment in SAP CF.

You can create the User Groups and assign the same to user.

Now mapping this roles in SAP Cloudfoundry..


Backt to my Trust Management and configuring the roles to SAML. User in portal_admin will be assigned the Role Collection of AGX_PORTAL_ADMIN and so on..


In the final post we will be discussing about some more features like enabling social logins like facebook / Google /Twitter for keycloak and impersonate user identities.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo David Sooter
      David Sooter

      Hi Kumar,

      greate post. is there a part 3 comming?





      Author's profile photo Michael Greulich
      Michael Greulich

      Hi Kumar,

      thank you for this great posts.

      I added our keycloak and I created users in our BTP subaccount syncing name and email. Just the Role / Group mapping isn't working as expected. I created mappers and groups in keycloak exactly as you did in your example but the Role Collection isn't assigned.

      Does anyone have an idea what went wrong?

      Thanks and best regards,



      P.S.: I solved my issue. Thank you for this very helpful guide!!