As an OIDC administrator I can map IdP claims to Passbolt roles so that user permissions are automatically assigned and managed centrally

Q1. What is the problem that you are trying to solve?
When using OIDC authentication (e.g. via Keycloak), user authentication works but role and group mapping is not supported, unlike with LDAP or Active Directory integrations. This creates an inconsistency where identity is centralized but authorization is not.

As a result, administrators must manually manage roles inside Passbolt or maintain a parallel LDAP/AD integration solely for role mapping.

The problem would be solved if roles and/or groups from the OIDC provider could be automatically mapped to Passbolt roles, enabling full identity and access lifecycle automation.

Q2. Who is impacted?
Organizations using OIDC-based identity providers (e.g. Keycloak, Okta, Auth0, Azure AD with OIDC).

  • DevOps / security teams aiming for centralized IAM
  • Any company adopting SSO without LDAP/AD
  • Potentially a large portion of Enterprise Edition users

Q3. Why is it important and/or urgent?

  • OIDC is a modern standard for authentication
  • Lack of role mapping prevents full automation of user provisioning
  • Manual role assignment is error-prone
  • Could block EE adoption for organizations without LDAP

Strategically, it aligns with centralized identity + authorization best practices.

Q4 - What is your proposed solution? (optional)
N/A

Q5. Community support
I am not allowed to create polls.
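To make the request concrete, here is an added illustration (not Passbolt code, and not a proposal from the original poster) of what claim-to-role and group mapping on top of a verified OIDC ID token could look like. The ROLE_MAPPING and GROUP_MAPPING tables, the SAMPLE_CLAIMS token payload and the "passbolt-admin"/"passbolt-user" role names are all hypothetical; the claim shapes (`realm_access.roles` for Keycloak realm roles, a flat `groups` list when a group membership mapper is enabled) are the ones Keycloak emits. The code assumes the token's signature, issuer, audience and expiry have already been checked, since deriving authorization from unverified claims would defeat the purpose, and it defaults to denying provisioning when no mapping matches rather than silently granting a role:

```python
"""Illustrative OIDC claim -> Passbolt role/group mapping (added example, not Passbolt code)."""
from typing import Any, Optional

# Hypothetical mapping configuration (not a Passbolt setting). Keys are dotted
# paths into the decoded, already-verified ID token claims; values map claim
# entries to Passbolt roles. Keycloak only includes realm_access.roles and a
# "groups" claim if the client scope has the corresponding mappers enabled.
ROLE_MAPPING: dict[str, dict[str, str]] = {
    "realm_access.roles": {"passbolt-admin": "admin", "passbolt-user": "user"},
    "groups": {"/secops": "admin", "/staff": "user"},
}
# Hypothetical IdP group -> Passbolt group mapping used for membership sync.
GROUP_MAPPING: dict[str, str] = {"/secops": "Security", "/staff": "Everyone"}

# Passbolt's assignable roles; admin outranks user, so a subject matching both
# buckets ends up as admin.
ROLE_RANK = {"user": 1, "admin": 2}


def get_claim(claims: dict[str, Any], path: str) -> list[str]:
    """Return the claim at a dotted path as a list of strings (empty if absent)."""
    node: Any = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    if isinstance(node, str):
        return [node]
    if isinstance(node, list):
        return [v for v in node if isinstance(v, str)]
    return []


def resolve_role(claims: dict[str, Any], mapping=ROLE_MAPPING) -> Optional[str]:
    """Pick the highest-ranked Passbolt role that any mapped claim value grants.

    Returns None when nothing matches so the caller can refuse to provision
    the account (default deny) instead of handing out an implicit role.
    """
    matched: set[str] = set()
    for path, values in mapping.items():
        for v in get_claim(claims, path):
            if v in values:
                matched.add(values[v])
    if not matched:
        return None
    return max(matched, key=lambda r: ROLE_RANK[r])


def plan_group_sync(claims: dict[str, Any], current_groups, mapping=GROUP_MAPPING):
    """Return (groups_to_add, groups_to_remove) so membership mirrors the IdP.

    Only Passbolt groups that appear in the mapping are ever removed, so
    groups managed locally in Passbolt are left untouched.
    """
    desired = {mapping[g] for g in get_claim(claims, "groups") if g in mapping}
    managed = set(mapping.values())
    current = set(current_groups)
    to_add = desired - current
    to_remove = (current & managed) - desired
    return sorted(to_add), sorted(to_remove)


# Constructed sample of the decoded claims of an already-verified Keycloak ID token.
SAMPLE_CLAIMS: dict[str, Any] = {
    "sub": "e4f2a1c0-0000-4000-8000-000000000001",
    "email": "ada@example.com",
    "realm_access": {"roles": ["offline_access", "passbolt-user"]},
    "groups": ["/staff", "/secops"],
}

if __name__ == "__main__":
    # /secops grants admin, which outranks the user role from realm_access.roles.
    print(resolve_role(SAMPLE_CLAIMS))
    # "Legacy" is not a managed group, so it is neither added nor removed.
    print(plan_group_sync(SAMPLE_CLAIMS, ["Everyone", "Legacy"]))
```

Two points a practitioner would want nailed down before this is wired into provisioning: an admin role must only ever be derived from a claim the IdP actually emits (check the client scope mappers, since a missing claim silently downgrades everyone to the default), and role changes should be reconciled on every login rather than only at first provisioning, or removal of a group at the IdP would never revoke admin rights in Passbolt.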