<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 28 June 2016 at 15:28, John Dennis <span dir="ltr"><<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">On 06/28/2016 01:35 AM, Stian Thorgersen wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
AFAIK you have one problem? About not all redirect URI included from the<br>
SAML entity descriptor. Is that what you are referring to or do you have<br>
other problems?<br>
<br>
In either case fix-ups should be performed by the client registration<br>
services, not in the CLI.<br>
<br>
<br>
<br>
* Keycloak has two ways to register a client (client registration<br>
service vs. REST API). The two methods do not produce the same client<br>
configuration (I suspect because they do not share common code in the<br>
server). How are you planning on addressing the discrepancies?<br>
<br>
<br>
The task of the CLI is not to address any discrepancies. It's just<br>
invoking the client reg services. Any discrepancies should be handled by<br>
the client reg services themselves. Have you created JIRAs for these or<br>
can you list them to us?<br>
</blockquote>
<br></span>
I think these are all things previously discussed, but here is a recap:<br>
<br>
* Force POST Binding must be enabled (saml.force.post.binding). This is an example of where the client registration service and the REST API have different behavior. One of them produces a ClientRepresentation with this SAML attribute defaulted to False and the other defaults it to True. I believe the consensus is that this flag needs to be removed because it's inconsistent with the SAML spec. On the client side we need to know if we are talking to a server which implements the flag or not, so far we do not have that check implemented.<br>
<br>
* Adding all the SAML binding endpoints to the list of Redirect URIs. The endpoints are present in the SAML Metadata sent to Keycloak but for some reason they are ignored. A related issue (not specific to client registration) is that significant parts of the SAML metadata are ignored and discarded (among these are the endpoints).<br>
<br>
* Adding the group attribute mapper to the client. A reasonable argument could be made that this is not part of initial client registration but rather a post-registration configuration operation. However, without group information many SAML SPs will not operate correctly because groups are typically used to make authorization access decisions. Therefore we must assure a new client will return group attribute information.</blockquote><div><br></div><div>Can you create JIRAs for these please?<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5"><span style="color:rgb(34,34,34)"> </span><br></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5">
<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
<br>
<br>
* The tool should be smart enough to produce a working client without<br>
manual intervention (i.e. the need to run admin cli commands afterwards<br>
to fix problems). Most admins won't know how to tweak the configuration.<br>
<br>
<br>
Can you list any you are aware of? Same comment as above applies though,<br>
it's the responsibility of the client reg services to handle this, not<br>
the CLI. Otherwise you'd have different behavior if you invoke client<br>
reg services directly rather than through the CLI.<br>
</blockquote>
<br>
<br>
<br>
<br></div></div><span class=""><font color="#888888">
-- <br>
John<br>
</font></span></blockquote></div><br></div></div>