[keycloak-user] SAML Broker in Keycloak 1.2 Snapshot

Pedro Igor Silva psilva at redhat.com
Thu Feb 19 06:33:29 EST 2015


----- Original Message -----
> From: "Raghu Prabhala" <prabhalar at yahoo.com>
> To: "Keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Thursday, February 19, 2015 12:20:00 AM
> Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> 
> Hi,
> 
> I tested out the SAML broker functionality that is listed in the below
> example
> https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication
> 
> We have a very important use case that is similar to the above except that
> the SAML Identity broker is ADFS and a few issues are preventing me from
> testing it out:
> 
> 1) The ADFS IDP requires that I upload the KC SAML broker information (SAML
> metadata) which is not available currently. Perhaps I can generate my own
> metadata using the above example but would prefer KC to provide one that is
> similar to IDP metadata that is listed in the documentation.

In this case you need a SPSSODescriptor, right ? I think we can easily implement an endpoint to retrieve SP metadata for SAML applications.

> 2) The ADFS IDP metadata has RoleDescriptor element that is not currently
> being parsed by the KC SAML broker. I logged my issues in the JIRA
> https://issues.jboss.org/browse/KEYCLOAK-883

I've already fixed our parsers. However, the RoleDescriptor you have in that metadata are describing WS-Federation entities that will just be ignored.

> 3) The roles and other claims need to passed back to the client applications
> using OIDC (I am aware that Bill is making some functionality available over
> the next few days and hopefully it will address my requirement)
> 
> Any suggestions on how I handle the first two?
> 
> Thanks,
> Raghu
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


More information about the keycloak-user mailing list