[keycloak-user] mapping roles received from remote IDP token to keycloak roles during Identity brokering ?

ROMELOT Didier didier.romelot at renault.com
Wed May 20 10:24:03 EDT 2015


I tried a configuration with the saml sales-post sample application configured with a role list mapper on keycloak, and a saml identity provider configured on the keycloak realm.

The SAML response that is sent back to the SP after authentication is the same in both cases:
- when authenticating directly on keycloak
- when authenticating on the saml identity provider

In other words, the role list that is sent back by the saml identity provider is replaced by a new one provided by keycloak.

What's wrong?


-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com]
Sent: Wednesday 20 May 2015 08:24
To: ROMELOT Didier
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] mapping roles received from remote IDP token to keycloak roles during Identity brokering ?

Not much docs, see http://keycloak.github.io/docs/userguide/html/identity-broker.html#d4e1908

It's all configurable through the admin console and should hopefully be self explanatory.


----- Original Message -----
> From: "ROMELOT Didier" <didier.romelot at renault.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, 20 May, 2015 8:13:39 AM
> Subject: RE: [keycloak-user] mapping roles received from remote IDP 
> token to keycloak roles during Identity brokering ?
> 
> Thanks for the answers; is there any documentation or sample that shows
> how to implement that?
> 
> regards
> 
> 
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian at redhat.com]
> Sent: Wednesday 20 May 2015 06:45
> To: ROMELOT Didier
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] mapping roles received from remote IDP
> token to keycloak roles during Identity brokering ?
> 
> 
> 
> ----- Original Message -----
> > From: "ROMELOT Didier" <didier.romelot at renault.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 19 May, 2015 5:16:49 PM
> > Subject: [keycloak-user] mapping roles received from remote IDP 
> > token to keycloak roles during Identity brokering ?
> > 
> > 
> > 
> > Hi, we are trying to implement the following use case using the keycloak
> > identity brokering functionality:
> > 
> > 
> > 
> > - User requests a resource from the Service Provider, then selects a remote
> > IDP (SAML IDP in our case based on PicketLink…) and authenticates on
> > this remote IDP
> > 
> > - Keycloak computes local Authentication / Identity Federation based 
> > on Authentication Response from remote IDP
> > 
> > - During local authentication, Keycloak maps roles contained in the 
> > Authentication response from remote IDP to roles defined in keycloak.
> > 
> > 
> > 
> > Does Keycloak support such a scenario through mappers?
> 
> Yes
> 
> > 
> > 
> > 
> > regards
> > 
> > 
> > -- Disclaimer ------------------------------------
> > Ce message ainsi que les eventuelles pieces jointes constituent une 
> > correspondance privee et confidentielle a l'attention exclusive du 
> > destinataire designe ci-dessus. Si vous n'etes pas le destinataire 
> > du present message ou une personne susceptible de pouvoir le lui 
> > delivrer, il vous est signifie que toute divulgation, distribution 
> > ou copie de cette transmission est strictement interdite. Si vous 
> > avez recu ce message par erreur, nous vous remercions d'en informer 
> > l'expediteur par telephone ou de lui retourner le present message, 
> > puis d'effacer immediatement ce message de votre systeme.
> > 
> > *** This e-mail and any attachments is a confidential correspondence 
> > intended only for use of the individual or entity named above. If 
> > you are not the intended recipient or the agent responsible for 
> > delivering the message to the intended recipient, you are hereby 
> > notified that any disclosure, distribution or copying of this 
> > communication is strictly prohibited. If you have received this 
> > communication in error, please notify the sender by phone or by 
> > replying this message, and then delete this message from your system.
> > 
>

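To make the third step of the use case concrete (mapping the roles carried in the remote IdP's assertion onto roles the broker itself defines), here is an added illustration written for this thread. It is not Keycloak code and does not reproduce Keycloak's mapper implementation; the assertion fragment, the attribute name `Role` and the `ROLE_MAP` table are all constructed for the example. The point it shows is the one Didier's observation touches on: the SP only ever sees roles the broker chose to issue, so the mapping table, not the remote role list, decides what the SP receives, and remote roles with no mapping are dropped rather than passed through.

```python
"""Role-mapping step of an identity-broker flow (constructed illustration,
not Keycloak's own code).

Parses a constructed SAML assertion, collects the values of the remote
IdP's "Role" attribute and translates them into local role names through
an explicit table. Remote roles that are not in the table are never
granted; they are only reported, so the broker cannot be talked into
issuing a role it does not know.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment standing in for the remote IdP's response.
# In a real broker this is read only after the response signature and
# audience/validity conditions have been verified.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>idp-sales</saml:AttributeValue>
      <saml:AttributeValue>idp-admin</saml:AttributeValue>
      <saml:AttributeValue>idp-unknown</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping from remote role names to local realm roles.
ROLE_MAP = {"idp-sales": "sales", "idp-admin": "admin"}


def remote_roles(assertion_xml: str, attribute_name: str = "Role") -> list[str]:
    """Return the values of the named attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def map_roles(remote: list[str], role_map: dict[str, str]) -> tuple[list[str], list[str]]:
    """Return (local roles granted, remote roles that had no mapping)."""
    granted, unmapped = [], []
    for role in remote:
        local = role_map.get(role)
        if local is None:
            unmapped.append(role)
        elif local not in granted:
            granted.append(local)
    return granted, unmapped


def broker_roles(assertion_xml: str) -> list[str]:
    """The roles the broker would place in the assertion it issues to the SP."""
    granted, unmapped = map_roles(remote_roles(assertion_xml), ROLE_MAP)
    for role in unmapped:
        # Report, never grant: an unknown remote role must not reach the SP.
        print(f"ignoring unmapped remote role: {role}")
    return granted


if __name__ == "__main__":
    print("remote roles:", remote_roles(SAMPLE_ASSERTION))
    print("roles issued to SP:", broker_roles(SAMPLE_ASSERTION))
```

Run stand-alone it lists the three remote roles and then the two local roles the broker would issue. The same structure applies whatever the attribute is called; if the remote IdP sends roles under a different attribute name, only `attribute_name` and the table change.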

