[keycloak-user] Mapping saml attributes to roles in keycloak

Marek Posolda mposolda at redhat.com
Thu Sep 29 02:34:17 EDT 2016


If you look at the tab "Mappers" when you are in identityProvider in 
the admin console, you can see we have some builtin implementations of 
IdentityProviderMapper, which allow you to map the stuff from the IDP into 
Keycloak. If none of the builtin ones is sufficient for you, you can try to 
create a JIRA or implement your own mapper.

Marek

On 27/09/16 12:16, Manuel Palacio wrote:
>
> Hello,
>
> I have a Java application that talks openid-connect with Keycloak and 
> then Keycloak uses the SAML 2.0 Identity provider to redirect to a 
> 3rd party SAML idp, acting as an identity broker.
>
> So far so good, I can log in to my application with a user existing 
> in the 3rd party idp. Great! But where I am a bit stuck is when I try 
> to map attributes in the SAML response from the idp.
>
> Basically, I would like Keycloak to populate the roles in the access 
> token that my application gets in the web request with the information 
> coming in the SAML attribute. In other words, I want the 3rd party 
> SAML idp to decide what role/s should be assigned to the user.
>
> Is my assumption correct that all I need is the attribute importer 
> mapper in the SAML provider to do this? So far I could not get it to 
> work :( What is the appropriate way to do this?
>
> Thank you!
>
> Manuel Palacio

