[keycloak-user] IDP Broker (SAML) - add LDAP attributes from ReadOnly LDAP.

Marc Jadoul marc.jadoul at auth-o-matic.com
Tue Jun 20 08:13:45 EDT 2017


Hello,

I am trying to configure RH SSO 7.0 (available as a container in OpenShift
V3.2) to obtain attributes and roles from a read-only LDAP.
Users are authenticated using SAML, but applications need additional
attributes.
The LDAP server has those attributes but does not provide user
authentication, which is provided by Kerberos or SAML.

Kerberos + LDAP is not really an option as it authenticates only a part of
the users of the organization, while SAML + LDAP could work for all.

I found a couple of related issues:
https://issues.jboss.org/browse/KEYCLOAK-4171

But the solutions proposed do not work for me... Maybe because my LDAP does
not allow authentication?

I get this error:
09:13:07,510 WARN  [org.keycloak.events] (default task-320)
type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId=
http://testapp.example.corp/mellon/metadata, userId=null,
ipAddress=10.0.0.20, error=invalid_user_credentials,
identity_provider=hub-i-saml2, auth_method=saml, redirect_uri=
http://testapp.example.corp/mellon/postResponse,
identity_provider_identity=testuser,
code_id=...

Or this one (if on first login I allow user re-authentication), but then I
am prompted for a password, which fails authentication as the LDAP does not
know my password.
09:13:07,510 WARN  [org.keycloak.events] (default task-320)
type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId=
http://testapp.example.corp/mellon/metadata,
userId=fa84a028-e28f-4d06-a72f-aad9c51d88f2,
ipAddress=10.0.0.20, error=invalid_user_credentials,
identity_provider=hub-i-saml2, auth_method=saml, redirect_uri=
http://testapp.example.corp/mellon/postResponse,
identity_provider_identity=testuser,
code_id=...

Is there a solution out of the box for my use case? Adding additional
information about users from an LDAP connection, read-only and without
re-authentication?


Regards,

Marc
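The two WARN events quoted above differ only in the userId field (null in the first, a user id in the second), which is what separates the two failure shapes the post describes. Below is an added example, not code from the post or from Keycloak, that parses org.keycloak.events lines of that format into fields and classifies them on exactly that distinction. The sample lines are constructed by re-joining the post's two wrapped events onto one line each (the code_id stays "..." as in the post); the classification labels are the example's own names, not Keycloak terminology.

```python
"""Parse Keycloak org.keycloak.events WARN lines of the shape quoted in the post."""
import re
from collections import Counter
from typing import Optional

# Constructed sample input: the two IDENTITY_PROVIDER_FIRST_LOGIN_ERROR events
# quoted in the post, each re-joined onto a single line (the mail client wrapped
# them), plus one unrelated line to show that non-event lines are skipped.
SAMPLE_LINES = [
    "09:13:07,510 WARN  [org.keycloak.events] (default task-320) "
    "type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, "
    "clientId=http://testapp.example.corp/mellon/metadata, userId=null, "
    "ipAddress=10.0.0.20, error=invalid_user_credentials, "
    "identity_provider=hub-i-saml2, auth_method=saml, "
    "redirect_uri=http://testapp.example.corp/mellon/postResponse, "
    "identity_provider_identity=testuser, code_id=...",
    "09:13:07,510 WARN  [org.keycloak.events] (default task-320) "
    "type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, "
    "clientId=http://testapp.example.corp/mellon/metadata, "
    "userId=fa84a028-e28f-4d06-a72f-aad9c51d88f2, ipAddress=10.0.0.20, "
    "error=invalid_user_credentials, identity_provider=hub-i-saml2, "
    "auth_method=saml, "
    "redirect_uri=http://testapp.example.corp/mellon/postResponse, "
    "identity_provider_identity=testuser, code_id=...",
    "09:13:08,001 INFO  [org.keycloak.services] (default task-321) started",
]

# Timestamp, level, logger, thread, then the comma-separated key=value body.
HEADER_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[org\.keycloak\.events\]\s+\((?P<thread>[^)]*)\)\s+(?P<body>.*)$"
)


def parse_event(line: str) -> Optional[dict]:
    """Return the key=value fields of one org.keycloak.events line (plus 'time'
    and 'level'), or None for lines that are not Keycloak event lines.
    The literal 'null' becomes None. Values may themselves contain '=' (the
    redirect_uri and clientId are URLs), so each token is split on its first
    '=' only."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {"time": m.group("time"), "level": m.group("level")}
    for token in m.group("body").split(", "):
        key, sep, value = token.partition("=")
        if not sep:
            continue  # stray token without '=', ignore it
        fields[key] = None if value == "null" else value
    return fields


def classify_first_login_error(ev: dict) -> Optional[str]:
    """Tell apart the two event shapes quoted in the post (labels are this
    example's own):
    - userId=null  -> 'first_login_no_user'      (the post's first event)
    - userId set   -> 'first_login_reauth_failed' (the post's second event,
                      where re-authentication was allowed and the password
                      check against LDAP failed)
    Other event types or errors return None."""
    if ev.get("type") != "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR":
        return None
    if ev.get("error") != "invalid_user_credentials":
        return None
    if ev.get("userId") is None:
        return "first_login_no_user"
    return "first_login_reauth_failed"


def summarize(lines) -> Counter:
    """Count classified first-login errors per (identity_provider, class)."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind = classify_first_login_error(ev)
        if kind:
            counts[(ev.get("identity_provider"), kind)] += 1
    return counts


if __name__ == "__main__":
    for (idp, kind), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{idp:12s} {kind:28s} {n}")
```

Pointing summarize() at a real server.log lets you see at a glance whether first-login failures for a given identity provider are all of the userId=null kind (no user record involved) or of the re-authentication kind, which is the first thing to check before touching the first-broker-login flow.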

