[keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly

Dmitry Telegin dt at acutus.pro
Wed Aug 8 12:22:33 EDT 2018 

So, is this correct that:
- your customer has the "foo" role configured in their Keycloak;
- authors of the app expect that the user have the "bar" role;
- neither your customer wants to create "bar" in Keycloak, nor programmers want to change their code to use "foo", and you're caught in the crossfire?

Off the top of my head, there can be two solutions:
1) modify SAML adapter code and implement role mapping there -
shouldn't be too tricky, but from now on you'll have to use modified
adapter and update it with every Keycloak release (or maybe commit it
to upstream, but I'm not sure it will be accepted);
2) deploy intermediary Keycloak, configure brokering between it and
customer's one and use the role mapper trick. This could be made
transparent for end-users, however will add a couple of redirects to the flow.
And of course this will mean that you'll have to maintain yet another
piece of software.

Good luck!
Dmitry

On Wed, 2018-08-08 at 14:31 +0000, Linda Sauder wrote:
> Hi Dmitry,
> 
> Yes. That is correct.
> 
> ---
> Linda
> 
> -----Original Message-----
> > From: Dmitry Telegin <dt at acutus.pro> Sent: Wednesday, August 08, 2018 3:56 PM
> > To: Linda Sauder <Linda.Sauder at amdocs.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
> 
> I see, probably I misunderstood. I thought you were in control of your Keycloak instance, and had external IdP configured there.
> 
> So is correct that your customer runs Keycloak (that you have no control of), and you use it to secure your Wildfly app?
> 
> Dmitry
> 
> On Wed, 2018-08-08 at 13:40 +0000, Linda Sauder wrote:
> > Hi Dimitri,
> > 
> > Thanks your response. 
> > 
> > Unfortunately, I am not able to configure the IDP when using the app for the customer because the customer is providing the IDP. Which means I can only handle the roles provided in the app itself and not in the server.
> > 
> > But I also thought about it. Not an option unfortunately. 
> > 
> > --
> > Cheers
> > Linda
> > 
> > -----Original Message-----
> > > > > > From: Dmitry Telegin <dt at acutus.pro> > 
> > Sent: Wednesday, August 08, 2018 3:36 PM
> > > > > > To: Linda Sauder <Linda.Sauder at amdocs.com>; keycloak-user at lists.jboss.org
> > 
> > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
> > 
> > Hello Linda,
> > 
> > Seems like you need to configure SAML Attribute to Role mapper for your IdP.
> > 
> > Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper.
> > 
> > You will need to know how exactly your IdP supplies role information.
> > Normally, there should be an attribute inside SAML assertion that comes with SAML response; the fastest way is to inspect SAML payload via F12
> > > > > > -> Network in your browser. Use https://www.samltool.com to decode and pretty-print it.
> > 
> > Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper.
> > 
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> > 
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> > 
> > On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote:
> > > Hello.
> > > 
> > > I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly.
> > > 
> > > My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed.
> > > 
> > > In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this:
> > > 
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > > > > > <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
> > > > > > > > > > > > > >   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > > > > > > > > > > >   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
> > > > 
> > > > http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">;;
> > > 
> > >     <display-name>Application Container</display-name>
> > > 
> > >     <welcome-file-list>
> > >         <welcome-file>ApplicationContainer.html</welcome-file>
> > >     </welcome-file-list>
> > > 
> > >                 <login-config>
> > >                                 
> > > <auth-method>KEYCLOAK-SAML</auth-method>
> > >                                 <realm-name>keycloak</realm-name>
> > >                 </login-config>
> > > 
> > >     <security-constraint>
> > >         <display-name>Application Container Constraint</display-name>
> > >         <web-resource-collection>
> > >             <web-resource-name>All Resources</web-resource-name>
> > >             <url-pattern>/*</url-pattern>
> > >             <http-method>POST</http-method>
> > >             <http-method>GET</http-method>
> > >         </web-resource-collection>
> > > 
> > >         <auth-constraint>
> > >             <role-name>hallo</role-name>
> > >         </auth-constraint>
> > >     </security-constraint>
> > > 
> > > </web-app>
> > > 
> > > My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP.
> > > 
> > > Which brings me to the part where I thought I could use some login-module configuration from the standalone-configuration. I tried to configured this one in a file named jboss-web.xml.
> > > 
> > > How am I going to achieve to be able to locally handle the role mapping?
> > > 
> > > Thanks in advance.
> > > --
> > > Linda
> > > “Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 
> > “Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.
> 
> “Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.

More information about the keycloak-user mailing list