[keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly

Linda Sauder Linda.Sauder at amdocs.com
Fri Aug 10 03:34:48 EDT 2018


Hi. 

Another question concerning this topic. I tried the approach that was mentioned in your link. Unfortunately, I am facing issues with the auth-method. 
As far as I know I need to set it to "KEYCLOAK-SAML" to be able to use the keycloak plugins for Wildfly. But in combination with the filter I am never hitting my filter code. 
It always gets directed to the org.keycloak.adapters.saml.undertow.ServletSamlSessionStore which handles the roles itself. 

Any suggestions on how to handle this? 

--
Linda

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Linda Sauder
Sent: Thursday, August 09, 2018 9:09 AM
To: Dmitry Telegin <dt at acutus.pro>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly

That sounds promising. 

I will give it a try. 

Thank you.


-----Original Message-----
From: Dmitry Telegin <dt at acutus.pro>
Sent: Wednesday, August 08, 2018 11:53 PM
To: Linda Sauder <Linda.Sauder at amdocs.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly

Oh, I think I've misled you. No, I mean all of the above should work, but there's a much simpler variant - you can write a servlet filter to manipulate the security context, including roles. See this thread (from 2010, but still topical):
https://coderanch.com/t/466744/java/Set-user-principal-filter

In this example the author manipulates the user principal; you'll need to do the same with roles.

Good luck!
Dmitry
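As an added illustration of the filter approach suggested above (example code written for this thread, not part of any message in it and not Keycloak's own adapter code), the filter below wraps the HttpServletRequest so that isUserInRole() answers "yes" for a local role when the user holds an IdP role that maps to it. The mapping table (IdP "foo" to local "bar", IdP "hallo" to local "user") and the package name are constructed assumptions; the real names come from the SAML assertion.

```java
// Added example for the keycloak-user thread; hypothetical package name.
package com.example.roles;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Remaps role names sent by the IdP to the local role names the application
 * code checks. Register it in web.xml with <filter> and <filter-mapping>
 * (the descriptor in this thread is version 2.5, so @WebFilter annotations
 * would not be scanned). The filter runs after the Keycloak SAML adapter has
 * authenticated the request, so the container-managed security context is
 * already populated and is only read here, never replaced.
 */
public class RoleMappingFilter implements Filter {

    // Constructed sample mapping: IdP role -> local roles the app expects.
    // Keep this table explicit; never derive local roles from untrusted
    // request data, only from roles the adapter already verified.
    private static final Map<String, Set<String>> IDP_TO_LOCAL = new HashMap<>();
    static {
        IDP_TO_LOCAL.put("foo", new HashSet<>(Arrays.asList("bar")));
        IDP_TO_LOCAL.put("hallo", new HashSet<>(Arrays.asList("user")));
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new MappedRolesRequest((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() { }

    /** Request wrapper that answers isUserInRole() for mapped local roles. */
    static final class MappedRolesRequest extends HttpServletRequestWrapper {

        MappedRolesRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public boolean isUserInRole(String localRole) {
            HttpServletRequest original = (HttpServletRequest) getRequest();
            // A role granted directly by the IdP still counts.
            if (original.isUserInRole(localRole)) {
                return true;
            }
            // Otherwise grant the local role if the user holds any IdP role
            // that the table maps onto it.
            for (Map.Entry<String, Set<String>> entry : IDP_TO_LOCAL.entrySet()) {
                if (entry.getValue().contains(localRole) && original.isUserInRole(entry.getKey())) {
                    return true;
                }
            }
            return false;
        }
    }
}
```

One caveat worth keeping in mind: the <auth-constraint> in web.xml is enforced by the container before the filter chain runs, so a declarative constraint must still name a role the IdP actually sends; the remapping above only affects programmatic checks (request.isUserInRole() and frameworks that read it).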

On Wed, 2018-08-08 at 19:22 +0300, Dmitry Telegin wrote:
> So, is this correct that:
> - your customer has the "foo" role configured in their Keycloak;
> - authors of the app expect that the user has the "bar" role;
> - neither your customer wants to create "bar" in Keycloak, nor programmers want to change their code to use "foo", and you're caught in the crossfire?
> 
> Off the top of my head, there can be two solutions:
> 1) modify SAML adapter code and implement role mapping there - 
> shouldn't be too tricky, but from now on you'll have to use modified 
> adapter and update it with every Keycloak release (or maybe commit it 
> to upstream, but I'm not sure it will be accepted);
> 2) deploy intermediary Keycloak, configure brokering between it and 
> customer's one and use the role mapper trick. This could be made 
> transparent for end-users, however will add a couple of redirects to the flow.
> And of course this will mean that you'll have to maintain yet another 
> piece of software.
> 
> Good luck!
> Dmitry
> 
> On Wed, 2018-08-08 at 14:31 +0000, Linda Sauder wrote:
> > Hi Dmitry,
> > 
> > Yes. That is correct.
> > 
> > ---
> > Linda
> > 
> > -----Original Message-----
> > From: Dmitry Telegin <dt at acutus.pro>
> > Sent: Wednesday, August 08, 2018 3:56 PM
> > To: Linda Sauder <Linda.Sauder at amdocs.com>; keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
> > 
> > I see, probably I misunderstood. I thought you were in control of your Keycloak instance, and had external IdP configured there.
> > 
> > So is it correct that your customer runs Keycloak (that you have no control of), and you use it to secure your Wildfly app?
> > 
> > Dmitry
> > 
> > On Wed, 2018-08-08 at 13:40 +0000, Linda Sauder wrote:
> > > Hi Dimitri,
> > > 
> > > Thanks for your response.
> > > 
> > > Unfortunately, I am not able to configure the IDP when using the app for the customer because the customer is providing the IDP. Which means I can only handle the roles provided in the app itself and not in the server.
> > > 
> > > But I also thought about it. Not an option unfortunately.
> > > 
> > > --
> > > Cheers
> > > Linda
> > > 
> > > -----Original Message-----
> > > From: Dmitry Telegin <dt at acutus.pro>
> > > Sent: Wednesday, August 08, 2018 3:36 PM
> > > To: Linda Sauder <Linda.Sauder at amdocs.com>; keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
> > > 
> > > Hello Linda,
> > > 
> > > Seems like you need to configure SAML Attribute to Role mapper for your IdP.
> > > 
> > > Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper.
> > > 
> > > You will need to know how exactly your IdP supplies role information.
> > > Normally, there should be an attribute inside the SAML assertion that comes with the SAML response; the fastest way is to inspect the SAML payload via F12 -> Network in your browser. Use https://www.samltool.com to decode and pretty-print it.
> > > 
> > > Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper.
> > > 
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > > 
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > > 
> > > On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote:
> > > > Hello.
> > > > 
> > > > I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly.
> > > > 
> > > > My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed.
> > > > 
> > > > In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this:
> > > > 
> > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
> > > >   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > >   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
> > > > 
> > > >     <display-name>Application Container</display-name>
> > > > 
> > > >     <welcome-file-list>
> > > >         <welcome-file>ApplicationContainer.html</welcome-file>
> > > >     </welcome-file-list>
> > > > 
> > > >     <login-config>
> > > >         <auth-method>KEYCLOAK-SAML</auth-method>
> > > >         <realm-name>keycloak</realm-name>
> > > >     </login-config>
> > > > 
> > > >     <security-constraint>
> > > >         <display-name>Application Container Constraint</display-name>
> > > >         <web-resource-collection>
> > > >             <web-resource-name>All Resources</web-resource-name>
> > > >             <url-pattern>/*</url-pattern>
> > > >             <http-method>POST</http-method>
> > > >             <http-method>GET</http-method>
> > > >         </web-resource-collection>
> > > > 
> > > >         <auth-constraint>
> > > >             <role-name>hallo</role-name>
> > > >         </auth-constraint>
> > > >     </security-constraint>
> > > > 
> > > > </web-app>
> > > > 
> > > > My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP.
> > > > 
> > > > Which brings me to the part where I thought I could use some login-module configuration from the standalone configuration. I tried to configure this one in a file named jboss-web.xml.
> > > > 
> > > > How am I going to achieve to be able to locally handle the role mapping?
> > > > 
> > > > Thanks in advance.
> > > > --
> > > > Linda
> > > > “Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > 
> > 
> 



