<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div><span></span></div><div>Hi Pedro - Please see my comments inline.</div><div id="yui_3_16_0_1_1424351048562_2662"><br></div><div id="yui_3_16_0_1_1424351048562_2663" dir="ltr">Thanks,</div><div id="yui_3_16_0_1_1424351048562_2664" dir="ltr">Raghu<br> </div><div id="yui_3_16_0_1_1424351048562_2446" style="font-family: HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> </div><div id="yui_3_16_0_1_1424351048562_2444" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" dir="ltr"> <hr size="1" id="yui_3_16_0_1_1424351048562_2631"> <font id="yui_3_16_0_1_1424351048562_2447" face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Pedro Igor Silva <psilva@redhat.com><br> <b><span style="font-weight: bold;">To:</span></b> Raghu Prabhala <prabhalar@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> Keycloak-user <keycloak-user@lists.jboss.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, February 19, 2015 6:33 AM<br> <b id="yui_3_16_0_1_1424351048562_2666"><span id="yui_3_16_0_1_1424351048562_2665" style="font-weight: bold;">Subject:</span></b> Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot<br> </font> </div><div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> </div><div class="y_msg_container" id="yui_3_16_0_1_1424351048562_2487" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"><br>----- Original Message -----<br clear="none">> From: 
"Raghu Prabhala" <<a href="mailto:prabhalar@yahoo.com" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>><br clear="none">> To: "Keycloak-user" <<a id="yui_3_16_0_1_1424351048562_2632" href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br clear="none">> Sent: Thursday, February 19, 2015 12:20:00 AM<br clear="none">> Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot<br clear="none">> <br clear="none">> Hi,<br clear="none">> <br clear="none">> I tested out the SAML broker functionality that is listed in the below<br clear="none">> example<br clear="none">> <a id="yui_3_16_0_1_1424351048562_2545" href="https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication" target="_blank" shape="rect">https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication</a><br clear="none">> <br clear="none">> We have a very important use case that is similar to the above except that<br clear="none">> the SAML Identity broker is ADFS and a few issues are preventing me from<br clear="none">> testing it out:<br clear="none">> <br clear="none">> 1) The ADFS IDP requires that I upload the KC SAML broker information (SAML<br clear="none">> metadata) which is not available currently. Perhaps I can generate my own<br clear="none">> metadata using the above example but would prefer KC to provide one that is<br clear="none">> similar to IDP metadata that is listed in the documentation.<br clear="none"><br clear="none">In this case you need a SPSSODescriptor, right ? 
I think we can easily implement an endpoint to retrieve SP metadata for SAML applications.</div><div class="y_msg_container" id="yui_3_16_0_1_1424351048562_2525" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"><br></div><div class="y_msg_container" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;">[RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great. Looking forward to seeing it in the near term.</div><div class="y_msg_container" id="yui_3_16_0_1_1424351048562_2561" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"><br clear="none">> 2) The ADFS IDP metadata has a RoleDescriptor element that is not currently<br clear="none">> being parsed by the KC SAML broker. I logged my issues in the JIRA<br clear="none">> <a id="yui_3_16_0_1_1424351048562_2534" href="https://issues.jboss.org/browse/KEYCLOAK-883" target="_blank" shape="rect">https://issues.jboss.org/browse/KEYCLOAK-883</a><br clear="none"><br clear="none">I've already fixed our parsers. However, the RoleDescriptors you have in that metadata are describing WS-Federation entities that will just be ignored.</div><div class="qtdSeparateBR"><br><br></div><div class="yqt5789462337" id="yqtfd83772" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"><br></div><div class="yqt5789462337" id="yui_3_16_0_1_1424351048562_2619" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" dir="ltr">[RAGHU] - Great. Thanks Pedro. Unfortunately, all the claims are described under RoleDescriptor - so I will have to build something to handle that. 
Any advice on where I should start?<br clear="none"><br clear="none">> 3) The roles and other claims need to be passed back to the client applications<br clear="none">> using OIDC (I am aware that Bill is making some functionality available over<br clear="none">> the next few days and hopefully it will address my requirement)<br clear="none">> <br clear="none">> Any suggestions on how I handle the first two?<br clear="none">> <br clear="none">> Thanks,<br clear="none">> Raghu</div><div class="y_msg_container" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"><br clear="none">> <br clear="none">> <br clear="none">> _______________________________________________<br clear="none">> keycloak-user mailing list<br clear="none">> <a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none">> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div><div class="yqt5789462337" id="yqtfd71637" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"><br clear="none"></div><div class="y_msg_container" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"><br><br></div><div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> </div> </div> </div></body></html>
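An added illustration of the point discussed in the thread (not code from the thread, from Keycloak or from ADFS): a SAML broker consumes the IDPSSODescriptor of the IdP metadata, while ADFS lists its offered claim types under a WS-Federation RoleDescriptor that a SAML-only parser skips. The metadata sample, host names and claim list below are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample modelled on the layout of an ADFS FederationMetadata.xml;
# the host names and the claim list are made up for this example.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">
        <auth:DisplayName>E-Mail Address</auth:DisplayName>
      </auth:ClaimType>
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">
        <auth:DisplayName>Role</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_federation_metadata(xml_text):
    """Return the SAML SSO endpoints a broker needs, plus the WS-Fed claim types
    that live outside the SAML descriptors (a SAML-only parser never sees them)."""
    root = ET.fromstring(xml_text)  # metadata fetched from an IdP is untrusted input: prefer a hardened parser
    result = {"entity_id": root.get("entityID"), "sso": {}, "wsfed_claims": {}}
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        result["sso"][svc.get("Binding")] = svc.get("Location")
    for role in root.findall("md:RoleDescriptor", NS):
        # Only the WS-Federation STS role carries ClaimTypesOffered; skip other role types.
        if not role.get(XSI_TYPE, "").endswith("SecurityTokenServiceType"):
            continue
        for claim in role.findall("fed:ClaimTypesOffered/auth:ClaimType", NS):
            name = claim.findtext("auth:DisplayName", default="", namespaces=NS)
            result["wsfed_claims"][claim.get("Uri")] = name
    return result
```

The `wsfed_claims` map is what the SAML broker never reads; the actual attribute values still arrive in the SAML assertion, so metadata claim types are only a hint for which attribute mappers to configure.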