<div dir="ltr"><div><div><div><div><div>Hi Bill, <br><br></div><div>Thanks for your answer regarding transient and temporary ids. I understand the problem due to Keycloak account creation and binding to the IdP.<br></div>Renater is using Shibboleth; is there any work on Shibboleth integration for Keycloak?<br></div>If I look into the IdP entity descriptors of Renater, I find that it also uses another NameID format based on the Shibboleth namespace:<br><md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
<br><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<br></div>Do you think it is possible to patch the SAML IdP provider (or to create another one dedicated to Shibboleth) in order to integrate Keycloak into our identity federation (Renater)?<br><br></div>Best wishes for this upcoming year and thanks for your great work around Keycloak.<br><br></div>Jérôme.<br><div><div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 22 Dec 2015 at 21:10, Bill Burke <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Our brokering doesn't support temporary user ids from the "parent" IDP.<br>
Transient Ids in SAML or temporary ids.<br>
<br>
On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:<br>
> Hi,<br>
><br>
> I'm trying to integrate keycloak into the French research identity<br>
> federation (renater) and I'm facing some problems.<br>
> Actually, when the IdP responds to keycloak I'm getting the following error:<br>
> PL00084: Writer: Unsupported Attribute<br>
> Value:org.keycloak.dom.saml.v2.assertion.NameIDType<br>
><br>
> It seems that this IdP is using the transient NameID policy only, and using<br>
> the unspecified field in the IdP config in keycloak generates this<br>
> exception as a return.<br>
><br>
> Log of the keycloak server is joined.<br>
><br>
> I have no idea what is happening, because when I was using the test<br>
> federation everything was working, but now that I'm in the production<br>
> federation, login fails.<br>
><br>
> The renater federation is using Shibboleth and keycloak is not supported<br>
> by federation moderators so I'm alone in the dark now...<br>
><br>
> Renater provides an IdP list that I have to parse and synchronize with<br>
> the IdPs in keycloak. In return I provide a list of all endpoints for each<br>
> keycloak-registered IdP to allow the federation IdPs to answer correctly to<br>
> the right endpoint. All of this is done by a small web app deployed<br>
> alongside keycloak and using the REST API to synchronize all the IdPs.<br>
><br>
> One of the IdP entity descriptors is attached. As you can see, only the<br>
> transient nameid policy is supported, and if I configure keycloak to use<br>
> email or persistent, I receive a response saying that the nameid is not<br>
> supported:<br>
><br>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"<br>
> xmlns="urn:oasis:names:tc:SAML:2.0:assertion"<br>
> AssertionConsumerServiceURL="<a href="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" rel="noreferrer" target="_blank">https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint</a>"<br>
> Destination="<a href="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO" rel="noreferrer" target="_blank">https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO</a>"<br>
> ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"<br>
> IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"<br>
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"<br>
> Version="2.0"><saml:Issuer<br>
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><a href="https://demo-auth.ortolang.fr/auth/realms/ortolang" rel="noreferrer" target="_blank">https://demo-auth.ortolang.fr/auth/realms/ortolang</a></saml:Issuer><samlp:NameIDPolicy<br>
> AllowCreate="true"<br>
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></samlp:AuthnRequest><br>
><br>
><br>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"<br>
> Destination="<a href="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" rel="noreferrer" target="_blank">https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint</a>"<br>
> ID="_9d03761957aade819b6823c35bbab278"<br>
> InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"<br>
> IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0"><saml2:Issuer<br>
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"<br>
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"><a href="https://janus.cnrs.fr/idp" rel="noreferrer" target="_blank">https://janus.cnrs.fr/idp</a></saml2:Issuer><saml2p:Status><saml2p:StatusCode<br>
> Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><saml2p:StatusCode<br>
> Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></saml2p:StatusCode><saml2p:StatusMessage>Required<br>
> NameID format not<br>
> supported</saml2p:StatusMessage></saml2p:Status></saml2p:Response><br>
><br>
><br>
> Any help would be greatly appreciated.<br>
><br>
> Thanks a lot, Jérôme.<br>
><br>
><br>
><br>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
</blockquote></div>
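As an added example, not part of this thread and not Keycloak's own code: the two checks the exchange above turns on, reading the NameIDFormat list an IdP advertises in its entity descriptor before choosing a NameIDPolicy for it, and parsing the nested StatusCode in the IdP's Response so an InvalidNameIDPolicy refusal is recognised for what it is. The metadata and Response below are constructed samples shaped like the ones quoted in the thread; entity IDs and request IDs are placeholders, and the treatment of an `unspecified` policy as "let the IdP choose" is an assumption stated in the code.

```python
"""Added example (not Keycloak code): check an IdP's advertised NameID formats
against the NameIDPolicy a broker is about to request, and read the status
of a SAML 2.0 Response so an InvalidNameIDPolicy failure is recognised
before it surfaces as an opaque error.  Sample XML below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NameID formats a broker such as Keycloak lets an admin pick for an IdP.
FORMAT_URIS = {
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed IdP metadata modelled on the Shibboleth descriptor quoted in
# the thread: a Shibboleth 1.0 identifier plus SAML 2.0 transient only.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed failure Response with the same nested status the IdP returned
# in the thread when an emailAddress NameIDPolicy was requested.
SAMPLE_FAILURE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response-id" InResponseTo="ID_constructed-request-id"
    IssueInstant="2015-12-22T16:13:16Z" Version="2.0">
  <saml2:Issuer>https://idp.example.org/idp</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>"""


def supported_nameid_formats(metadata_xml):
    """Return the NameIDFormat URIs an IdP advertises in its IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:IDPSSODescriptor/md:NameIDFormat"
    return [e.text.strip() for e in root.iterfind(path, NS) if e.text]


def policy_is_supported(metadata_xml, policy):
    """True if requesting NameIDPolicy `policy` should not be refused.

    `unspecified` leaves the choice to the IdP, so it is not checked against
    the advertised list (assumption: the IdP honours that convention).  An
    IdP that advertises no formats is treated as accepting any request."""
    if policy == "unspecified":
        return True
    formats = supported_nameid_formats(metadata_xml)
    return not formats or FORMAT_URIS[policy] in formats


def response_status(response_xml):
    """Return (top-level code, nested code or None, message or None)."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    top = status.find("samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS)
    msg = status.find("samlp:StatusMessage", NS)
    return (top.get("Value"),
            sub.get("Value") if sub is not None else None,
            msg.text if msg is not None else None)


def diagnose(metadata_xml, policy, response_xml, expected_request_id):
    """Explain a failed login: ties the Response back to our own AuthnRequest
    and names a NameIDPolicy mismatch when the metadata already predicted it."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        return "response does not answer our AuthnRequest (InResponseTo mismatch)"
    top, sub, msg = response_status(response_xml)
    if top == STATUS_SUCCESS:
        return "success"
    if sub == STATUS_INVALID_NAMEID_POLICY and not policy_is_supported(metadata_xml, policy):
        return ("IdP refused NameIDPolicy %r (%s); metadata only advertises: %s"
                % (policy, msg, ", ".join(supported_nameid_formats(metadata_xml))))
    return "IdP error %s / %s: %s" % (top, sub, msg)


if __name__ == "__main__":
    print(diagnose(SAMPLE_METADATA, "email", SAMPLE_FAILURE_RESPONSE,
                   "ID_constructed-request-id"))
```

Run against the sample data it reports that the `email` policy was refused and lists the two formats the descriptor actually advertises; the same `supported_nameid_formats` call is the piece a metadata-sync app could run before writing each IdP's NameID policy into the broker, so a mismatch is caught at sync time rather than at the first login.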