<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Shibboleth only supports transient name ids? I find that hard to
believe. Remember Keycloak would just look like any other client.
IMO you should go that route.<br>
<br>
Also though, I think you might be able to write a Broker Mapper,
take a look at UsernameTemplateMapper. This SPI is undocumented and
unsupported at the moment, but I hope to change that soon.<br>
<br>
<div class="moz-cite-prefix">On 1/14/2016 6:20 AM, Jérôme Blanchard
wrote:<br>
</div>
<blockquote
cite="mid:CAPNq5vYUHr54whQE0ivje+r-vA15Fmue0AsQcqcEso-_QSQ7dg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>Hi all, <br>
<br>
</div>
According to shibboleth specification, IdP of a
federation usually use transient NameID which makes
Shibboleth impossible to interface with keycloak, even
if we manage the Discovery Service externally in order
to maintain IdP list mapping between federation and
keycloak.<br>
</div>
It's really annoying for me and I'm trying to
investigate a way to solve this problem.<br>
</div>
In my federation, some doc say that if you need to manage
personnal user information in your application, you have
to rely on a dedicated attribute in order to retreive real
user id and not the transient opaque one. In this case, an
attribute called eduPersoneTargetedId exists and can be
use by shibboleth. <br>
</div>
I am trying to patch the saml broker in order to take into
consideration this attribute in a kind of
attributeToNameIdMapper but I have to admit that I'm lost a
bit in the code.<br>
</div>
Do you think this approach is good ?<br>
<br>
</div>
<div>Best regards, Jérôme.<br>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">Le mer. 6 janv. 2016 à 09:31, Jérôme Blanchard
<<a moz-do-not-send="true" href="mailto:jayblanc@gmail.com">jayblanc@gmail.com</a>>
a écrit :<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>Hi Bill, all, <br>
<br>
</div>
In the case of a transient only nameid, would it be
possible to create a dedicated attribute mapper in order
to use for exemple the email attribute as name
identifier ?<br>
<br>
</div>
PS : the urn:mace:shibboleth:1.0:nameIdentifier is in fact
use in SAML v1 for request a nameid that is transient
also... so there is no solution in this way.<br>
<br>
</div>
Best regards, Jérôme.<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">Le mar. 5 janv. 2016 à 16:13, Bill Burke <<a
moz-do-not-send="true" href="mailto:bburke@redhat.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:bburke@redhat.com">bburke@redhat.com</a></a>> a écrit :<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">We won't
be able to support temporary ids (transient) for awhile as
it<br>
requires temporary user creation which requires some
rearchitecting.<br>
<br>
As for "urn:mace:shibboleth:1.0:nameIdentifier" if you
spec it out in a<br>
JIRA and it is simple enough to implement support for, we
may be able to<br>
get it in.<br>
<br>
On 1/5/2016 8:18 AM, Jérôme Blanchard wrote:<br>
> Hi Bill,<br>
><br>
> Thanks for your answer regarding transient and
temporary ids. I<br>
> understand the problem due to keycloak account
creation and binding to<br>
> the IdP.<br>
> Renarter is using Shibboleth ; Is there is any work
on shibboleth<br>
> integration for keycloak ?<br>
> If I look into the idps entities descriptors of
renater, I found that it<br>
> uses also another nameid format based on shibboleth
namesapce :<br>
>
<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat><br>
>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><br>
><br>
> Do you think it is possible to patch the saml idp
provider (or to create<br>
> another one dedicated to shibboleth) in order to
integrate keycloak to<br>
> our identity federation (renater) ?<br>
><br>
> Best whiches for this upcoming year and thanks for
your great work<br>
> around keycloak.<br>
><br>
> Jérôme.<br>
><br>
><br>
> Le mar. 22 déc. 2015 à 21:10, Bill Burke <<a
moz-do-not-send="true" href="mailto:bburke@redhat.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:bburke@redhat.com">bburke@redhat.com</a></a><br>
> <mailto:<a moz-do-not-send="true"
href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>>
a écrit :<br>
><br>
> Our brokering doesn't support temporary user ids
from the "parent" IDP.<br>
> Transient Ids in SAML or temporary ids.<br>
><br>
> On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:<br>
> > Hi,<br>
> ><br>
> > I'm trying to integrate keycloak into a the
french research<br>
> federation<br>
> > of identity (renater) and I'm facing some
problems.<br>
> > Actually, when IdP respond to keycloak i'm
getting the following<br>
> error :<br>
> > PL00084: Writer: Unsupported Attribute<br>
> >
Value:org.keycloak.dom.saml.v2.assertion.NameIDType<br>
> ><br>
> > It seems that this IdP is using transient
NameID policy only and<br>
> using<br>
> > the unspecified field in the idp config in
keycloak generate this<br>
> > exception as a return.<br>
> ><br>
> > Log of the keycloak server is joined.<br>
> ><br>
> > I have no idea of what happening because
when I was using the test<br>
> > federation, everything was working but no
I'm in the production<br>
> > federation, login fails.<br>
> ><br>
> > The renater federation is using Shibolleth
and keycloak is not<br>
> supported<br>
> > by federation moderators so I'm alone in
the dark now...<br>
> ><br>
> > Renater provides an IdP list that I have to
parse and<br>
> synchronized with<br>
> > IdP in keycloak. As a return I provide a
list of all endpoints<br>
> for each<br>
> > keycloak registered IdP to allow federation
IdP to answear<br>
> correctly to<br>
> > the right endpoint. All of this is done by
a small web app deployed<br>
> > aside keycloak and using REST API to
synchronize all the IdP.<br>
> ><br>
> > One of the IdP entity descriptor is joined.
As you can see, only<br>
> > transient nameid policy is supported and if
I configure keycloak<br>
> to use<br>
> > email or persistent, I received a response
saying that the nameid<br>
> is not<br>
> > supported :<br>
> ><br>
> > <samlp:AuthnRequest<br>
>
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"<br>
> >
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"<br>
> ><br>
> AssertionConsumerServiceURL="<a
moz-do-not-send="true"
href="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
rel="noreferrer" target="_blank"><a class="moz-txt-link-freetext" href="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint">https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint</a></a>"<br>
> > Destination="<a moz-do-not-send="true"
href="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
rel="noreferrer" target="_blank">https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO</a>"<br>
> > ForceAuthn="false"
ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"<br>
> > IsPassive="false"
IssueInstant="2015-12-22T16:13:15.987Z"<br>
> >
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"<br>
> > Version="2.0"><saml:Issuer<br>
> ><br>
>
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><a
moz-do-not-send="true"
href="https://demo-auth.ortolang.fr/auth/realms/ortolang"
rel="noreferrer" target="_blank"><a class="moz-txt-link-freetext" href="https://demo-auth.ortolang.fr/auth/realms/ortolang">https://demo-auth.ortolang.fr/auth/realms/ortolang</a></a></saml:Issuer><samlp:NameIDPolicy<br>
> > AllowCreate="true"<br>
> ><br>
>
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></samlp:AuthnRequest><br>
> ><br>
> ><br>
> > <saml2p:Response
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"<br>
> ><br>
> Destination="<a moz-do-not-send="true"
href="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
rel="noreferrer" target="_blank">https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint</a>"<br>
> > ID="_9d03761957aade819b6823c35bbab278"<br>
> >
InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"<br>
> > IssueInstant="2015-12-22T16:13:16.420Z"
Version="2.0"><saml2:Issuer<br>
> >
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"<br>
> ><br>
>
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"><a
moz-do-not-send="true" href="https://janus.cnrs.fr/idp"
rel="noreferrer" target="_blank"><a class="moz-txt-link-freetext" href="https://janus.cnrs.fr/idp">https://janus.cnrs.fr/idp</a></a></saml2:Issuer><saml2p:Status><saml2p:StatusCode<br>
> ><br>
>
Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><saml2p:StatusCode<br>
> ><br>
>
Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></saml2p:StatusCode><saml2p:StatusMessage>Required<br>
> > NameID format not<br>
> >
supported</saml2p:StatusMessage></saml2p:Status></saml2p:Response><br>
> ><br>
> ><br>
> > Any help would be gracefully appreciated.<br>
> ><br>
> > Thanks a lot, Jérôme.<br>
> ><br>
> ><br>
> ><br>
> >
_______________________________________________<br>
> > keycloak-user mailing list<br>
> > <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a>
<mailto:<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a>><br>
> > <a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> ><br>
><br>
> --<br>
> Bill Burke<br>
> JBoss, a division of Red Hat<br>
> <a moz-do-not-send="true"
href="http://bill.burkecentral.com" rel="noreferrer"
target="_blank">http://bill.burkecentral.com</a><br>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a>
<mailto:<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a>><br>
> <a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a moz-do-not-send="true"
href="http://bill.burkecentral.com" rel="noreferrer"
target="_blank">http://bill.burkecentral.com</a><br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
</body>
</html>