In the meantime we made some progress by creating an initial implementation of a custom
mapper for SAML roles that supports our use case.
The mapper extracts a list of role names from a configurable attribute of the SAML
response from the IDP. Roles that do not exist in the current realm are created
automatically. Then the current user is assigned exactly this list of roles.
There are some further configuration options to support a transformation of role names to
a certain degree. So it is possible for instance to specify a regular expression to select
only a subset of the roles from the SAML response, and a template can be provided for
generating role names dynamically.
Is there some interest in this mapper implementation? Do you think it could be useful in
From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org> On
behalf of Heger Oliver (INST-IOT/ESB)
Sent: Friday, 7 June 2019 13:35
Subject: [keycloak-dev] Dynamic SAML roles to user mapper
For an external customer we need to bring together the SAML IDP of the customer as leading
system for user data with our services that are only supporting OIDC.
We think Keycloak could fit very well as some kind of mediator between the customer's
IDP and our OIDC-based services.
The services expect JWTs containing basic user data and also a list with all the roles the
user has. With the mappers available in Keycloak a JWT can be constructed that contains
the desired information. But now it can happen that the roles model is extended in
agreement between the IDP and the client services. As we understand it, in order to
support the newly added roles, they would have to be added manually into Keycloak before
they can be referenced by the existing SAML Attribute to Role mapper.
This manual step we would like to avoid. In our ideal scenario, Keycloak would just be an
infrastructure component handling the SAML to OIDC conversion. With respect to the roles
assigned to users, it should be agnostic and simply copy the information it receives from
the SAML IDP verbatim.
To achieve this we think about implementing a custom mapper that allows dealing with roles
in this way. It would read the roles from a configurable attribute of the SAML response
and assign them to the user affected in the Keycloak data model. If a role was encountered
that did not exist yet, it would be newly created. That way the roles model used by
Keycloak would adapt itself dynamically to the model used by the parties involved, and no
manual updates would be required.
Do you think there is an easier solution for this problem than writing a custom mapper?
If the answer is no, would you be interested in such a mapper implementation?
We would be happy to contribute it. In our opinion this feature would strengthen the
brokering facilities of Keycloak.
Thank you and kind regards
Bosch Software Innovations GmbH | Stuttgarter Straße 130 | 71332 Waiblingen | GERMANY |
Tel. +49 711 811-58473 | Fax +49 711 811-58200 |
Registered office: Berlin, Registry court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber,
Michael Hahn, Dr. Aleksandar Mitrovic
keycloak-dev mailing list
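The following is an added illustration of the mapper behaviour described in both messages above (read a configurable SAML attribute, select values by regular expression, derive role names from a template, create missing realm roles, and assign the user exactly that list). It is not code from the thread or from Keycloak; it is written in Python rather than as a Keycloak Java `IdentityProviderMapper`, and the `Realm`/`User` classes are in-memory stand-ins for Keycloak's `RealmModel`/`UserModel`. The attribute name `memberOf`, the `{0}`/`{1}` template placeholders, the revoke-on-absence behaviour and the sample assertion are all assumptions made for this example.

```python
"""Role-sync logic of a dynamic SAML-attribute-to-roles mapper (added example)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion: one multi-valued attribute carrying group/role names.
# A real mapper would receive the assertion from Keycloak after signature validation.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=app-admin</saml:AttributeValue>
      <saml:AttributeValue>CN=app-reader</saml:AttributeValue>
      <saml:AttributeValue>CN=corp-vpn</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class MapperConfig:
    attribute_name: str          # SAML attribute that carries the role names (assumed)
    role_regex: str = ".*"       # only values fully matching this are used (assumed)
    role_template: str = "{0}"   # str.format template; {0} whole value, {1}.. regex groups (assumed)


@dataclass
class Realm:
    """Stand-in for RealmModel: a flat set of role names."""
    roles: set = field(default_factory=set)

    def get_or_create_role(self, name):
        created = name not in self.roles
        self.roles.add(name)
        return name, created


@dataclass
class User:
    """Stand-in for UserModel: the realm roles granted to this user."""
    roles: set = field(default_factory=set)


def extract_attribute_values(assertion_xml, attribute_name):
    """Return all AttributeValue texts of the named attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values


def derive_role_names(values, config):
    """Apply the regex filter and the naming template; keep order, drop duplicates."""
    pattern = re.compile(config.role_regex)
    names = []
    for value in values:
        match = pattern.fullmatch(value)
        if not match:
            continue
        name = config.role_template.format(match.group(0), *match.groups())
        if name and name not in names:
            names.append(name)
    return names


def sync_user_roles(realm, user, role_names):
    """Make the user's realm roles exactly role_names, creating unknown roles first."""
    created, granted, revoked = [], [], []
    wanted = set(role_names)
    for name in role_names:
        _, was_created = realm.get_or_create_role(name)
        if was_created:
            created.append(name)
        if name not in user.roles:
            user.roles.add(name)
            granted.append(name)
    # Roles the IdP no longer asserts are removed, so revocation at the IdP takes effect.
    for name in sorted(user.roles - wanted):
        user.roles.discard(name)
        revoked.append(name)
    return {"created": created, "granted": granted, "revoked": revoked}


def demo():
    """Run the full pipeline on the constructed assertion and return what changed."""
    config = MapperConfig("memberOf", role_regex=r"CN=app-(.*)", role_template="app_{1}")
    realm = Realm({"app_reader", "legacy"})
    user = User({"app_reader", "legacy"})
    values = extract_attribute_values(SAMPLE_ASSERTION, config.attribute_name)
    names = derive_role_names(values, config)
    changes = sync_user_roles(realm, user, names)
    return names, changes, sorted(user.roles), sorted(realm.roles)


if __name__ == "__main__":
    print(demo())
```

Two points worth settling before such a mapper goes into production: the regex is anchored with `fullmatch`, so a loose pattern such as `.*` would turn every group the IdP sends (here `CN=corp-vpn`) into a realm role; and because the user ends up with exactly the asserted list, an assertion that lacks the attribute entirely (an IdP misconfiguration, for instance) strips the user of all roles on the next login, which may be the desired fail-closed behaviour or may warrant treating a missing attribute as an error.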