8:23 a.m.
testuser has some roles in host B (testrole in this example), I want to put
the roles as a claim in the token so when host A receives the token it maps
the claim to roles in host A
I already did the second part (mapping in host A), but I still can't find
out how to put the roles in a claim.
On 9/29/2015 3:42 PM, Gonzalo L?pez wrote:
> I'm trying to test the Identity broker to achieve cross domain sso, this
> is what I have done:
>
> 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in host A
> 2 - Installed jboss 6.4 eap + keycloak in host B
> 3 - In host A, I added an oidc Identity Provider (importing host B
> openid connect configuration).
> 4 - In host A, I created an application (appa.war) that will try to use
> the broker to authenticate. I added security to the app (only user with
> role "user" will be able to access some parts)
> 5 - In host B, I added 2 oidc clients (the broker from host A and appb,
> appb (appb.war) is a simple application developed to log in using oidc)
> 6 - In host B, I created a role "testrole" inside appb and a user
> "testuser", then I added that role to the user.
>
> I couldn't find out how to map the role "testrole" to a claim that
will
> be sent to the broker once the user has authenticated. Is there a way to
> do that?
>
> After I accomplish that I plan to map that claim to the role appa.user.
>
OIDC and SAML Identity Providers have mappers. Host A broker will
receive the token from Host B. You can map the testrole to whatever
claim you want.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:26 a.m.
New subject: Role to claim mapping
I am confused on what you want to do. Please talk in terms of Keycloak
A, Keycloak B, App C, App D.
On 9/30/2015 9:23 AM, Gonzalo López wrote:
testuser has some roles in host B (testrole in this example), I want
to
put the roles as a claim in the token so when host A receives the token
it maps the claim to roles in host A
I already did the second part (mapping in host A), but I still can't
find out how to put the roles in a claim.
On 9/29/2015 3:42 PM, Gonzalo L?pez wrote:
> I'm trying to test the Identity broker to achieve cross domain
sso, this
> is what I have done:
>
> 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in
host A
> 2 - Installed jboss 6.4 eap + keycloak in host B
> 3 - In host A, I added an oidc Identity Provider (importing host B
> openid connect configuration).
> 4 - In host A, I created an application (appa.war) that will try
to use
> the broker to authenticate. I added security to the app (only
user with
> role "user" will be able to access some parts)
> 5 - In host B, I added 2 oidc clients (the broker from host A and
appb,
> appb (appb.war) is a simple application developed to log in using
oidc)
> 6 - In host B, I created a role "testrole" inside appb and a user
> "testuser", then I added that role to the user.
>
> I couldn't find out how to map the role "testrole" to a claim
that will
> be sent to the broker once the user has authenticated. Is there a
way to
> do that?
>
> After I accomplish that I plan to map that claim to the role
appa.user.
>
OIDC and SAML Identity Providers have mappers. Host A broker will
receive the token from Host B. You can map the testrole to whatever
claim you want.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:33 a.m.
New subject: Role to claim mapping
Keycloak A is the idp using oidc
"testuser" and "testrole" are defined in Keycloak A.
Keycloak B is the broker, it has Keycloak A as identity provider
App B authenticates using the broker, choosing Keycloak A as the provider
I want Keycloak B to receive (from Keycloak A) a calaim saying something
like "roles": "testuser"
2015-09-30 11:26 GMT-03:00 Bill Burke <bburke(a)redhat.com>:
I am confused on what you want to do. Please talk in terms of
Keycloak
A, Keycloak B, App C, App D.
On 9/30/2015 9:23 AM, Gonzalo López wrote:
> testuser has some roles in host B (testrole in this example), I want to
> put the roles as a claim in the token so when host A receives the token
> it maps the claim to roles in host A
>
> I already did the second part (mapping in host A), but I still can't
> find out how to put the roles in a claim.
>
>
>
>
>
>
> On 9/29/2015 3:42 PM, Gonzalo L?pez wrote:
> > I'm trying to test the Identity broker to achieve cross domain
> sso, this
> > is what I have done:
> >
> > 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in
> host A
> > 2 - Installed jboss 6.4 eap + keycloak in host B
> > 3 - In host A, I added an oidc Identity Provider (importing host B
> > openid connect configuration).
> > 4 - In host A, I created an application (appa.war) that will try
> to use
> > the broker to authenticate. I added security to the app (only
> user with
> > role "user" will be able to access some parts)
> > 5 - In host B, I added 2 oidc clients (the broker from host A and
> appb,
> > appb (appb.war) is a simple application developed to log in using
> oidc)
> > 6 - In host B, I created a role "testrole" inside appb and a
user
> > "testuser", then I added that role to the user.
> >
> > I couldn't find out how to map the role "testrole" to a
claim
> that will
> > be sent to the broker once the user has authenticated. Is there a
> way to
> > do that?
> >
> > After I accomplish that I plan to map that claim to the role
> appa.user.
> >
>
> OIDC and SAML Identity Providers have mappers. Host A broker will
> receive the token from Host B. You can map the testrole to whatever
> claim you want.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:45 a.m.
New subject: Role to claim mapping
On 9/30/2015 11:33 AM, Gonzalo López wrote:
Keycloak A is the idp using oidc
"testuser" and "testrole" are defined in Keycloak A.
The client that is registered on Keycloak A for Keycloak B must have the
appropriate scope settings so that the Access token it gets contains the
"testrole" for "testuser".
Then, you can create a Identity Provider mapper in Keycloak B for the
external Keycloak A provider that maps "testrole" to a role in Keycloak
B. Or, you can use the Attribute Importer. You can reference the
testrole via "realm_access.roles.testrole" or
"resource_access.<app>.roles.testrole".
Then, finally, you have to make sure your apps registered on Keycloak B
have the appropriate mappers to pull in the testrole attribute/role into
their specific claim.
Keycloak B is the broker, it has Keycloak A as identity provider
App B authenticates using the broker, choosing Keycloak A as the provider
I want Keycloak B to receive (from Keycloak A) a calaim saying something
like "roles": "testuser"
2015-09-30 11:26 GMT-03:00 Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>>:
I am confused on what you want to do. Please talk in terms of Keycloak
A, Keycloak B, App C, App D.
On 9/30/2015 9:23 AM, Gonzalo López wrote:
> testuser has some roles in host B (testrole in this example), I
want to
> put the roles as a claim in the token so when host A receives the
token
> it maps the claim to roles in host A
>
> I already did the second part (mapping in host A), but I still can't
> find out how to put the roles in a claim.
>
>
>
>
>
>
> On 9/29/2015 3:42 PM, Gonzalo L?pez wrote:
> > I'm trying to test the Identity broker to achieve cross domain
> sso, this
> > is what I have done:
> >
> > 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6
adapter in
> host A
> > 2 - Installed jboss 6.4 eap + keycloak in host B
> > 3 - In host A, I added an oidc Identity Provider
(importing host B
> > openid connect configuration).
> > 4 - In host A, I created an application (appa.war) that
will try
> to use
> > the broker to authenticate. I added security to the app (only
> user with
> > role "user" will be able to access some parts)
> > 5 - In host B, I added 2 oidc clients (the broker from
host A and
> appb,
> > appb (appb.war) is a simple application developed to log
in using
> oidc)
> > 6 - In host B, I created a role "testrole" inside appb and
a user
> > "testuser", then I added that role to the user.
> >
> > I couldn't find out how to map the role "testrole" to a
claim
> that will
> > be sent to the broker once the user has authenticated. Is
there a
> way to
> > do that?
> >
> > After I accomplish that I plan to map that claim to the role
> appa.user.
> >
>
> OIDC and SAML Identity Providers have mappers. Host A broker
will
> receive the token from Host B. You can map the testrole to
whatever
> claim you want.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:48 a.m.
New subject: Role to claim mapping
On 9/30/2015 11:45 AM, Bill Burke wrote:
Or, you can use the Attribute Importer. You can reference the
testrole via "realm_access.roles.testrole" or
"resource_access.<app>.roles.testrole".
Actually, this won't work. You have to map testrole to a role in
Keycloak B.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
12:54 p.m.
New subject: Role to claim mapping
I finally made it work.
The problem I was having was that the provider was not taking the
information from the access token because the provider I created in
Keycloak B was not a "Keycloak OpenID Connect" provider, was just OpenID
Connect, so It didnt try to get the info from the access token cause it
does't have to be a jwt token.
Thank you
2015-09-30 12:48 GMT-03:00 Bill Burke <bburke(a)redhat.com>:
On 9/30/2015 11:45 AM, Bill Burke wrote:
> Or, you can use the Attribute Importer. You can reference the
> testrole via "realm_access.roles.testrole" or
> "resource_access.<app>.roles.testrole".
>
Actually, this won't work. You have to map testrole to a role in
Keycloak B.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3385
days inactive
3392
days old
5 comments
2 participants
participants (2)
-
Bill Burke -
Gonzalo López