Hi,
I just wanted to see if anyone had any other ideas about this. Thanks! :)
--
Aaron Echols
On Sun, Apr 21, 2019 at 8:26 PM Aaron Echols <aechols(a)bfcsaz.com> wrote:
Hello All,
I'm working on adding Meraki as an SP to Keycloak 5.0.0. It requires that
Keycloak be set up for IdP-initiated SSO, which I've configured. I have
everything working great, but I'm running into an issue where Keycloak will
not pass through a SAML attribute using mappers.
Per the docs here:
https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboa...
I need to pass a role attribute through that matches what I've set up as
the SAML Administrator Roles in Meraki. I've done that and have roles
set up as IT, Management, etc.
In Active Directory the 'department' attribute is set to the role that is
needed. I've created the federated mapper 'dept' that is mapped to
'department' in AD. Users in Keycloak have that attribute populated
successfully with the correct data.
In the client for Meraki, I've created a mapper named
'https://dashboard.meraki.com/saml/attributes/role' and set it as a
'user property' with a property of 'dept' and a general friendly name, and
then set the 'SAML Attribute Name' to role.
Looking at the SAML login, this never is passed through at all. The only
way I can get it to pass a role value of 'IT' is by creating a 'Hardcoded
Attribute' with an 'Attribute Value' of 'IT' and a mapper name of
'https://dashboard.meraki.com/saml/attributes/role'; it will then log in
successfully to Meraki. There are other groups that will be logging into
Meraki, otherwise I'd just leave it hardcoded. I get below in the SAML
transaction when hardcoding the attribute:
<saml:Attribute
    FriendlyName="Department"
    Name="role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">IT
  </saml:AttributeValue>
</saml:Attribute>
I've never had this issue of passing other attributes through before. Can
anyone let me know if I'm going about this wrong and, if so, what am I
missing? Thanks :)
--
Aaron Echols
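A small checker, added here as an example and not part of the original thread, that parses a decoded SAML assertion and reports whether the "role" attribute Meraki expects is present and carries one of the configured SAML Administrator Roles. The role set and the sample assertion are constructed from the post above; it assumes the SAMLResponse has already been base64-decoded, and it strips the whitespace around the value that line wrapping leaves behind.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR_NAME = "role"
# Roles configured as "SAML Administrator Roles" in Meraki (taken from the post).
MERAKI_ROLES = {"IT", "Management"}

# Constructed sample, modelled on the attribute statement pasted in the post.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="Department" Name="role"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">IT
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute Name: [values]} for every saml:Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    out: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        if name is None:
            continue
        # Strip the newline/indentation that wraps the value in the pasted XML.
        values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        out.setdefault(name, []).extend(values)
    return out


def check_meraki_role(assertion_xml: str) -> tuple[bool, str]:
    """Report whether the role attribute is present and matches a configured Meraki role."""
    attrs = saml_attributes(assertion_xml)
    values = attrs.get(ROLE_ATTR_NAME, [])
    if not values:
        # The symptom from the post: the mapper produced no attribute at all.
        return False, f"no '{ROLE_ATTR_NAME}' attribute; attributes present: {sorted(attrs)}"
    matches = [v for v in values if v in MERAKI_ROLES]
    if not matches:
        return False, f"'{ROLE_ATTR_NAME}' value(s) {values} not in configured roles {sorted(MERAKI_ROLES)}"
    return True, f"'{ROLE_ATTR_NAME}' attribute present with value(s) {matches}"


if __name__ == "__main__":
    ok, msg = check_meraki_role(SAMPLE_ASSERTION)
    print("OK" if ok else "FAIL", msg)
```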