Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly

Hi Dimitri, Thanks your response.  Unfortunately, I am not able to configure the IDP when using the app for the customer because the customer is providing the IDP. Which means I can only handle the roles provided in the app itself and not in the server. But I also thought about it. Not an option unfortunately.  -- Cheers Linda -----Original Message----- > From: Dmitry Telegin <dt(a)acutus.pro&gt; Sent: Wednesday, August 08, 2018 3:36 PM > To: Linda Sauder <Linda.Sauder(a)amdocs.com>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly Hello Linda, Seems like you need to configure SAML Attribute to Role mapper for your IdP. Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper. You will need to know how exactly your IdP supplies role information. Normally, there should be an attribute inside SAML assertion that comes with SAML response; the fastest way is to inspect SAML payload via F12 > -> Network in your browser. Use https://www.samltool.com to decode and pretty-print it. Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote: > Hello. > > I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly. > > My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed. > > In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this: > > <?xml version="1.0" encoding="UTF-8"?> > > > > > <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" > > > > >   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > > > > >   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee  > > http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">; > >     <display-name>Application Container</display-name> > >     <welcome-file-list> >         <welcome-file>ApplicationContainer.html</welcome-file> >     </welcome-file-list> > >                 <login-config> >                                  > <auth-method>KEYCLOAK-SAML</auth-method> >                                 <realm-name>keycloak</realm-name> >                 </login-config> > >     <security-constraint> >         <display-name>Application Container Constraint</display-name> >         <web-resource-collection> >             <web-resource-name>All Resources</web-resource-name> >             <url-pattern>/*</url-pattern> >             <http-method>POST</http-method> >             <http-method>GET</http-method> >         </web-resource-collection> > >         <auth-constraint> >             <role-name>hallo</role-name> >         </auth-constraint> >     </security-constraint> > > </web-app> > > My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP. > > Which brings me to the part where I thought I could use some login-module configuration from the standalone-configuration. I tried to configured this one in a file named jboss-web.xml. > > How am I going to achieve to be able to locally handle the role mapping? > > Thanks in advance. > -- > Linda > “Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”. > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user “Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.