From: "Raghu Prabhala" <prabhalar(a)yahoo.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: "Keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Thursday, February 19, 2015 11:25:24 AM
Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
Hi Pedro - Please see my comments inline.
Thanks,
Raghu
From: Pedro Igor Silva <psilva(a)redhat.com>
To: Raghu Prabhala <prabhalar(a)yahoo.com>
Cc: Keycloak-user <keycloak-user(a)lists.jboss.org>
Sent: Thursday, February 19, 2015 6:33 AM
Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
----- Original Message -----
> From: "Raghu Prabhala" <prabhalar(a)yahoo.com>
> To: "Keycloak-user" <keycloak-user(a)lists.jboss.org>
> Sent: Thursday, February 19, 2015 12:20:00 AM
> Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
>
> Hi,
>
> I tested out the SAML broker functionality that is listed in the below
> example
>
> https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-bro...
>
> We have a very important use case that is similar to the above except that
> the SAML Identity broker is ADFS and a few issues are preventing me from
> testing it out:
>
> 1) The ADFS IDP requires that I upload the KC SAML broker information (SAML
> metadata) which is not available currently. Perhaps I can generate my own
> metadata using the above example but would prefer KC to provide one that is
> similar to IDP metadata that is listed in the documentation.
In this case you need an SPSSODescriptor, right? I think we can easily
implement an endpoint to retrieve SP metadata for SAML applications.
[RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great. Looking
forward to seeing it in the near term.
> 2) The ADFS IDP metadata has RoleDescriptor element that is not currently
> being parsed by the KC SAML broker. I logged my issues in the JIRA
>
> https://issues.jboss.org/browse/KEYCLOAK-883
I've already fixed our parsers. However, the RoleDescriptor elements you have in that
metadata describe WS-Federation entities, which will just be ignored.
[RAGHU] - Great. Thanks Pedro. Unfortunately, all the claims are described
under RoleDescriptor, so I will have to build something to handle that.
Any advice on where I should start?
A few questions ...
Can you give more details on why you need to handle that?
Your use case is about brokering the SAML Identity Provider described by an IdP descriptor
in your metadata, right? Or are you trying to broker an STS?
> 3) The roles and other claims need to be passed back to the client
> applications using OIDC (I am aware that Bill is making some functionality
> available over the next few days and hopefully it will address my requirement)
>
> Any suggestions on how I handle the first two?
>
> Thanks,
> Raghu
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
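To illustrate the split Pedro describes, where an ADFS metadata file carries both the SAML 2.0 IDPSSODescriptor that a SAML broker consumes and WS-Federation RoleDescriptor elements under which the claims Raghu needs are listed, here is an added Python example; it is not code from Keycloak or from anyone on this thread. The metadata document it parses, including the hostname, entityID and claim URIs, is constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample shaped like an ADFS FederationMetadata.xml (placeholder
# host and entityID): a WS-Federation RoleDescriptor that carries the claim
# list, plus the SAML 2.0 IDPSSODescriptor that a SAML broker actually uses.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <auth:DisplayName>UPN</auth:DisplayName>
      </auth:ClaimType>
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <auth:DisplayName>Role</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
  </md:RoleDescriptor>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Split SAML-relevant IdP settings from the WS-Federation roles and claims."""
    root = ET.fromstring(xml_text)  # feed untrusted metadata through defusedxml instead
    out = {"entity_id": root.get("entityID"), "sso": {}, "wsfed_roles": [], "claims": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        for sso in idp.findall("md:SingleSignOnService", NS):
            out["sso"][sso.get("Binding")] = sso.get("Location")
    for role in root.findall("md:RoleDescriptor", NS):
        # RoleDescriptor is an abstract SAML type; ADFS specialises it via xsi:type into
        # WS-Fed roles, which a SAML-only broker can skip once it has read the claims.
        out["wsfed_roles"].append(role.get("{%s}type" % NS["xsi"]))
        for claim in role.findall("fed:ClaimTypesOffered/auth:ClaimType", NS):
            out["claims"].append(claim.get("Uri"))
    return out
```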