8:35 a.m.
Hello Linda,
Seems like you need to configure SAML Attribute to Role mapper for your IdP.
Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper.
You will need to know how exactly your IdP supplies role information.
Normally, there should be an attribute inside SAML assertion that comes
with SAML response; the fastest way is to inspect SAML payload via F12
-> Network in your browser. Use https://www.samltool.com to decode and pretty-print
it.
Once you have the name of the attribute that contains IdP roles, you can complete the
configuration of the mapper.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote:
Hello.
I am facing some issues. I want to secure some simple web application with Keycloak/SAML
and Wildfly.
My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with
the Keycloak and SAML adapter installed.
In my test .war file exists a simple .html file which just says "Hello World".
Also in the WEB-INF folder I have the web.xml which is configured like this:
<?xml version="1.0" encoding="UTF-8"?>
> <web-app version="2.5"
xmlns="http://java.sun.com/xml/ns/javaee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>Application Container</display-name>
<welcome-file-list>
<welcome-file>ApplicationContainer.html</welcome-file>
</welcome-file-list>
<login-config>
<auth-method>KEYCLOAK-SAML</auth-method>
<realm-name>keycloak</realm-name>
</login-config>
<security-constraint>
<display-name>Application Container Constraint</display-name>
<web-resource-collection>
<web-resource-name>All Resources</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>hallo</role-name>
</auth-constraint>
</security-constraint>
</web-app>
My issue now is that this is working as long as I am sending the requested role from the
IDP. But for the actual application I need to map the roles I am receiving to some local
roles. I am not getting them directly from the IDP.
Which brings me to the part where I thought I could use some login-module configuration
from the standalone-configuration. I tried to configured this one in a file named
jboss-web.xml.
How am I going to achieve to be able to locally handle the role mapping?
Thanks in advance.
--
Linda
“Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any
emails sent to Amdocs will be processed and stored using such system and are accessible by
third party providers of such system on a limited basis. Your sending of emails to Amdocs
evidences your consent to the use of such system and such processing, storing and
access”.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user