Hi.
I am still trying to figure this out.
Can anybody give me a hint?
--
Thanks
Linda
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Linda Sauder
Sent: Friday, August 10, 2018 9:35 AM
To: Dmitry Telegin <dt(a)acutus.pro>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
Hi.
Another question concerning this topic. I tried the approach that was mentioned in your
link. Unfortunately, I am facing issues with the auth-method.
As far as I know I need to set it to "KEYCLOAK-SAML" to be able to use the Keycloak
plugins for Wildfly. But in combination with the filter I am never hitting my filter code.
It always gets directed to the org.keycloak.adapters.saml.undertow.ServletSamlSessionStore,
which handles the roles itself.
Any suggestions on how to handle this?
--
Linda
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Linda Sauder
Sent: Thursday, August 09, 2018 9:09 AM
To: Dmitry Telegin <dt(a)acutus.pro>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
That sounds promising.
I will give it a try.
Thank you.
-----Original Message-----
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: Wednesday, August 08, 2018 11:53 PM
To: Linda Sauder <Linda.Sauder(a)amdocs.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
Oh, I think I've misled you. No, I mean all of the above should work, but there's
a much simpler variant - you can write a servlet filter to manipulate the security context,
including roles. See this thread (from 2010, but still topical):
https://coderanch.com/t/466744/java/Set-user-principal-filter
In this example the author manipulates the user principal; you'll need to do the same with
roles.
Good luck!
Dmitry
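The servlet-filter variant Dmitry describes, written out as an added example (this is not code from the thread, from the linked coderanch post, or from Keycloak). It wraps the request so that the role names the application checks ("bar") are answered from the role names the customer's IdP actually asserts ("foo"); the mapping table and the filter name are constructed for illustration.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Added example, not code from the thread or from Keycloak.
 * Wraps the request so that request.isUserInRole("bar") is true when the
 * IdP asserted "foo": the app keeps checking its own role names while the
 * customer's Keycloak keeps sending theirs.
 */
@WebFilter(filterName = "roleMappingFilter", urlPatterns = "/*")
public class RoleMappingFilter implements Filter {

    /** Constructed mapping for illustration: IdP role -> local roles it grants. */
    private static final Map<String, Set<String>> IDP_TO_LOCAL = new HashMap<>();
    static {
        IDP_TO_LOCAL.put("foo", new HashSet<>(Collections.singletonList("bar")));
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // only wrap authenticated HTTP requests; anything else passes through untouched
        if (req instanceof HttpServletRequest
                && ((HttpServletRequest) req).getUserPrincipal() != null) {
            chain.doFilter(new MappedRolesRequest((HttpServletRequest) req), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    /** Answers isUserInRole() for local role names by consulting the mapping table. */
    static final class MappedRolesRequest extends HttpServletRequestWrapper {
        MappedRolesRequest(HttpServletRequest request) { super(request); }

        @Override
        public boolean isUserInRole(String localRole) {
            if (super.isUserInRole(localRole)) {
                return true; // the IdP already asserted this exact role
            }
            for (Map.Entry<String, Set<String>> e : IDP_TO_LOCAL.entrySet()) {
                if (e.getValue().contains(localRole) && super.isUserInRole(e.getKey())) {
                    return true; // an asserted IdP role maps onto the requested local role
                }
            }
            return false; // never widen beyond what the table explicitly grants
        }
    }
}
```

Two things to keep in mind when using this. First, the container evaluates `<security-constraint>`/`<auth-constraint>` in web.xml inside the KEYCLOAK-SAML authentication mechanism, before any servlet filter runs, so the wrapper only affects checks the application itself makes through `isUserInRole`; if the constraint names a role the IdP never asserts, the request is rejected before the filter sees it. Keep the container constraint on a role the IdP really sends (so authentication is still enforced by the adapter) and do the finer-grained checks in code. Second, a filter that grants roles is part of your authorization boundary: keep the table small and explicit, and review it like any other access-control configuration. If annotation scanning is not applied with a 2.5 web.xml, declare the filter with `<filter>` and `<filter-mapping>` instead.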
On Wed, 2018-08-08 at 19:22 +0300, Dmitry Telegin wrote:
So, is this correct that:
- your customer has the "foo" role configured in their Keycloak;
- the authors of the app expect that the user has the "bar" role;
- your customer doesn't want to create "bar" in Keycloak, the programmers don't want
to change their code to use "foo", and you're caught in the crossfire?
Off the top of my head, there can be two solutions:
1) modify the SAML adapter code and implement role mapping there -
shouldn't be too tricky, but from now on you'll have to use the modified
adapter and update it with every Keycloak release (or maybe commit it
upstream, but I'm not sure it will be accepted);
2) deploy an intermediary Keycloak, configure brokering between it and
the customer's one and use the role mapper trick. This could be made
transparent for end-users, however it will add a couple of redirects to the flow.
And of course this will mean that you'll have to maintain yet another
piece of software.
Good luck!
Dmitry
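Further down the thread Dmitry suggests inspecting the SAML payload to find out under which attribute name the IdP sends roles before configuring a mapper. The following is an added example of doing that check offline (it is not code from the thread, from samltool.com or from Keycloak): it decodes a SAMLResponse value as posted by the browser and lists every attribute in the assertion. The sample response embedded in main() is constructed and unsigned; a real one carries a Signature and many more elements, which this code does not validate.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example (not from the thread): decode a SAMLResponse form value and
 * list the attributes in its assertion, so you can see which attribute name
 * carries roles before configuring the SAML Attribute to Role mapper.
 * This only reads the payload; it performs no signature validation.
 */
public class SamlAttributeDump {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** One attribute as carried in the assertion. */
    public static final class Attr {
        public final String name;
        public final List<String> values;
        Attr(String name, List<String> values) { this.name = name; this.values = values; }
        @Override public String toString() { return name + " = " + values; }
    }

    /** Parse a base64-encoded SAML response (the value of the SAMLResponse form field). */
    public static List<Attr> attributesOf(String base64Response) throws Exception {
        byte[] xml = Base64.getMimeDecoder().decode(base64Response);
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // the payload came from the network: refuse DTDs and entity expansion while parsing
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(xml));

        List<Attr> out = new ArrayList<>();
        NodeList attrs = doc.getElementsByTagNameNS(SAML_NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element a = (Element) attrs.item(i);
            List<String> values = new ArrayList<>();
            NodeList vs = a.getElementsByTagNameNS(SAML_NS, "AttributeValue");
            for (int j = 0; j < vs.getLength(); j++) {
                values.add(vs.item(j).getTextContent().trim());
            }
            out.add(new Attr(a.getAttribute("Name"), values));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // constructed, unsigned sample response; role and mail attribute names are made up
        String sample = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_r1\">"
            + "<saml:Assertion ID=\"_a1\"><saml:AttributeStatement>"
            + "<saml:Attribute Name=\"Role\">"
            + "<saml:AttributeValue>foo</saml:AttributeValue>"
            + "<saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>"
            + "<saml:Attribute Name=\"mail\">"
            + "<saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>"
            + "</saml:AttributeStatement></saml:Assertion></samlp:Response>";
        String encoded = Base64.getEncoder()
            .encodeToString(sample.getBytes(StandardCharsets.UTF_8));
        for (Attr a : attributesOf(encoded)) {
            System.out.println(a);
        }
    }
}
```

To run it against a real login, copy the SAMLResponse form value from the browser's network tab into attributesOf(); the attribute whose values match the IdP's role names is the one to enter in the mapper. If the response is also URL-encoded, decode that layer first.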
On Wed, 2018-08-08 at 14:31 +0000, Linda Sauder wrote:
> Hi Dmitry,
>
> Yes. That is correct.
>
> ---
> Linda
>
> -----Original Message-----
> From: Dmitry Telegin <dt(a)acutus.pro>
> Sent: Wednesday, August 08, 2018 3:56 PM
> To: Linda Sauder <Linda.Sauder(a)amdocs.com>; keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
>
> I see, probably I misunderstood. I thought you were in control of your Keycloak
> instance, and had an external IdP configured there.
>
> So is it correct that your customer runs Keycloak (that you have no control of), and
> you use it to secure your Wildfly app?
>
> Dmitry
>
> On Wed, 2018-08-08 at 13:40 +0000, Linda Sauder wrote:
> > Hi Dmitry,
> >
> > Thanks for your response.
> >
> > Unfortunately, I am not able to configure the IDP when using the app for the
> > customer because the customer is providing the IDP. Which means I can only handle the
> > roles provided in the app itself and not in the server.
> >
> > But I also thought about it. Not an option unfortunately.
> >
> > --
> > Cheers
> > Linda
> >
> > -----Original Message-----
> > From: Dmitry Telegin <dt(a)acutus.pro>
> > Sent: Wednesday, August 08, 2018 3:36 PM
> > To: Linda Sauder <Linda.Sauder(a)amdocs.com>; keycloak-user(a)lists.jboss.org
> > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
> >
> > Hello Linda,
> >
> > Seems like you need to configure SAML Attribute to Role mapper for your IdP.
> >
> > Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper.
> >
> > You will need to know how exactly your IdP supplies role information.
> > Normally, there should be an attribute inside the SAML assertion that
> > comes with the SAML response; the fastest way is to inspect the SAML
> > payload via F12 -> Network in your browser. Use https://www.samltool.com
> > to decode and pretty-print it.
> >
> > Once you have the name of the attribute that contains IdP roles, you can
> > complete the configuration of the mapper.
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info(a)acutus.pro
> >
> > On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote:
> > > Hello.
> > >
> > > I am facing some issues. I want to secure some simple web application with
> > > Keycloak/SAML and Wildfly.
> > >
> > > My set-up is a configured Keycloak Server and a local Wildfly server
> > > (10.1.0 Final) with the Keycloak and SAML adapter installed.
> > >
> > > In my test .war file there is a simple .html file which just says
> > > "Hello World". Also in the WEB-INF folder I have the web.xml which is configured
> > > like this:
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
> > >          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
> > >
> > >   <display-name>Application Container</display-name>
> > >
> > >   <welcome-file-list>
> > >     <welcome-file>ApplicationContainer.html</welcome-file>
> > >   </welcome-file-list>
> > >
> > >   <login-config>
> > >     <auth-method>KEYCLOAK-SAML</auth-method>
> > >     <realm-name>keycloak</realm-name>
> > >   </login-config>
> > >
> > >   <security-constraint>
> > >     <display-name>Application Container Constraint</display-name>
> > >     <web-resource-collection>
> > >       <web-resource-name>All Resources</web-resource-name>
> > >       <url-pattern>/*</url-pattern>
> > >       <http-method>POST</http-method>
> > >       <http-method>GET</http-method>
> > >     </web-resource-collection>
> > >     <auth-constraint>
> > >       <role-name>hallo</role-name>
> > >     </auth-constraint>
> > >   </security-constraint>
> > >
> > > </web-app>
> > >
> > > My issue now is that this is working as long as I am sending the requested
> > > role from the IDP. But for the actual application I need to map the roles I am receiving
> > > to some local roles. I am not getting them directly from the IDP.
> > >
> > > Which brings me to the part where I thought I could use some login-module
> > > configuration from the standalone configuration. I tried to configure this one in a file
> > > named jboss-web.xml.
> > >
> > > How am I going to be able to handle the role mapping locally?
> > >
> > > Thanks in advance.
> > > --
> > > Linda
> > > “Amdocs’ email platform is based on a third-party, worldwide, cloud-based
system. Any emails sent to Amdocs will be processed and stored using such system and are
accessible by third party providers of such system on a limited basis. Your sending of
emails to Amdocs evidences your consent to the use of such system and such processing,
storing and access”.
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user