Hi John,
I didn't paste everything on purpose, just wanted to show the difference in the namespace. However, as I am not able to easily check the logs now, I pasted the complete XML below:
Many thanks in advance,
Kevin
Kevin Kaminski
IT Project Manager
movingimage EVP GmbH
Stralauer Allee 7 | 10245 Berlin – Germany
Tel: +49 (0)30.330 9660.330
Fax: +49 (0)30.330 9660.99
www.movingimage.com
Berlin | Tokyo | San Francisco | New York
Limited liability company based in Berlin
District court Berlin-Charlottenburg | HRB 94436 B
Managing directors: Dr. Rainer Zugehör, Erdal Ahlatci
Board of directors: Daniel Wild, Felix Artmann, Jörg Binnenbrücker, Tim Kindt, Dr. Dirk Schmücking, Russell Zack
-------
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
xmlns:ns4="urn:oasis:names:tc:SAML:2.0:idbus"
xmlns:ns6="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ns7="urn:org:atricore:idbus:common:sso:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained"
Destination="https://auth-evp.movingimage.de/auth/realms/master/broker/uit/endpoint"
IssueInstant="2019-07-17T11:42:32.920Z" Version="2.0"
InResponseTo="ID_727b483a-4aef-4292-8cc1-d84ad6e11085"
ID="idE205227EDA4460">
<saml:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso-abnahme.movingimage.de/IDBUS/SSO-ABN/VP01-IDP-PROXY/SAML2/MD</saml:Issuer>
<ds:Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#idE205227EDA4460">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<DigestValue>wlATRJxJb8aDoReCV4/c1qJVKtA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>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</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>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</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
/>
</samlp:Status>
<saml:Assertion IssueInstant="2019-07-17T11:42:32.398Z"
ID="id0585E4B155E46D" Version="2.0">
<saml:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso-abnahme.movingimage.de/IDBUS/SSO-ABN/VP01-IDP-PROXY/SAML2/MD</saml:Issuer>
<ds:Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#id0585E4B155E46D">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>ZTBe1/VGMBBtRFNnbzKoihwsiPo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>f/fkkv1I/244MV/FUDyajpn4u+GNztlACS6pM1uYvtfRDNTGRYf2VOzQOQ5T7Dso1LlX91iwGzZHxow1RsEj5dxVCJc2g9So16kguJD4VcjtNpZQzE2axdUe7THMPYsrPEfh50xCBccRsGmK6ymVUh14TgKL7+0wcIsd4TqO3BP0REhZuhW0ylTM9/Olj8Si2l2hiyIBcdsqVIaUu3cVhqIVCiVehYfeFJltG+rZ+ZawL7Z+CK9ei6QYyy76UTEoOGTnpaIivQulDtRHV9XeeccKpBW+CSjWLeC9m7k9UTNggpBbN1EE3eaRk0iUqUbDZG03gxl2JrRjKwIkf1piOtD0vzLRirjXEEVR/N69NoJbMrdFkcV5HIbuiPURpZFRZaaa3nmy1uxd9v965/afE4uy/L+sPguIVIa15O/R8H2z74jnPGgIcuxedbSx7G+Q5263UL4lzqzVaSz471Gg3dtdgKOQRktevACelJDqkPT/QCBOmVAnAn98zHX+CklATrI6BDOhL75hSi2DMuaSLUN4q4ejUM595n8oOt2/rPrNvIi5CJjrTnGpjDQN8x51eYBe2hRUR5h6nt5i/iu3aLTuUUhfh1K+gxlVg8ZFJCbOmlbidBip2IremAioOiwiXsO/C5jqEsguUS8BecqGmHZFIgjkblyiRbnvRjYXIBQ=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>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</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">44444-kki</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="ID_727b483a-4aef-4292-8cc1-d84ad6e11085"
Recipient="https://auth-evp.movingimage.de/auth/realms/master/broker/uit/endpoint"
NotOnOrAfter="2019-07-17T11:47:32.398Z" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotOnOrAfter="2019-07-17T11:47:32.398Z"
NotBefore="2019-07-17T11:37:32.398Z">
<saml:AudienceRestriction>
<saml:Audience>https://auth-evp.movingimage.de/auth/realms/master</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionNotOnOrAfter="2019-07-17T17:42:32.398Z"
SessionIndex="id-253c748e-f363-43ae-84c8-e68a3aef9436"
AuthnInstant="2019-07-17T11:42:32.398Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute FriendlyName="OI_LOGIN_FAILED"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="OI_LOGIN_FAILED">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">0</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="MA_UUKEY"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="MA_UUKEY">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">7F7C1A25638B519AE05402082055A8B5</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="OI_PASSWORT_STATUS"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="OI_PASSWORT_STATUS">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
/>
</saml:Attribute>
<saml:Attribute FriendlyName="BA_BLZ"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="BA_BLZ">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">22222222</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
FriendlyName="org:atricore:idbus:sso:sp:idpName_proxied"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="org:atricore:idbus:sso:sp:idpName_proxied">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">uitidp01</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="groups"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="groups">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">Mitarbeiter</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
FriendlyName="org:atricore:idbus:sso:sp:authnCtxClass_proxied"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="org:atricore:idbus:sso:sp:authnCtxClass_proxied">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
FriendlyName="org:atricore:idbus:sso:sp:idpAlias_proxied"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="org:atricore:idbus:sso:sp:idpAlias_proxied">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">https://sso-abnahme.movingimage.com.de/IDBUS/SSO-ABN/UITIDP01/SAML2/MD</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="MA_EMAIL"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="MA_EMAIL">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">kevin.kaminski@movingimage.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="OI_ONLINEMITARBEITERID"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="OI_ONLINEMITARBEITERID">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">44444-kki</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="groups"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="groups">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">iwpilot</saml:AttributeValue>
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">Basiszugriff UnionOnline</saml:AttributeValue>
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">Mitarbeiter</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="MA_GENOUSERID"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="MA_GENOUSERID">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
/>
</saml:Attribute>
<saml:Attribute FriendlyName="MA_NAME"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="MA_NAME">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">Kaminski</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="MA_VORNAME"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="MA_VORNAME">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">Kevin</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
On 17.07.19, 14:44, "John Dennis" <jdennis(a)redhat.com> wrote:
On 7/17/19 8:00 AM, Kevin Kaminski wrote:
Hello,
I am writing to this list for the first time, so I hope I am doing everything correctly.
But here's what I need help with:
First of all, we are using Keycloak version 5.0.0 in our company.
I am playing around a little with the "Attribute Importer" in Keycloak, because I want to receive all SAML attributes that get delivered via the Identity Provider's SAML response, listed in one and the same attribute. And that actually works after I configured the Mapper Type "Attribute Importer". I can see in Keycloak, in my user account > Attributes, that all of the attributes are imported (such as groups, name, first name, mail address) and they will be listed in one grouped attribute (not sure if there is another official name for it).
The way I configured the mapper is:
* Name: saml_attributes
* Mapper Type: Attribute Importer
* Attribute Name: empty
* Friendly Name: empty
* User Attribute Name: saml_attributes
Now I configured a customer IDP (it's called JOSSO) and I did the exact same configuration of the Attribute Importer. However, Keycloak could not import all SAML attributes.
After investigation I could see the structure of the SAML response is different between
both IDPs:
The one that works (ADFS) looks like this:
<AttributeStatement>
<Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailadd...
<AttributeValue>kevin.kaminski@movingimage.com</AttributeValue>
The one where the importer doesn't work:
<saml:Attribute FriendlyName="MA_EMAIL"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="MA_EMAIL">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Did you forget to paste the entire XML element into the email, because this is not a complete AttributeValue element?
Is it possible that "saml:" is the reason Keycloak can't properly import it?
Only if the "saml" namespace tag was not declared earlier via
xmlns:saml= but then you should have gotten an xml parsing error logged.
My suggestion would be to check the server log for errors and/or paste
more complete xml from the assertion.
Note: In general the "Attribute Importer" works if I configure dedicated mappers for mail, name, etc. I specify these mappers with a Friendly Name.
But this "grouped" import doesn't work.
I hope I could make clear what my problem is and I hope that someone is able to help.
--
John Dennis
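Added example (not code from this thread or from Keycloak): a namespace-aware extraction of SAML attributes that illustrates John's point above, that a `saml:` prefix bound via `xmlns:saml=` is equivalent to the default-namespace form in the ADFS response, while an unbound prefix is a hard parse error rather than a silently missing attribute. The samples are constructed from the pasted response (multi-valued `groups`, `xsi:nil` on `MA_GENOUSERID`); the full WS-Federation e-mail claim URI is assumed, since the thread truncates it.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample in the ADFS style from the thread: default namespace, no prefix.
ADFS_STYLE = f"""<AttributeStatement xmlns="{SAML_NS}">
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>kevin.kaminski@movingimage.com</AttributeValue>
  </Attribute>
</AttributeStatement>"""

# Constructed sample in the JOSSO style: "saml:" prefix bound to the same namespace URI,
# with a multi-valued attribute and an xsi:nil value as in the pasted response.
JOSSO_STYLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute FriendlyName="MA_EMAIL" Name="MA_EMAIL">
    <saml:AttributeValue>kevin.kaminski@movingimage.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute FriendlyName="groups" Name="groups">
    <saml:AttributeValue>iwpilot</saml:AttributeValue>
    <saml:AttributeValue>Mitarbeiter</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute FriendlyName="MA_GENOUSERID" Name="MA_GENOUSERID">
    <saml:AttributeValue xmlns:xsi="{XSI_NS}" xsi:nil="true"/>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Same markup with the prefix never declared: not well-formed XML, the parser rejects it.
UNDECLARED_PREFIX = "<saml:AttributeStatement><saml:Attribute Name='x'/></saml:AttributeStatement>"


def extract_attributes(xml_text):
    """Return {Name: [values]}, matching by namespace URI so the prefix is irrelevant.
    xsi:nil="true" becomes None; multi-valued attributes keep every value in order."""
    root = ET.fromstring(xml_text)  # raises ET.ParseError on malformed XML
    result = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = []
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            is_nil = val.get(f"{{{XSI_NS}}}nil") == "true"
            values.append(None if is_nil else (val.text or "").strip())
        result[attr.get("Name")] = values
    return result


def parses_cleanly(xml_text):
    """True when the document is well-formed (every prefix bound), else False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False
```

Both styles yield the same attribute map, so a mapper that matches on Name or FriendlyName sees no difference between them; the unbound-prefix case is the one that would surface as an XML parsing error in the server log.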