I'm trying to use ADFS as a SAML identity provider, then use OIDC to
authenticate an application on JBoss EAP.
The IDP redirects to AD and back to Keycloak seem to work fine, and a list
of groups is provided as an assertion. When I debug within the protected
application, however, the groups from the SAML assertion are not passed
through. If I make a role in Keycloak and manually assign it to a user, it
does get passed through.
Is this something that should be supported and I'm just not configuring
something right?
Environment: Keycloak 1.9.2.Final running on OpenShift Enterprise 3.1.
----
Jason Hobbs
Lead Engineer Shop Floor Systems