[keycloak-dev] Dynamic SAML roles to user mapper

Heger Oliver (INST-IOT/ESB) Oliver.Heger at bosch-si.com
Fri Jun 21 08:42:42 EDT 2019 

Hi all,

In the mean time we made some progress by creating an initial implementation of a custom mapper for SAML roles that supports our use case.

The mapper extracts a list of role names from a configurable attribute of the SAML response from the IDP. Roles that do not exist in the current realm are created automatically. Then the current user is assigned exactly this list of roles.

There are some further configuration options to support a transformation of role names to a certain degree. So it is possible for instance to specify a regular expression to select only a subset of the roles from the SAML response, and a template can be provided for generating role names dynamically.

Is there some interest in this mapper implementation? Do you think it could be useful in general?

Kind regards
Oliver

-----Ursprüngliche Nachricht-----
Von: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> Im Auftrag von Heger Oliver (INST-IOT/ESB)
Gesendet: Freitag, 7. Juni 2019 13:35
An: keycloak-dev at lists.jboss.org
Betreff: [keycloak-dev] Dynamic SAML roles to user mapper

Hi all,

For an external customer we need to bring together the SAML IDP of the customer as leading system for user data with our services that are only supporting OIDC.
We think Keycloak could fit very well as some kind of mediator between the customer's IDP and our OIDC-based services.

The services expect JWTs containing basic user data and also a list with all the roles the user has. With the mappers available in Keycloak a JWT can be constructed that contains the desired information. But now it can happen that the roles model is extended in agreement between the IDP and the client services. As we understand it, in order to support the newly added roles, they would have to be added manually into Keycloak before they can be referenced by the existing SAML Attribute to Role mapper.

This manual step we would like to avoid. In our ideal scenario, Keycloak would just be an infrastructure component handling the SAML to OIDC conversion. With respect to the roles assigned to users, it should be agnostic and simply copy the information it receives from the SAML IDP verbatim.

To achieve this we think about implementing a custom mapper that allows dealing with roles in this way. It would read the roles from a configurable attribute of the SAML response and assign them to the user affected in the Keycloak data model. If a role was encountered that did not exist yet, it would be newly created. That way the roles model used by Keycloak would adapt itself dynamically to the model used by the parties involved, and no manual updates would be required.

Do you think there is an easier solution for this problem than writing a custom mapper?

If the answer is no, would you be interested in such a mapper implementation?
We would be happy to contribute it. In our opinion this feature would strengthen the brokering facilities of Keycloak.

Thank you and kind regards

Oliver Heger

(INST-IOT/ESB)
Bosch Software Innovations GmbH | Stuttgarter Straße 130 | 71332 Waiblingen | GERMANY | www.bosch-si.com<http://www.bosch-si.com>
Tel. +49 711 811-58473 | Fax +49 711 811-58200 | oliver.heger at bosch-si.com<mailto:oliver.heger at bosch-si.com>

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic



_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list