[keycloak-user] Keycloak saml authentication and authorization
Jukka Sirviö
Jukka.Sirvio at mipro.fi
Mon Nov 16 13:26:47 EST 2015
Thank you, Bill, for the quick response.
I will continue using our current SP-level authorization functionality; it is easily integrated with Keycloak SAML with the help of additional attributes, as you pointed out (please see the screenshot). EE roles and constraints will be used where appropriate.
I'm quite familiar with the examples you mentioned, and the client adapter documentation is also reasonably well studied.
thanks,
Yours:
Jukka
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: 16 November 2015 16:15
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak saml authentication and authorization
The only authorization that we can do right now is at the application through servlet security constraints and Java EE roles. Keycloak now has a SAML client adapter derived from PL SAML SP. There are ways to obtain the attributes propagated with the SAML assertion if you need something more:
http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html
Here are the examples that come with the distro:
https://github.com/keycloak/keycloak/tree/master/examples/saml
Ping the list if you need further assistance.
On 11/16/2015 6:49 AM, Jukka Sirviö wrote:
> Hello all,
>
> Are there any examples on how to get Keycloak SAML authorization up and
> running?
>
> Keycloak SAML authentication is already up and running across two
> distinct web applications. My SAML authentication already includes a
> couple of user properties and attributes, but I'm not able to find any
> info about what is the right and correct way to establish
> authorization with keycloak saml, saml metadata perhaps?
>
> Could you please point me to right direction? SAML authorization
> examples would be great, or is "picketlink-federation
> -saml-sp-with-metadata" example all that I need to know?
>
> Reason for above question is that I want to get rid of our own
> web-application specific authorization mechanism!
>
> Yes, and the answer to your follow-up question is that our
> environment is wf 9.0.1; the wf saml adapter is in use.
>
> Yours:
> Jukka
>
>
> ------------------------------------------------------------------------
>
> This message (including any attachments) may contain confidential
> information intended for the person or entity to which it is
> addressed. If you are not the intended recipient, notify the sender
> and delete this message immediately. Notice that disclosing, copying,
> distributing or any other use of the message and its information, or
> taking any action based on it, is strictly prohibited.
>
> ------------------------------------------------------------------------
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2015-11-16 20_12_25-Keycloak Admin Console.png
Type: image/png
Size: 54955 bytes
Desc: 2015-11-16 20_12_25-Keycloak Admin Console.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151116/e9691c74/attachment-0001.png
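Bill's reply describes the only authorization the SAML adapter supports at this point (servlet security constraints plus Java EE roles) and the ability to read attributes carried in the SAML assertion, which is exactly what Jukka uses for his SP-level authorization. The filter below is an added example, not code from this thread or from the Keycloak project, showing the two pieces together: the container-enforced role check (role mapped from an assertion attribute via keycloak-saml.xml) and a finer, application-level decision taken on another assertion attribute read from the adapter's SamlPrincipal. The attribute name "department", the allowed values, the URL patterns and the role name "admin" are assumptions for illustration; the SamlPrincipal.getAttributes(String) call and the RoleIdentifiers element are the adapter's real API and configuration.

```java
// Added example (not from the thread or the Keycloak project): SP-side
// authorization for a web app protected by the Keycloak SAML adapter.
//
// Assumed configuration (not shown in the thread):
//  - web.xml declares <auth-method>KEYCLOAK-SAML</auth-method>, a
//    <security-constraint> on /admin/* with <role-name>admin</role-name>,
//    and a matching <security-role>, so the container does the coarse check.
//  - keycloak-saml.xml maps the assertion attribute "Role" to Java EE roles:
//      <SP ...><RoleIdentifiers><Attribute name="Role"/></RoleIdentifiers></SP>
//  - the IdP releases an attribute named "department" (hypothetical) that
//    this filter uses for the application-level rule on /reports/*.
package example.saml;

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.adapters.saml.SamlPrincipal;

@WebFilter("/reports/*")
public class DepartmentAuthorizationFilter implements Filter {

    // Departments allowed to reach /reports/*; hypothetical values.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("finance", "audit")));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The adapter has already authenticated the user and validated the
        // assertion signature; without a SamlPrincipal there is no identity.
        Principal p = request.getUserPrincipal();
        if (!(p instanceof SamlPrincipal)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        SamlPrincipal saml = (SamlPrincipal) p;

        // Java EE role check: roles were derived from the "Role" attribute
        // by the adapter, so the standard servlet API works unchanged.
        boolean isAdmin = request.isUserInRole("admin");

        // Attribute values come from the signed assertion; an attribute that
        // is absent must be treated as "no access", not as "any access".
        List<String> departments = saml.getAttributes("department");
        if (departments == null) {
            departments = Collections.emptyList();
        }

        if (isAdmin || isAllowedDepartment(departments)) {
            chain.doFilter(req, res);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    // Pure decision logic, kept separate from the servlet plumbing so it
    // can be unit-tested without a container.
    static boolean isAllowedDepartment(List<String> departments) {
        for (String d : departments) {
            if (d != null && ALLOWED.contains(d.trim().toLowerCase())) {
                return true;
            }
        }
        return false;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

The point of the split is that the container handles authentication and the coarse role gate declaratively, while the filter only consumes attributes the adapter has already verified as part of the signed assertion; the filter never parses the SAMLResponse itself, and a missing attribute fails closed.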