[keycloak-user] Role to claim mapping

Gonzalo López lopez.m.gonzalo at gmail.com
Wed Sep 30 11:33:45 EDT 2015


Keycloak A is the idp using oidc
"testuser" and "testrole" are defined in Keycloak A.


Keycloak B is the broker, it has Keycloak A as identity provider
App B authenticates using the broker, choosing Keycloak A as the provider

I want Keycloak B to receive (from Keycloak A) a claim saying something
like "roles": "testuser"
2015-09-30 11:26 GMT-03:00 Bill Burke <bburke at redhat.com>:

> I am confused on what you want to do.  Please talk in terms of Keycloak
> A, Keycloak B, App C, App D.
>
> On 9/30/2015 9:23 AM, Gonzalo López wrote:
> > testuser has some roles in host B (testrole in this example), I want to
> > put the roles as a claim in the token so when host A receives the token
> > it maps the claim to roles in host A
> >
> > I already did the second part (mapping in host A), but I still can't
> > find out how to put the roles in a claim.
> >
> >     On 9/29/2015 3:42 PM, Gonzalo López wrote:
> >      > I'm trying to test the Identity broker to achieve cross domain
> >     sso, this
> >      > is what I have done:
> >      >
> >      > 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in
> >     host A
> >      > 2 - Installed jboss 6.4 eap + keycloak in host B
> >      > 3 - In host A, I added an oidc Identity Provider (importing host B
> >      > openid connect configuration).
> >      > 4 - In host A, I created an application (appa.war) that will try
> >     to use
> >      > the broker to authenticate. I added security to the app (only
> >     user with
> >      > role "user" will be able to access some parts)
> >      > 5 - In host B, I added 2 oidc clients (the broker from host A and
> >     appb,
> >      > appb (appb.war) is a simple application developed to log in using
> >     oidc)
> >      > 6 - In host B, I created a role "testrole" inside appb and a user
> >      > "testuser", then I added that role to the user.
> >      >
> >      > I couldn't find out how to map the role "testrole" to a claim
> >     that will
> >      > be sent to the broker once the user has authenticated. Is there a
> >     way to
> >      > do that?
> >      >
> >      > After I accomplish that I plan to map that claim to the role
> >     appa.user.
> >      >
> >
> >     OIDC and SAML Identity Providers have mappers.  Host A broker will
> >     receive the token from Host B.  You can map the testrole to whatever
> >     claim you want.
> >
> >
> >     --
> >     Bill Burke
> >     JBoss, a division of Red Hat
> >     http://bill.burkecentral.com
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
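For the two halves Bill describes (a claim emitted by the identity provider, then mapped to a local role by the broker), here is an added example of the two mapper definitions in the JSON shape the Keycloak admin REST API accepts today; it is not from this thread, and it assumes a current Keycloak release, that "testrole" is held as a realm role on Keycloak A, and that the provider alias configured on Keycloak B is "keycloak-a".

```json
{
  "_comment": "Added example, not from the thread. Both objects are assumptions about the current Keycloak admin REST API representation.",
  "keycloak_a_protocol_mapper": {
    "_comment": "POST to /admin/realms/{realm}/clients/{id}/protocol-mappers/models on Keycloak A, for the client that Keycloak B's broker uses. Emits the user's realm roles as a multivalued 'roles' claim in the ID and access tokens.",
    "name": "roles-claim",
    "protocol": "openid-connect",
    "protocolMapper": "oidc-usermodel-realm-role-mapper",
    "config": {
      "claim.name": "roles",
      "jsonType.label": "String",
      "multivalued": "true",
      "id.token.claim": "true",
      "access.token.claim": "true",
      "userinfo.token.claim": "true"
    }
  },
  "keycloak_b_identity_provider_mapper": {
    "_comment": "POST to /admin/realms/{realm}/identity-provider/instances/{alias}/mappers on Keycloak B. Grants the local client role appa.user only when the incoming 'roles' claim contains the value 'testrole'.",
    "name": "testrole-to-appa-user",
    "identityProviderAlias": "keycloak-a",
    "identityProviderMapper": "oidc-role-idp-mapper",
    "config": {
      "claim": "roles",
      "claim.value": "testrole",
      "role": "appa.user"
    }
  }
}
```

Because the broker grants whatever the mapper matches in a token Keycloak A signed, keep the claim-to-role mapper narrow (one claim value to one local role) rather than importing every incoming role wholesale, and leave signature validation on the identity provider enabled so the claim cannot be supplied by anyone other than Keycloak A.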