[keycloak-user] Problem using SAML IdP

Bill Burke bburke at redhat.com
Tue Jan 5 10:13:56 EST 2016 

We won't be able to support temporary ids (transient) for awhile as it 
requires temporary user creation which requires some rearchitecting.

As for "urn:mace:shibboleth:1.0:nameIdentifier" if you spec it out in a 
JIRA and it is simple enough to implement support for, we may be able to 
get it in.

On 1/5/2016 8:18 AM, Jérôme Blanchard wrote:
> Hi Bill,
>
> Thanks for your answer regarding transient and temporary ids. I
> understand the problem due to keycloak account creation and binding to
> the IdP.
> Renarter is using Shibboleth ; Is there is any work on shibboleth
> integration for keycloak ?
> If I look into the idps entities descriptors of renater, I found that it
> uses also another nameid format based on shibboleth namesapce :
> <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
>
> Do you think it is possible to patch the saml idp provider (or to create
> another one dedicated to shibboleth) in order to integrate keycloak to
> our identity federation (renater) ?
>
> Best whiches for this upcoming year and thanks for your great work
> around keycloak.
>
> Jérôme.
>
>
> Le mar. 22 déc. 2015 à 21:10, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> a écrit :
>
>     Our brokering doesn't support temporary user ids from the "parent" IDP.
>        Transient Ids in SAML or temporary ids.
>
>     On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:
>      > Hi,
>      >
>      > I'm trying to integrate keycloak into a the french research
>     federation
>      > of identity (renater) and I'm facing some problems.
>      > Actually, when IdP respond to keycloak i'm getting the following
>     error :
>      > PL00084: Writer: Unsupported Attribute
>      > Value:org.keycloak.dom.saml.v2.assertion.NameIDType
>      >
>      > It seems that this IdP is using transient NameID policy only and
>     using
>      > the unspecified field in the idp config in keycloak generate this
>      > exception as a return.
>      >
>      > Log of the keycloak server is joined.
>      >
>      > I have no idea of what happening because when I was using the test
>      > federation, everything was working but no I'm in the production
>      > federation, login fails.
>      >
>      > The renater federation is using Shibolleth and keycloak is not
>     supported
>      > by federation moderators so I'm alone in the dark now...
>      >
>      > Renater provides an IdP list that I have to parse and
>     synchronized with
>      > IdP in keycloak. As a return I provide a list of all endpoints
>     for each
>      > keycloak registered IdP to allow federation IdP to answear
>     correctly to
>      > the right endpoint. All of this is done by a small web app deployed
>      > aside keycloak and using REST API to synchronize all the IdP.
>      >
>      > One of the IdP entity descriptor is joined. As you can see, only
>      > transient nameid policy is supported and if I configure keycloak
>     to use
>      > email or persistent, I received a response saying that the nameid
>     is not
>      > supported :
>      >
>      > <samlp:AuthnRequest
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>      > xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>      >
>     AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>      > Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
>      > ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>      > IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
>      > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>      > Version="2.0"><saml:Issuer
>      >
>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer><samlp:NameIDPolicy
>      > AllowCreate="true"
>      >
>     Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></samlp:AuthnRequest>
>      >
>      >
>      > <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>      >
>     Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>      > ID="_9d03761957aade819b6823c35bbab278"
>      > InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>      > IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0"><saml2:Issuer
>      > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>      >
>     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer><saml2p:Status><saml2p:StatusCode
>      >
>     Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><saml2p:StatusCode
>      >
>     Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></saml2p:StatusCode><saml2p:StatusMessage>Required
>      > NameID format not
>      > supported</saml2p:StatusMessage></saml2p:Status></saml2p:Response>
>      >
>      >
>      > Any help would be gracefully appreciated.
>      >
>      > Thanks a lot, Jérôme.
>      >
>      >
>      >
>      > _______________________________________________
>      > keycloak-user mailing list
>      > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>      > https://lists.jboss.org/mailman/listinfo/keycloak-user
>      >
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-user mailing list