[keycloak-user] IDP Broker (SAML) - add LDAP attributes from ReadOnly LDAP.
Marek Posolda
mposolda at redhat.com
Wed Jun 21 04:04:35 EDT 2017
We don't have OOTB support for this usecase. AFAIK JIRAs still exist to
improve this.
You may need to create a new Authenticator implementation and add it to the
first broker login flow, which will automatically end with "success" in
case the existing user is a user from your LDAP.
Marek
On 20/06/17 14:13, Marc Jadoul wrote:
> Hello,
>
> I am trying to configure RH SSO 7.0 (available as container in Openshift
> V3.2), to obtain attributes and roles from a read-only LDAP.
> Users are authenticated using SAML, but applications do need additional
> attributes.
> The LDAP server has those attributes but does not provide user
> authentication, which is provided by Kerberos or SAML.
>
> Kerberos + LDAP is not really an option as it authenticates only a part of
> the users of the organization while SAML + LDAP could work for all.
>
> I found a couple of related issues:
> https://issues.jboss.org/browse/KEYCLOAK-4171
>
> But the solutions proposed do not work for me.... Maybe because my LDAP does
> not allow authentication?
>
> I get this error:
> 09:13:07,510 WARN [org.keycloak.events] (default task-320)
> type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId=
> http://testapp.example.corp/mellon/metadata, userId=null,
> ipAddress=10.0.0.20, error=invalid_user_credentials,
> identity_provider=hub-i-saml2, auth_method=saml, redirect_uri=
> http://testapp.example.corp/mellon/postResponse,
> identity_provider_identity=testuser,
> code_id=...
>
> Or this one (if in first login I allow user re-authentication), but then I
> am prompted for a password which fails authenticating as the LDAP does not
> know my password.
> 09:13:07,510 WARN [org.keycloak.events] (default task-320)
> type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId=
> http://testapp.example.corp/mellon/metadata,
> userId=fa84a028-e28f-4d06-a72f-aad9c51d88f2,
> ipAddress=10.0.0.20, error=invalid_user_credentials,
> identity_provider=hub-i-saml2, auth_method=saml, redirect_uri=
> http://testapp.example.corp/mellon/postResponse,
> identity_provider_identity=testuser,
> code_id=...
>
> Is there a solution out of the box for my use case? Adding additional
> information about users from an LDAP connection, read-only and without
> re-authentication?
>
>
> Regards,
>
> Marc
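As an added illustration of the custom authenticator Marek describes (example code, not from this thread or the Keycloak project): a first broker login step that links the SAML identity to an existing LDAP-federated user and ends the flow with "success" without asking for a password, so it can replace the "Username Password Form for idp" step that produces the invalid_user_credentials error above. The package name is hypothetical, an AuthenticatorFactory plus META-INF/services registration are still needed to deploy it, and the getUserByUsername signature and the federation-link check are assumptions that vary between Keycloak versions.

```java
package example.broker; // hypothetical package

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * First-broker-login step: if the username asserted by the SAML IdP matches a
 * user that comes from the (read-only) LDAP federation provider, link it and
 * succeed. Otherwise mark the step as attempted so later steps can run.
 */
public class LdapAutoLinkAuthenticator extends AbstractIdpAuthenticator {

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        RealmModel realm = context.getRealm();
        KeycloakSession session = context.getSession();

        // Username asserted by the IdP (identity_provider_identity in the event log).
        // Auto-linking trusts this value, so enable the step only for an IdP whose
        // asserted identifier is authoritative for the same directory as the LDAP.
        String username = brokerContext.getUsername();
        if (username == null) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }

        // Assumption: argument order of getUserByUsername depends on the Keycloak version.
        UserModel existing = session.users().getUserByUsername(username, realm);

        // Assumption: a non-null federation link identifies a user imported from LDAP.
        // Stricter: compare it with the LDAP provider's id instead of any provider.
        if (existing == null || existing.getFederationLink() == null) {
            context.attempted(); // not our case; let "create user if unique" etc. decide
            return;
        }

        context.setUser(existing); // link the broker identity to the LDAP user
        context.success();         // no password prompt against the read-only LDAP
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context,
                              SerializedBrokeredIdentityContext serializedCtx,
                              BrokeredIdentityContext brokerContext) {
        authenticateImpl(context, serializedCtx, brokerContext); // no form to post back
    }

    @Override
    public boolean requiresUser() { return false; }

    @Override
    public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
}
```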