[keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
Dmitry Telegin
dt at acutus.pro
Wed Aug 8 09:35:31 EDT 2018
Hello Linda,
Seems like you need to configure SAML Attribute to Role mapper for your IdP.
Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper.
You will need to know how exactly your IdP supplies role information.
Normally, there should be an attribute inside SAML assertion that comes
with SAML response; the fastest way is to inspect SAML payload via F12
-> Network in your browser. Use https://www.samltool.com to decode and pretty-print it.
Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote:
> Hello.
>
> I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly.
>
> My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed.
>
> In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this:
>
> <?xml version="1.0" encoding="UTF-8"?>
> > <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
> <display-name>Application Container</display-name>
>
> <welcome-file-list>
> <welcome-file>ApplicationContainer.html</welcome-file>
> </welcome-file-list>
>
> <login-config>
> <auth-method>KEYCLOAK-SAML</auth-method>
> <realm-name>keycloak</realm-name>
> </login-config>
>
> <security-constraint>
> <display-name>Application Container Constraint</display-name>
> <web-resource-collection>
> <web-resource-name>All Resources</web-resource-name>
> <url-pattern>/*</url-pattern>
> <http-method>POST</http-method>
> <http-method>GET</http-method>
> </web-resource-collection>
>
> <auth-constraint>
> <role-name>hallo</role-name>
> </auth-constraint>
> </security-constraint>
>
> </web-app>
>
> My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP.
>
> Which brings me to the part where I thought I could use some login-module configuration from the standalone-configuration. I tried to configured this one in a file named jboss-web.xml.
>
> How am I going to achieve to be able to locally handle the role mapping?
>
> Thanks in advance.
> --
> Linda
> “Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list