[keycloak-user] Meraki SP

Aaron Echols aechols at bfcsaz.com
Sun Apr 21 23:26:26 EDT 2019


Hello All,

I'm working on adding Meraki as an SP to Keycloak 5.0.0. It requires that
Keycloak be set up for IdP-initiated SSO, which I've configured. I have
everything working great, but I'm running into an issue where Keycloak will
not pass through a SAML attribute using mappers.

Per the docs here:
https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard

I need to pass a role attribute through that matches what I've set up as the
SAML Administrator Roles in Meraki. I've done that and have roles set up as
IT, Management, etc.

In Active Directory the 'department' attribute is set to the role that is
needed. I've created the federated mapper 'dept' that is mapped to
'department' in AD. Users in Keycloak have that attribute populated
successfully with the correct data.

In the client for Meraki, I've created a mapper named
'https://dashboard.meraki.com/saml/attributes/role', set it as a
'user property' with a property of 'dept' and a general friendly name, and
then set the 'SAML Attribute Name' to role.

Looking at the SAML login, this is never passed through at all. The only
way I can get it to pass a role value of 'IT' is by creating a 'Hardcoded
Attribute' with an 'Attribute Value' of 'IT' and a mapper name of
'https://dashboard.meraki.com/saml/attributes/role'; it will then log in
successfully to Meraki. There are other groups that will be logging into
Meraki, otherwise I'd just leave it hardcoded. I get the below in the SAML
transaction when hardcoding the attribute:

<saml:Attribute
    FriendlyName="Department"
    Name="role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">IT</saml:AttributeValue>
</saml:Attribute>

I've never had this issue of passing other attributes through before, can
anyone let me know if I'm going about this wrong and if so, what am I
missing? Thanks :)
--
Aaron Echols
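
The script below is an added example for readers of this thread; it is not code from the original post, from Keycloak or from Meraki. It parses a constructed, unsigned SAML Response shaped like the capture above, lists the attributes the SP actually receives, and checks that the role attribute is present with exactly one value from the Meraki "SAML Administrator Roles" list (the post names IT and Management). A second helper emits the Keycloak protocol-mapper JSON for a "User Attribute" mapper: in Keycloak the "User Property" mapper reads fixed user-model fields (username, email, firstName, lastName), while an attribute populated by an LDAP mapper such as 'dept' is exposed through the "User Attribute" mapper. The Meraki attribute names, the sample user, and the exact mapper JSON keys are assumptions to verify against the Meraki documentation and your Keycloak version; the script does not validate signatures, so run it only on assertions you have already verified, and use defusedxml for untrusted XML.

```python
"""Check what a SAML assertion carries and whether Meraki would get a usable
role. Added example, not code from the original post, Keycloak, or Meraki.
No signature verification is done here; the sample below is constructed."""
import json
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Assumed attribute names from the Meraki dashboard SSO docs; the captured
# assertion on the page used the bare Name="role", so both are accepted.
MERAKI_ROLE_ATTR = "https://dashboard.meraki.com/saml/attributes/role"
MERAKI_USERNAME_ATTR = "https://dashboard.meraki.com/saml/attributes/username"
ALLOWED_ROLES = {"IT", "Management"}   # the SAML Administrator Roles named in the post

# Constructed sample: the hardcoded-mapper output from the page plus a
# username attribute, wrapped in a minimal unsigned Response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="Department" Name="role"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">IT</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://dashboard.meraki.com/saml/attributes/username"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">aechols@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(xml_text):
    """Return {Attribute Name: [values]} for every Attribute in the assertion.
    Values are stripped: the page's capture showed a line break before
    </saml:AttributeValue>, and a strict SP would compare 'IT\\n', not 'IT'."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def resolve_role(attrs, allowed_roles, names=(MERAKI_ROLE_ATTR, "role")):
    """Return (role, problems). role is None unless exactly one role value is
    present under one of the accepted attribute names and is in allowed_roles."""
    problems = []
    present = [n for n in names if n in attrs]
    if not present:
        problems.append("no role attribute in assertion (mapper did not fire)")
        return None, problems
    if len(present) > 1:
        problems.append("role sent under several names: %r" % present)
        return None, problems
    values = attrs[present[0]]
    if len(values) != 1:
        problems.append("expected exactly one role value, got %r" % values)
        return None, problems
    if values[0] not in allowed_roles:
        problems.append("role %r is not a configured Meraki SAML role" % values[0])
        return None, problems
    return values[0], problems


def user_attribute_mapper(user_attr, saml_name, friendly_name):
    """Keycloak client protocol-mapper representation for a User Attribute
    mapper (assumed key names; compare with an export from your Keycloak)."""
    return {"name": saml_name, "protocol": "saml", "consentRequired": False,
            "protocolMapper": "saml-user-attribute-mapper",
            "config": {"user.attribute": user_attr,
                       "attribute.name": saml_name,
                       "attribute.nameformat": "Basic",
                       "friendly.name": friendly_name}}


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_RESPONSE)
    print("attributes received:", attrs)
    print("role resolved:", resolve_role(attrs, ALLOWED_ROLES))
    print(json.dumps(user_attribute_mapper("dept", MERAKI_ROLE_ATTR, "Department"), indent=2))
```

To test against a live login, decode the SAMLResponse from the browser POST to Meraki (base64, then the XML) and feed it to extract_attributes; an empty dict for the role names means the Keycloak mapper is not emitting the attribute at all, which is a different problem from Meraki rejecting the value.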

