[keycloak-user] Meraki SP

Aaron Echols aechols at bfcsaz.com
Thu Apr 25 20:45:12 EDT 2019


Hi,

I just wanted to see if anyone had any other ideas about this. Thanks! :)
--
Aaron Echols

On Sun, Apr 21, 2019 at 8:26 PM Aaron Echols <aechols at bfcsaz.com> wrote:

> Hello All,
>
> I'm working on adding Meraki as an SP to Keycloak 5.0.0. It requires that
> Keycloak be set up for IdP-initiated SSO, which I've configured. I have
> everything working great, but I'm running into an issue where Keycloak will
> not pass through a SAML attribute using mappers.
>
> Per the docs here:
> https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard
>
> I need to pass a role attribute through that matches what I've set up as
> the SAML Administrator Roles in Meraki. I've done that and have roles
> set up as IT, Management, etc.
>
> In Active Directory the 'department' attribute is set to the role that is
> needed. I've created the federated mapper 'dept' that is mapped to
> 'department' in AD. Users in Keycloak have that attribute populated
> successfully with the correct data.
>
> In the client for Meraki, I've created a mapper named
> 'https://dashboard.meraki.com/saml/attributes/role', set it as a
> 'user property' with a property of 'dept' and a general friendly name, and
> then set the 'SAML Attribute Name' to 'role'.
>
> Looking at the SAML login, this is never passed through at all. The only
> way I can get it to pass a role value of 'IT' is by creating a 'Hardcoded
> Attribute' with an 'Attribute Value' of 'IT' and a mapper name of
> 'https://dashboard.meraki.com/saml/attributes/role'; it will then log in
> successfully to Meraki. There are other groups that will be logging into
> Meraki, otherwise I'd just leave it hardcoded. I get the below in the SAML
> transaction when hardcoding the attribute:
>
> <saml:Attribute
>     FriendlyName="Department"
>     Name="role"
>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>     <saml:AttributeValue
>         xmlns:xs="http://www.w3.org/2001/XMLSchema"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:type="xs:string">IT
> </saml:AttributeValue>
>
> I've never had this issue passing other attributes through before. Can
> anyone let me know if I'm going about this wrong and, if so, what am I
> missing? Thanks :)
> --
> Aaron Echols
>
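A small script for checking a captured Keycloak assertion for the Meraki role attribute, added here as an example and not part of the thread or of Keycloak: the sample assertion is constructed to match the fragment quoted above, and the attribute name "role" and the roles IT and Management are taken from the post. It only inspects the attribute statement; it does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Roles configured as "SAML Administrator Roles" in Meraki, per the post.
EXPECTED_ROLES = {"IT", "Management"}

# Constructed sample mirroring the fragment quoted above (hardcoded mapper case).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="Department" Name="role"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">IT
</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: [values]} from every AttributeStatement.

    Values are stripped because the value text in the quoted fragment is
    followed by a newline before the closing tag."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_meraki_role(assertion_xml: str, attr_name: str = "role") -> tuple:
    """Return (ok, detail): ok only when the attribute is present, has exactly
    one value, and that value is one of the roles configured in Meraki."""
    attrs = extract_attributes(assertion_xml)
    values = attrs.get(attr_name)
    if not values:
        return False, f"attribute {attr_name!r} missing; present: {sorted(attrs)}"
    if len(values) != 1:
        return False, f"attribute {attr_name!r} has {len(values)} values: {values}"
    if values[0] not in EXPECTED_ROLES:
        return False, f"value {values[0]!r} is not a configured Meraki role"
    return True, values[0]


if __name__ == "__main__":
    print(check_meraki_role(SAMPLE_ASSERTION))
```

Running it against an assertion captured from the non-hardcoded mapper shows directly which attribute names the IdP actually emitted, which is the first thing to compare against the name the SP expects.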

