[keycloak-user] SAML Attributes using a general Attribute Importer doesn't work with specific IDP

Kevin Kaminski kevin.kaminski at movingimage.com
Wed Jul 17 08:00:29 EDT 2019


Hello 😊

I am writing the first time to this list so I hope I am doing everything correctly.

But here’s what I need help with:

First of all, we are using Keycloak version 5.0.0 in our company.
I am experimenting a little with the “Attribute Importer” in Keycloak, because I want to receive all SAML attributes that get delivered via the Identity Provider's SAML response, listed in one and the same attribute. And that actually works after I configured the Mapper Type “Attribute Importer”. I can see in Keycloak in my user account > Attributes that all of the attributes are imported (such as groups, name, first name, mail address) and they will be listed in one grouped attribute (not sure if there is another official name for it).

The way I configured the mapper is:

  *   Name: saml_attributes
  *   Mapper Type: Attribute Importer
  *   Attribute Name: empty
  *   Friendly Name: empty
  *   User Attribute Name: saml_attributes


Now I configured a customer IDP (it’s called JOSSO) and I did the exact same configuration of the Attribute Importer. However, Keycloak could not import all SAML attributes.
After investigation I could see the structure of the SAML response is different between both IDPs:

The one that works (ADFS) looks like this:

<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>kevin.kaminski at movingimage.com</AttributeValue>



The one where the importer doesn’t work:

<saml:Attribute FriendlyName="MA_EMAIL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MA_EMAIL">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"


Is it possible that “saml:” is the reason Keycloak can’t properly import it?

Note: In general the “Attribute Importer” works if I configure dedicated mappers for mail, name, etc. I specify these mappers with a Friendly Name.
But this “grouped” import doesn’t work.

I hope I could make clear what my problem is and I hope that someone is able to help.


Many thanks in advance,
Kevin

Kevin Kaminski
IT- Projektmanager

movingimage EVP GmbH
Stralauer Allee 7 | 10245 Berlin – Germany
Tel: +49 (0)30.330 9660.330
Fax: +49 (0)30.330 9660.99
www.movingimage.com
Berlin | Tokyo | San Francisco | New York

Limited liability company based in Berlin
District court Berlin-Charlottenburg | HRB 94436 B
Managing directors: Dr. Rainer Zugehör, Erdal Ahlatci
Board of directors: Daniel Wild, Felix Artmann, Jörg Binnenbrücker, Tim Kindt,
Dr. Dirk Schmücking, Russell Zack


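As an added illustration (not code from this thread or from Keycloak), the script below parses two constructed SAML AttributeStatement fragments modelled on the two shapes quoted above: one with a default namespace and no prefix, one with an explicit saml: prefix, a FriendlyName and a NameFormat. It shows that a namespace-aware XML parser resolves both to the same qualified element names, so the prefix alone is invisible to such a parser, while a naive string match on "<Attribute" does depend on the prefix. The sample values and the helper names are assumptions made for the example; it makes no claim about how Keycloak's own importer parses the response, only about what is and is not a visible difference between the two documents.

```python
"""Compare namespace-aware and naive handling of prefixed vs. unprefixed SAML attributes."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample modelled on the ADFS-style response: default namespace, no prefix,
# attributes identified by Name only (no FriendlyName).
ADFS_STYLE = f"""<AttributeStatement xmlns="{SAML_NS}">
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>user@example.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role">
    <AttributeValue>admins</AttributeValue>
    <AttributeValue>staff</AttributeValue>
  </Attribute>
</AttributeStatement>"""

# Constructed sample modelled on the JOSSO-style response: explicit "saml:" prefix,
# FriendlyName and NameFormat present, xsi-typed value.
JOSSO_STYLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute FriendlyName="MA_EMAIL"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                  Name="MA_EMAIL">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xsi:type="xs:string">user@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def qname(local: str) -> str:
    """Clark-notation qualified name for an element in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{local}"


def qualified_tags(xml_text: str) -> list:
    """All distinct qualified element names in the document, prefix-independent."""
    # For untrusted SAML input use a hardened parser (e.g. defusedxml) instead of
    # xml.etree directly; the samples here are constructed and trusted.
    return sorted({el.tag for el in ET.fromstring(xml_text).iter()})


def parse_attribute_statement(xml_text: str) -> list:
    """Return one dict per Attribute: name, friendly_name, name_format, values."""
    root = ET.fromstring(xml_text)
    if root.tag != qname("AttributeStatement"):
        raise ValueError(f"unexpected root element {root.tag!r}")
    attributes = []
    for attr in root.findall(qname("Attribute")):
        values = [(v.text or "").strip() for v in attr.findall(qname("AttributeValue"))]
        attributes.append(
            {
                "name": attr.get("Name"),
                "friendly_name": attr.get("FriendlyName"),
                "name_format": attr.get("NameFormat"),
                "values": values,
            }
        )
    return attributes


def naive_count_attributes(xml_text: str) -> int:
    """String-level match on '<Attribute': breaks as soon as a prefix is used."""
    return len(re.findall(r"<Attribute\b", xml_text))


def find_attribute(attributes: list, key: str) -> dict:
    """Look an attribute up by either its Name or its FriendlyName (None if absent)."""
    for attr in attributes:
        if key in (attr["name"], attr["friendly_name"]):
            return attr
    return None


if __name__ == "__main__":
    for label, doc in (("ADFS-style", ADFS_STYLE), ("JOSSO-style", JOSSO_STYLE)):
        print(label, "qualified tags:", qualified_tags(doc))
        print(label, "naive '<Attribute' hits:", naive_count_attributes(doc))
        for attr in parse_attribute_statement(doc):
            print("  ", attr)
```

Running it shows the two documents expose exactly the same qualified element names to a namespace-aware parser, while the naive match finds two attributes in the first document and none in the second. That makes the prefix question easy to rule in or out by checking which kind of parsing the consuming component uses; the remaining visible differences between the two shapes are the FriendlyName and NameFormat attributes and the xsi-typed value.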
