[keycloak-user] SAML Attributes using a general Attribute Importer doesn't work with specific IDP

John Dennis jdennis at redhat.com
Wed Jul 17 08:43:54 EDT 2019


On 7/17/19 8:00 AM, Kevin Kaminski wrote:
> Hello 😊
> 
> I am writing the first time to this list so I hope I am doing everything correctly.
> 
> But here’s what I need help with:
> 
> First of all, we are using Keycloak version 5.0.0 in our company.
> I am trying a little bit around with the “Attribute Importer” in Keycloak, because I want to receive all SAML Attributes that get delivered via the Identity Provider's SAML response, listed in one and the same attribute. And that actually works after I configured the Mapper Type “Attribute Importer”. I can see in Keycloak in my user account > Attributes that all of the Attributes are imported (such as groups, name, first name, mail address) and they will be listed in one grouped attribute (not sure if there is another official name for it).
> 
> The way I configured the mapper is:
> 
>    *   Name: saml_attributes
>    *   Mapper Type: Attribute Importer
>    *   Attribute Name: empty
>    *   Friendly Name: empty
>    *   User Attribute Name: saml_attributes
> 
> 
> Now I configured a customer IDP (it’s called JOSSO) and I did the exact same configuration of the Attribute Importer. However, Keycloak could not import all SAML attributes.
> After investigation I could see the structure of the SAML response is different between both IDPs:
> 
> The one that works (ADFS) looks like this:
> 
> <AttributeStatement>
> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
> <AttributeValue>kevin.kaminski at movingimage.com</AttributeValue>
> 
> The one the importer doesn’t work with:
> 
> <saml:Attribute FriendlyName="MA_EMAIL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MA_EMAIL">
> <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

Did you forget to paste the entire xml element into the email, because 
this is not a complete AttributeValue element?

> Is it possible that “saml:” is the reason Keycloak can’t properly import it?

Only if the "saml" namespace tag was not declared earlier via 
xmlns:saml= but then you should have gotten an xml parsing error logged.

My suggestion would be to check the server log for errors and/or paste 
more complete xml from the assertion.

> 
> Note: In general the “Attribute Importer” works if I configure a dedicated mapper for mail, name, etc. I specify these mappers with a Friendly Name.
> But this “grouped” import doesn’t work.
> 
> I hope I could make clear what my problem is and I hope that someone is able to help.


-- 
John Dennis
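As an added example (not from this thread or from Keycloak's code), the check below illustrates the point in the reply above: a namespace-aware parser resolves elements by namespace URI, so an unprefixed `AttributeStatement` under a default SAML namespace and a `saml:`-prefixed one are the same element, while a `saml:` prefix that was never declared via `xmlns:saml=` is a parse error rather than a silently empty attribute list. The two assertions are constructed samples modelled on the ADFS and JOSSO snippets, with a placeholder e-mail address.

```python
# Added example: namespace-aware extraction of SAML attributes.
# Lookup is by namespace URI, so the "saml:" prefix (or its absence) does not matter.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample in the ADFS style: default namespace, no prefix.
ADFS_STYLE = f"""<Assertion xmlns="{SAML_NS}">
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <AttributeValue>user@example.com</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Constructed sample in the JOSSO style: "saml:" prefix declared on the root element.
JOSSO_STYLE = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="MA_EMAIL"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MA_EMAIL">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          >user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample where the prefix is used but never declared: not well-formed XML.
UNDECLARED_PREFIX = """<saml:Assertion>
  <saml:AttributeStatement/>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {Attribute Name: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        result[attr.get("Name")] = values
    return result


def parses_cleanly(assertion_xml):
    """True if the document is well-formed; False on a parse error such as an
    undeclared namespace prefix (the case the reply says would show up in the log)."""
    try:
        ET.fromstring(assertion_xml)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    print(extract_attributes(ADFS_STYLE))
    print(extract_attributes(JOSSO_STYLE))
    print(parses_cleanly(UNDECLARED_PREFIX))
```

Both well-formed samples yield one attribute with the same value; only the sample with the undeclared prefix fails to parse.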