[keycloak-user] SAML Attributes using a general Attribute Importer doesn't work with specific IDP

Kevin Kaminski kevin.kaminski at movingimage.com
Wed Jul 17 10:40:27 EDT 2019


Hi John,

I didn't paste everything on purpose, just wanted to show the difference in the namespace. However, as I am not able to easily check the logs now, I pasted the complete XML below:

Many thanks in advance,
Kevin

Kevin Kaminski
IT Project Manager

movingimage EVP GmbH
Stralauer Allee 7 | 10245 Berlin – Germany
Tel: +49 (0)30.330 9660.330
Fax: +49 (0)30.330 9660.99
www.movingimage.com

Berlin | Tokyo | San Francisco | New York

Limited liability company based in Berlin
District court Berlin-Charlottenburg | HRB 94436 B
Managing directors: Dr. Rainer Zugehör, Erdal Ahlatci
Board of directors: Daniel Wild, Felix Artmann, Jörg Binnenbrücker, Tim Kindt, Dr. Dirk Schmücking, Russell Zack

-------

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:idbus" xmlns:ns6="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns7="urn:org:atricore:idbus:common:sso:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained" Destination="https://auth-evp.movingimage.de/auth/realms/master/broker/uit/endpoint" IssueInstant="2019-07-17T11:42:32.920Z" Version="2.0" InResponseTo="ID_727b483a-4aef-4292-8cc1-d84ad6e11085" ID="idE205227EDA4460">
   <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso-abnahme.movingimage.de/IDBUS/SSO-ABN/VP01-IDP-PROXY/SAML2/MD</saml:Issuer>
   <ds:Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
         <Reference URI="#idE205227EDA4460">
            <Transforms>
               <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>wlATRJxJb8aDoReCV4/c1qJVKtA=</DigestValue>
         </Reference>
      </SignedInfo>
      <SignatureValue>...</SignatureValue>
      <KeyInfo>
         <X509Data>
            <X509Certificate>...</X509Certificate>
         </X509Data>
      </KeyInfo>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <saml:Assertion IssueInstant="2019-07-17T11:42:32.398Z" ID="id0585E4B155E46D" Version="2.0">
      <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso-abnahme.movingimage.de/IDBUS/SSO-ABN/VP01-IDP-PROXY/SAML2/MD</saml:Issuer>
      <ds:Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <Reference URI="#id0585E4B155E46D">
               <Transforms>
                  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </Transforms>
               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
               <DigestValue>ZTBe1/VGMBBtRFNnbzKoihwsiPo=</DigestValue>
            </Reference>
         </SignedInfo>
         <SignatureValue>...</SignatureValue>
         <KeyInfo>
            <X509Data>
               <X509Certificate>...</X509Certificate>
            </X509Data>
         </KeyInfo>
      </ds:Signature>
      <saml:Subject>
         <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">44444-kki</saml:NameID>
         <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="ID_727b483a-4aef-4292-8cc1-d84ad6e11085" Recipient="https://auth-evp.movingimage.de/auth/realms/master/broker/uit/endpoint" NotOnOrAfter="2019-07-17T11:47:32.398Z" />
         </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotOnOrAfter="2019-07-17T11:47:32.398Z" NotBefore="2019-07-17T11:37:32.398Z">
         <saml:AudienceRestriction>
            <saml:Audience>https://auth-evp.movingimage.de/auth/realms/master</saml:Audience>
         </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement SessionNotOnOrAfter="2019-07-17T17:42:32.398Z" SessionIndex="id-253c748e-f363-43ae-84c8-e68a3aef9436" AuthnInstant="2019-07-17T11:42:32.398Z">
         <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
         </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement>
         <saml:Attribute FriendlyName="OI_LOGIN_FAILED" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="OI_LOGIN_FAILED">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">0</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="MA_UUKEY" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MA_UUKEY">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">7F7C1A25638B519AE05402082055A8B5</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="OI_PASSWORT_STATUS" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="OI_PASSWORT_STATUS">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
         </saml:Attribute>
         <saml:Attribute FriendlyName="BA_BLZ" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="BA_BLZ">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">22222222</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="org:atricore:idbus:sso:sp:idpName_proxied" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="org:atricore:idbus:sso:sp:idpName_proxied">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">uitidp01</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="groups">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Mitarbeiter</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="org:atricore:idbus:sso:sp:authnCtxClass_proxied" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="org:atricore:idbus:sso:sp:authnCtxClass_proxied">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="org:atricore:idbus:sso:sp:idpAlias_proxied" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="org:atricore:idbus:sso:sp:idpAlias_proxied">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">https://sso-abnahme.movingimage.com.de/IDBUS/SSO-ABN/UITIDP01/SAML2/MD</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="MA_EMAIL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MA_EMAIL">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">kevin.kaminski at movingimage.com</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="OI_ONLINEMITARBEITERID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="OI_ONLINEMITARBEITERID">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">44444-kki</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="groups">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">iwpilot</saml:AttributeValue>
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Basiszugriff UnionOnline</saml:AttributeValue>
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Mitarbeiter</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="MA_GENOUSERID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MA_GENOUSERID">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
         </saml:Attribute>
         <saml:Attribute FriendlyName="MA_NAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MA_NAME">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Kaminski</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="MA_VORNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MA_VORNAME">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Kevin</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>
</samlp:Response>



On 17.07.19, 14:44, "John Dennis" <jdennis at redhat.com> wrote:

    On 7/17/19 8:00 AM, Kevin Kaminski wrote:
    > Hello 😊
    > 
    > I am writing the first time to this list so I hope I am doing everything correctly.
    > 
    > But here’s what I need help with:
    > 
    > First of all, we are using Keycloak version 5.0.0 in our company.
    > I am experimenting a little with the “Attribute Importer” in Keycloak, because I want to receive all SAML Attributes that get delivered via the Identity Provider's SAML response, listed in one and the same attribute. And that actually works after I configured the Mapper Type “Attribute Importer”. I can see in Keycloak in my user account > Attributes that all of the Attributes are imported (such as groups, name, first name, mail address) and they will be listed in one grouped attribute (not sure if there is another official name for it).
    > 
    > The way I configured the mapper is:
    > 
    >    *   Name: saml_attributes
    >    *   Mapper Type: Attribute Importer
    >    *   Attribute Name: empty
    >    *   Friendly Name: empty
    >    *   User Attribute Name: saml_attributes
    > 
    > 
    > Now I configured a customer IDP (it’s called JOSSO) and I did the exact same configuration of the Attribute Importer. However, Keycloak could not import all SAML attributes.
    > After investigation I could see the structure of the SAML response is different between both IDPs:
    > 
    > The one that works (ADFS) looks like this:
    > 
    > <AttributeStatement>
    > <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    > <AttributeValue>kevin.kaminski at movingimage.com</AttributeValue>
    > 
    > 
    > 
    > The one where the importer doesn’t work:
    > 
    > <saml:Attribute FriendlyName="MA_EMAIL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MA_EMAIL">
    > <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    
    Did you forget to paste the entire xml element into the email, because 
    this is not a complete AttributeValue element?
    
    > Is it possible that “saml:” is the reason Keycloak can’t properly import it?
    
    Only if the "saml" namespace tag was not declared earlier via 
    xmlns:saml= but then you should have gotten an xml parsing error logged.
    
    My suggestion would be to check the server log for errors and/or paste 
    more complete xml from the assertion.
    
    > 
    > Note: In general the “Attribute Importer” works if I configure dedicated mapper for mail, name, etc. I specify these mappers with a Friendly Name.
    > But this “grouped” import doesn’t work.
    > 
    > I hope I could make clear what my problem is and I hope that someone is able to help.
    
    
    -- 
    John Dennis
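
Added example (not part of the thread and not Keycloak code): a namespace-aware parse of two constructed assertions, one in the JOSSO shape with the saml: prefix and one in the ADFS shape with the same namespace declared as the default. It shows what John's reply states, that a namespace-aware parser treats both forms identically, and how xsi:nil values and repeated multi-valued attributes such as groups should be handled so nothing is silently dropped. All attribute values are constructed.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed JOSSO-style assertion: explicit "saml:" prefix, NameFormat basic,
# FriendlyName set, one xsi:nil value and a repeated multi-valued "groups".
JOSSO_STYLE = f"""<saml:Assertion xmlns:saml="{SAML2}" xmlns:xsi="{XSI}">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="MA_EMAIL" Name="MA_EMAIL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>someone@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="MA_GENOUSERID">
      <saml:AttributeValue xsi:nil="true"/>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Mitarbeiter</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>iwpilot</saml:AttributeValue>
      <saml:AttributeValue>Mitarbeiter</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed ADFS-style assertion: same namespace as the default, claim URIs.
ADFS_STYLE = f"""<Assertion xmlns="{SAML2}">
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <AttributeValue>someone@example.com</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""


def collect_attributes(assertion_xml):
    """Return {Name: [values]} for every Attribute in the assertion.

    Elements are matched by {namespace}local-name, so a prefixed
    saml:Attribute and a default-namespaced Attribute are the same thing.
    Repeated Attribute elements with the same Name are merged; xsi:nil
    values are kept as None instead of being dropped.
    """
    root = ET.fromstring(assertion_xml)
    grouped = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name") or attr.get("FriendlyName")
        values = grouped.setdefault(name, [])
        for val in attr.findall(f"{{{SAML2}}}AttributeValue"):
            if val.get(f"{{{XSI}}}nil") == "true":
                values.append(None)
            else:
                values.append((val.text or "").strip())
    return grouped
```

If the prefixed form fails in a real deployment while this parse succeeds, the cause lies in how the importer matches attributes (Name, FriendlyName or NameFormat), not in the "saml:" prefix itself.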
    