[keycloak-user] SAML Attributes using a general Attribute Importer doesn't work with specific IDP

John Dennis jdennis at redhat.com
Wed Jul 17 11:00:40 EDT 2019


On 7/17/19 10:40 AM, Kevin Kaminski wrote:
> Hi John,
> 
> I didn't paste everything on purpose, just wanted to show the difference in the namespace. However, as I

I don't see any problems with the XML. The difference in namespace name 
between any two XML documents is irrelevant as long as the namespace is 
properly defined in the XML document; in this case you can see the 
"saml" namespace is defined in the top Response element:

xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

The only difference I see between the two examples you cited is that in the 
failing case the <Attribute> element includes a NameFormat attribute and 
the <AttributeValue> element contains a type attribute. Both are legal. 
Perhaps Keycloak doesn't know how to deal with these attributes, but if so I 
would expect an error to be logged in the server log. Did you check the 
log? That's as much help as I can offer; perhaps someone with a better 
knowledge of how the Assertion is parsed internally by Keycloak can shed 
more light.


-- 
John Dennis
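
Added example, not part of the original message and not Keycloak's parser: a namespace-aware read of two constructed SAML responses that differ only in the prefix bound to the assertion namespace and in the optional NameFormat / xsi:type attributes. The sample documents, the attribute name "email" and the helper names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed samples (not the documents from the thread): same content, but a
# different prefix for the assertion namespace, plus NameFormat and xsi:type.
PLAIN = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
TYPED = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <a:Assertion><a:AttributeStatement>
    <a:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <a:AttributeValue xsi:type="xs:string">user@example.org</a:AttributeValue>
    </a:Attribute>
  </a:AttributeStatement></a:Assertion>
</p:Response>"""


def read_attributes(xml_text):
    """Return {Name: {"format": NameFormat, "values": [(xsi:type, text), ...]}}."""
    # Constructed input only; untrusted SAML needs a hardened XML parser.
    root = ET.fromstring(xml_text)
    out = {}
    # Match on the namespace URI, never on the prefix string.
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        values = [
            (v.get(f"{{{XSI_NS}}}type"), (v.text or "").strip())
            for v in attr.findall(f"{{{ASSERTION_NS}}}AttributeValue")
        ]
        out[attr.get("Name")] = {"format": attr.get("NameFormat"), "values": values}
    return out


def values_only(parsed):
    """Drop the optional metadata so two documents can be compared by content."""
    return {name: [text for _, text in a["values"]] for name, a in parsed.items()}


if __name__ == "__main__":
    for doc in (PLAIN, TYPED):
        print(read_attributes(doc))
```

Both documents yield the same attribute values; only the optional metadata differs, so a consumer that fails on the second form is reacting to NameFormat or xsi:type rather than to the prefix.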

