[keycloak-user] How do I integrate with a SAML federation

chamila chamila.sujeewa at gmail.com
Tue Jul 30 21:48:18 EDT 2019


Hi,

IIUC I had a similar requirement, described in thread [1], where a SAML
only SP did not support multiple IdPs (in this case, these were different
KeyCloak realms themselves). We arrived at the IdP federation approach
after discussing internally and implemented that successfully, in the
browser flow.

Basically, each realm was added as a separate federated OIDC IdP in a
"broker" realm. A SAML client was created in the broker realm and the SP
was pointed to that. During authentication, the user is shown all the
realms as federated IdP options in the login form, and when selected the
user will be able to authenticate against the required realm. With a set of
mappers associated with each IdP configuration, a well-formed SAML
assertion could be returned to the SP to do role mapping successfully. I
haven't used SATOSA, but from a brief glance it looks like the SAML<->SAML
flow is the same as what KC provides OOTB.

Hope this helps too :)

[1] - https://lists.jboss.org/pipermail/keycloak-user/2019-July/018721.html

Regards,
Chamila
Blog: medium.com/@chamilad
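As an added illustration of the broker-realm layout described above (example written for this page, not code from the original thread or from the Keycloak project): the script below emits a Keycloak realm-import JSON for a "broker" realm that registers each source realm as a federated OIDC identity provider, attaches mappers per IdP, and exposes one SAML client for the SP. The server base URL, realm names, client IDs and secrets, and the SP's entity ID and ACS URL are placeholders; the endpoint layout assumes the pre-Quarkus `/auth/realms/<realm>` path. A `hardening_findings` check flags the settings a reviewer would not want to see in such a realm (unsigned assertions, wildcard redirect URIs, trusting upstream email claims, unvalidated id_token signatures).

```python
"""Build a Keycloak realm-import JSON for an OIDC-to-SAML "broker" realm.

Constructed example; server URL, realm names, client credentials and SP
details below are placeholders, not values from any real deployment.
"""
import json

KC_BASE = "https://kc.example.org/auth"  # assumed base URL (pre-Quarkus layout)


def oidc_endpoints(base, realm):
    """Standard OIDC endpoint layout of a Keycloak realm used as a provider."""
    issuer = f"{base}/realms/{realm}"
    return {
        "issuer": issuer,
        "authorizationUrl": f"{issuer}/protocol/openid-connect/auth",
        "tokenUrl": f"{issuer}/protocol/openid-connect/token",
        "jwksUrl": f"{issuer}/protocol/openid-connect/certs",
    }


def federated_idp(alias, realm, client_id, client_secret, base=KC_BASE):
    """One source realm registered as a federated OIDC IdP in the broker realm."""
    return {
        "alias": alias,
        "displayName": f"Login via {realm}",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,  # never let an upstream realm assert arbitrary emails
        "config": {
            **oidc_endpoints(base, realm),
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            "defaultScope": "openid email profile",
            "validateSignature": "true",  # reject id_tokens not signed by jwksUrl keys
            "useJwksUrl": "true",
        },
    }


def idp_mappers(alias, origin_role):
    """Copy the email claim and stamp a realm role that records which IdP was used."""
    return [
        {"name": f"{alias}-email", "identityProviderAlias": alias,
         "identityProviderMapper": "oidc-user-attribute-idp-mapper",
         "config": {"claim": "email", "user.attribute": "email"}},
        {"name": f"{alias}-origin-role", "identityProviderAlias": alias,
         "identityProviderMapper": "oidc-hardcoded-role-idp-mapper",
         "config": {"role": origin_role}},
    ]


def saml_sp_client(entity_id, acs_url):
    """The SAML client the SP is pointed at; assertions carry email and roles."""
    return {
        "clientId": entity_id,
        "protocol": "saml",
        "enabled": True,
        "redirectUris": [acs_url],  # only the SP's ACS may receive assertions
        "attributes": {
            "saml_assertion_consumer_url_post": acs_url,
            "saml.assertion.signature": "true",
            "saml.client.signature": "true",  # require signed AuthnRequests
            "saml.signature.algorithm": "RSA_SHA256",
            "saml_force_name_id_format": "true",
            "saml_name_id_format": "email",
        },
        "protocolMappers": [
            {"name": "email", "protocol": "saml",
             "protocolMapper": "saml-user-attribute-mapper",
             "config": {"user.attribute": "email", "attribute.name": "mail",
                        "attribute.nameformat": "Basic"}},
            {"name": "roles", "protocol": "saml",
             "protocolMapper": "saml-role-list-mapper",
             "config": {"attribute.name": "Role", "attribute.nameformat": "Basic",
                        "single": "true"}},
        ],
    }


def build_broker_realm(source_realms, sp_entity_id, sp_acs_url):
    """source_realms: {alias: (realm_name, client_id, client_secret)}."""
    idps, mappers = [], []
    for alias, (realm, cid, secret) in source_realms.items():
        idps.append(federated_idp(alias, realm, cid, secret))
        mappers.extend(idp_mappers(alias, f"from-{alias}"))
    realm = {"realm": "broker", "enabled": True, "registrationAllowed": False,
             "identityProviders": idps, "identityProviderMappers": mappers,
             "clients": [saml_sp_client(sp_entity_id, sp_acs_url)]}
    for role in {m["config"]["role"] for m in mappers if "role" in m["config"]}:
        realm.setdefault("roles", {"realm": []})["realm"].append({"name": role})
    return realm


def hardening_findings(realm):
    """Weak settings a reviewer would flag before importing the broker realm."""
    findings = []
    for idp in realm["identityProviders"]:
        if idp["config"].get("validateSignature") != "true":
            findings.append(f"{idp['alias']}: id_token signature not validated")
        if idp.get("trustEmail"):
            findings.append(f"{idp['alias']}: trustEmail accepts upstream email claims")
    for c in realm["clients"]:
        if c["protocol"] != "saml":
            continue
        if c["attributes"].get("saml.assertion.signature") != "true":
            findings.append(f"{c['clientId']}: assertions not signed")
        if any("*" in u for u in c["redirectUris"]):
            findings.append(f"{c['clientId']}: wildcard redirect URI")
    return findings


if __name__ == "__main__":
    # Constructed input: two source realms and one SP, all placeholder values.
    realm = build_broker_realm(
        {"tenant-a": ("tenant-a", "broker-client", "secret-a"),
         "tenant-b": ("tenant-b", "broker-client", "secret-b")},
        "https://sp.example.org/shibboleth",
        "https://sp.example.org/Shibboleth.sso/SAML2/POST")
    print(json.dumps(realm, indent=2))
    print("findings:", hardening_findings(realm))
```

Import the printed JSON via the admin console's realm import (or the admin CLI) and register `broker-client` in each source realm as a confidential OIDC client whose redirect URI is the broker realm's `/broker/<alias>/endpoint`; the `from-<alias>` role lets the SP tell which source realm actually authenticated the user.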



On Mon, Jul 29, 2019 at 8:34 PM Hannah Short <hannah.short at cern.ch> wrote:

> Hi Stephen,
>
> Was just browsing past threads. You’ve probably solved it by now but
> hopefully this helps others!
>
> We are using a SATOSA proxy to integrate with eduGAIN, which acts as an
> Identity Provider to our Keycloak instance:
> https://github.com/IdentityPython/SATOSA
>
> In addition we use PyFF to handle the metadata:
> https://github.com/IdentityPython/pyFF
>
> The benefit of using these tools is because they are maintained by the
> eduGAIN community and natively support many of the quirks found in Identity
> Federations (both technically and in terms of trust and policy).
>
> Cheers,
> Hannah
>
> On 17 Jun 2019, at 14:48, BOOTH Stephen <s.booth at epcc.ed.ac.uk<mailto:
> s.booth at epcc.ed.ac.uk>> wrote:
>
> I'm wanting to configure keycloak to authenticate against a SAML
> federation (externally curated set of IdPs) rather than a single SAML
> IdP. Specifically I want to support eduGAIN.
>
> Is this something that keycloak supports natively? The form for
> configuring a SAML Identity provider appears to assume a single IdP.
>
> If not, does anyone have any suggestions for the best approach to
> bridging a Shibboleth SP into something keycloak can use as an Identity
> provider.
>
> Stephen
>
> --
> ======================================================================
> |epcc| Dr Stephen P Booth             Principal Architect       |epcc|
> |epcc| s.booth at epcc.ed.ac.uk<mailto:s.booth at epcc.ed.ac.uk>          Phone
> 0131 650 5746       |epcc|
> ======================================================================
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
