[keycloak-user] Meraki SP

Aaron Echols aechols at bfcsaz.com
Tue May 21 16:55:23 EDT 2019


I was able to resolve this by mapping global Roles with the appropriate
names to the client scope, disabling full scope and assigning the roles.
They match exactly the name as I use them in Meraki.

I then created a Role Mapper of type Role list. The Role attribute name
is: role, friendly name: Role, SAML Attribute NameFormat: Basic, and I
enabled Single Role Attribute.

I'm able to log in properly now, and the snippet below is what the proper
role attribute looks like in SAML:

<saml:Attribute FriendlyName="Role" Name="role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">IT</saml:AttributeValue>

I was missing the Name="role" part of the attribute with the User
Properties and User Attributes, which broke login. All user roles can now
log in properly to Meraki with the proper rights. :)
--
Aaron Echols

On Thu, Apr 25, 2019 at 5:45 PM Aaron Echols <aechols at bfcsaz.com> wrote:

> Hi,
>
> I just wanted to see if anyone had any other ideas about this. Thanks! :)
> --
> Aaron Echols
>
> On Sun, Apr 21, 2019 at 8:26 PM Aaron Echols <aechols at bfcsaz.com> wrote:
>
>> Hello All,
>>
>> I'm working on adding Meraki as an SP to Keycloak 5.0.0. It requires that
>> Keycloak be set up for IdP-initiated SSO, which I've configured. I have
>> everything working great, but I'm running into an issue where Keycloak will
>> not pass through a SAML attribute using mappers.
>>
>> Per the docs here:
>> https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard
>>
>> I need to pass a role attribute through that matches what I've set up as
>> the SAML Administrator Roles in Meraki. I've done that and have roles
>> set up as IT, Management, etc.
>>
>> In Active Directory the 'department' attribute is set to the role that is
>> needed. I've created the federated mapper 'dept' that is mapped to
>> 'department' in AD. Users in Keycloak have that attribute populated
>> successfully with the correct data.
>>
>> In the client for Meraki, I've created a mapper named
>> 'https://dashboard.meraki.com/saml/attributes/role' and set it as a
>> 'user property' with a property of 'dept' and a general friendly name, and
>> then set the 'SAML Attribute Name' to role.
>>
>> Looking at the SAML login, this is never passed through at all. The only
>> way I can get it to pass a role value of 'IT' is by creating a 'Hardcoded
>> Attribute' with an 'Attribute Value' of 'IT' and a mapper name of
>> 'https://dashboard.meraki.com/saml/attributes/role'; it will then log in
>> successfully to Meraki. There are other groups that will be logging into
>> Meraki, otherwise I'd just leave it hardcoded. I get the below in the SAML
>> transaction when hardcoding the attribute:
>>
>> <saml:Attribute
>>                 FriendlyName="Department"
>>                 Name="role"
>>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>>                 <saml:AttributeValue
>>                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
>>                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                     xsi:type="xs:string">IT
>> </saml:AttributeValue>
>>
>> I've never had this issue passing other attributes through before. Can
>> anyone let me know if I'm going about this wrong and, if so, what am I
>> missing? Thanks :)
>> --
>> Aaron Echols
>>
>
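The thread's fix came down to inspecting the AttributeStatement Keycloak emitted and noticing that the role attribute carried a FriendlyName but no Name="role". The following is an added example, not code from the poster or from Keycloak or Meraki: a small checker that parses an AttributeStatement and reports the same class of problems (missing Name, wrong NameFormat, values that do not match the roles configured on the SP side, padded whitespace). The sample fragments and the role set {IT, Management} are constructed for the example, modelled on the snippets in the thread; the SP role names are whatever you have configured in Meraki.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
NS = {"saml": SAML_NS}

# Role names configured on the SP side (constructed; the thread mentions IT and Management).
MERAKI_ROLES = {"IT", "Management"}

# Constructed sample fragments (not captured traffic), modelled on the thread's snippets.
# Working form: Name="role", basic NameFormat, one string value.
GOOD_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute FriendlyName="Role" Name="role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">IT</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Broken form: FriendlyName set but no Name="role", the misconfiguration described in the thread.
BROKEN_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute FriendlyName="Department"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>IT</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Correct attribute, but the value is not one of the SP's configured roles and is padded.
UNKNOWN_ROLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute FriendlyName="Role" Name="role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>Helpdesk </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def role_values(xml_text, attr_name="role"):
    """Return the stripped values of every <saml:Attribute Name=attr_name>.

    With Keycloak's Single Role Attribute enabled all roles sit under one
    Attribute element; with it disabled each role gets its own element.
    Both layouts are collected here.
    """
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            values.append((val.text or "").strip())
    return values


def check_role_attribute(xml_text, allowed_roles, attr_name="role"):
    """Return a list of findings; an empty list means the statement looks right."""
    root = ET.fromstring(xml_text)
    findings = []
    all_attrs = list(root.iter(f"{{{SAML_NS}}}Attribute"))
    matching = [a for a in all_attrs if a.get("Name") == attr_name]
    if not matching:
        seen = [a.get("FriendlyName") for a in all_attrs]
        findings.append(
            f'no <Attribute Name="{attr_name}"> present (FriendlyNames seen: {seen})')
        return findings
    for attr in matching:
        fmt = attr.get("NameFormat")
        if fmt != BASIC_FORMAT:
            findings.append(f"NameFormat is {fmt!r}, expected {BASIC_FORMAT!r}")
        vals = attr.findall("saml:AttributeValue", NS)
        if not vals:
            findings.append("role attribute carries no AttributeValue")
        for val in vals:
            raw = val.text or ""
            if raw != raw.strip():
                findings.append(f"value {raw!r} has surrounding whitespace")
            if raw.strip() not in allowed_roles:
                findings.append(f"value {raw.strip()!r} is not a configured SP role")
    return findings


if __name__ == "__main__":
    for label, doc in [("good", GOOD_STATEMENT), ("broken", BROKEN_STATEMENT),
                       ("unknown", UNKNOWN_ROLE_STATEMENT)]:
        print(label, role_values(doc), check_role_attribute(doc, MERAKI_ROLES))
```

Feed it the AttributeStatement from a decoded SAML response (a browser SAML tracer or the IdP's debug log) instead of the constructed fragments to confirm the Name, NameFormat and role values before pointing the SP at a new mapper.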

