问题
My setup is:
- EAP 6.4.18
- keycloak-saml adapter
- Third party IdP server (not a keycloak server)
I'm trying to secure one of the web applications inside an EAR. Currently my standalone.xml looks like this:
<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.3">
<secure-deployment name="myapp.war">
<SP entityID="https://mydomain/myapp/" sslPolicy="EXTERNAL" nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" logoutPage="/logout.jsp" forceAuthentication="false" isPassive="false" turnOffChangeSessionIdOnLogin="false">
<Keys>
<Key signing="true" encryption="false">
<KeyStore password="pass" file="/path-to/keyStore.jks">
<PrivateKey alias="sp" password="pass"/>
<Certificate alias="sp"/>
</KeyStore>
</Key>
</Keys>
<IDP entityID="...entityID...">
<SingleSignOnService signRequest="true" validateResponseSignature="true" requestBinding="POST" bindingUrl="...sso dinding..." assertionConsumerServiceUrl="https://mydomain/myapp/saml"/>
<SingleLogoutService validateRequestSignature="true" validateResponseSignature="true" signRequest="true" signResponse="true" requestBinding="POST" responseBinding="POST" postBindingUrl="...slo binding..." redirectBindingUrl="...redirect..."/>
<Keys>
<Key signing="true" encryption="false">
<KeyStore password="pass" file="/path-to/keyStore.jks">
<Certificate alias="idp"/>
</KeyStore>
</Key>
</Keys>
</IDP>
</SP>
</secure-deployment>
</subsystem>
This part works just fine. I'm getting redirected to the IdP and I can login. The problem is that my application roles and the ones returned by the IdP do not match.
How can I configure a role mapping between those 2 so that the user has the correct roles in the session?
Ty.
Note:
I've done something like this with the picketlink subsystem. Below I used a properties file to do such mapping. I thought something similar could be done with the keycloak adapter, but the "keycloak-saml:1.1" schema doesn't seem to have a way to select a security-domain.
<security-domain name="my-realm">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/rolesMapping-roles.properties"/>
<module-option name="replaceRole" value="true"/>
</login-module>
</authentication>
With the picketlink subsystem I could select my security domain and the roles mapping would happen.
<service-provider name="myapp.war" security-domain="my-realm"...
回答1:
This is the configuration I was missing:
<RoleMappingsProvider id="properties-based-role-mapper">
<Property name="properties.file.location" value="/opt/mappers/roles.properties"/>
</RoleMappingsProvider>
The implementation class of "properties-based-role-mapper" is: org.keycloak.adapters.saml.PropertiesBasedRoleMapper
More information here: https://www.keycloak.org/docs/latest/securing_apps/#_saml-general-config
The problem was that I was looking at schema version 1.1 which doesn't provide that option. The version 1.3 does, works perfectly.
I hope this question/answer helps someone out there.
Cheers.
来源:https://stackoverflow.com/questions/60977792/how-to-map-third-party-idp-saml-attributes-to-my-local-application-roles-using-k