Problem description
My setup is:
- EAP 6.4.18
- keycloak-saml adapter
- a third-party IdP server (not a Keycloak server)
I'm trying to secure one of the web applications inside an EAR. Currently my standalone.xml looks like this:
<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.3">
    <secure-deployment name="myapp.war">
        <SP entityID="https://mydomain/myapp/" sslPolicy="EXTERNAL" nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" logoutPage="/logout.jsp" forceAuthentication="false" isPassive="false" turnOffChangeSessionIdOnLogin="false">
            <Keys>
                <Key signing="true" encryption="false">
                    <KeyStore password="pass" file="/path-to/keyStore.jks">
                        <PrivateKey alias="sp" password="pass"/>
                        <Certificate alias="sp"/>
                    </KeyStore>
                </Key>
            </Keys>
            <IDP entityID="...entityID...">
                <SingleSignOnService signRequest="true" validateResponseSignature="true" requestBinding="POST" bindingUrl="...sso binding..." assertionConsumerServiceUrl="https://mydomain/myapp/saml"/>
                <SingleLogoutService validateRequestSignature="true" validateResponseSignature="true" signRequest="true" signResponse="true" requestBinding="POST" responseBinding="POST" postBindingUrl="...slo binding..." redirectBindingUrl="...redirect..."/>
                <Keys>
                    <Key signing="true" encryption="false">
                        <KeyStore password="pass" file="/path-to/keyStore.jks">
                            <Certificate alias="idp"/>
                        </KeyStore>
                    </Key>
                </Keys>
            </IDP>
        </SP>
    </secure-deployment>
</subsystem>
This part works just fine. I'm getting redirected to the IdP and I can log in. The problem is that my application roles and the ones returned by the IdP do not match.
How can I configure a role mapping between those two so that the user has the correct roles in the session?
Ty.
Note:
I've done something like this with the picketlink subsystem. Below I used a properties file to do such mapping. I thought something similar could be done with the keycloak adapter, but the "keycloak-saml:1.1" schema doesn't seem to have a way to select a security-domain.
<security-domain name="my-realm">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/rolesMapping-roles.properties"/>
            <module-option name="replaceRole" value="true"/>
        </login-module>
    </authentication>
</security-domain>
With the picketlink subsystem I could select my security domain and the role mapping would happen.
<service-provider name="myapp.war" security-domain="my-realm"...
Accepted answer
This is the configuration I was missing:
<RoleMappingsProvider id="properties-based-role-mapper">
    <Property name="properties.file.location" value="/opt/mappers/roles.properties"/>
</RoleMappingsProvider>
The implementation class of "properties-based-role-mapper" is: org.keycloak.adapters.saml.PropertiesBasedRoleMapper
More information here: https://www.keycloak.org/docs/latest/securing_apps/#_saml-general-config
The problem was that I was looking at schema version 1.1, which doesn't provide that option. Version 1.3 does, and it works perfectly.
I hope this question/answer helps someone out there.
Cheers.
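An added example, not from the original question or answer and not the Keycloak project's own code: a small Python checker for the roles.properties file that the properties-based-role-mapper reads. The file format (IdP role on the left, comma-separated application roles on the right) follows the linked Keycloak documentation; the sample file, the APP_ROLES set and the assumption that an unmapped IdP role passes through unchanged are constructed for this illustration, so verify that last point against the adapter version you deploy.

```python
import re
from typing import Dict, Iterable, Set

# Constructed sample of a roles.properties file (not from a real deployment):
# IdP-issued role on the left, comma-separated application roles on the right.
SAMPLE_ROLES_PROPERTIES = """\
# IdP role -> application role(s)
idp-admins = app-admin, app-user
idp-users = app-user
idp-auditors: app-readonly
"""

# Roles the WAR declares (constructed; in practice the <security-role> entries of web.xml).
APP_ROLES = {"app-admin", "app-user", "app-readonly"}


def parse_role_mappings(text: str) -> Dict[str, Set[str]]:
    """Parse a Java-properties-style file: 'key=value' or 'key:value', values comma-separated."""
    mappings: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # blank lines and properties comments
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if not match:
            raise ValueError(f"malformed mapping line: {raw!r}")
        idp_role, targets = match.groups()
        mappings[idp_role] = {t.strip() for t in targets.split(",") if t.strip()}
    return mappings


def map_roles(assertion_roles: Iterable[str], mappings: Dict[str, Set[str]]) -> Set[str]:
    """Assumption: a mapped role is replaced by its targets; an unmapped role passes through unchanged."""
    result: Set[str] = set()
    for role in assertion_roles:
        result |= mappings.get(role, {role})
    return result


def dangling_targets(mappings: Dict[str, Set[str]], app_roles: Set[str]) -> Set[str]:
    """Mapping targets the application never declares: they grant nothing and usually indicate a typo."""
    return {t for targets in mappings.values() for t in targets} - app_roles


def passthrough_collisions(mappings: Dict[str, Set[str]], app_roles: Set[str]) -> Set[str]:
    """Application roles an IdP could assert directly because no mapping line rewrites them
    (under the pass-through assumption above); review these before trusting the file."""
    return app_roles - set(mappings)
```

Run dangling_targets and passthrough_collisions against the real file and the WAR's declared roles before deploying a new mapping; both should normally return an empty set.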
(Original question title: How to map third-party IdP SAML attributes to my local application roles using the keycloak-saml adapter)