Unable to get SAML Attribute to Role mapper working in Keycloak - keycloak

I am using Keycloak 14.0.0 and trying to map the groups attribute present in the SAML response to a role. But it doesn't seem to be working. My mappers for firstName and lastName do work, however.
Here is the SAML response to keycloak:
<saml:Attribute Name="groups"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>/j1-general-operator</saml:AttributeValue>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>/j2-general-operator</saml:AttributeValue>
</saml:Attribute>
Here is my mapper:

A slash was getting added before the group name because of a toggle option (for showing the full path) in Keycloak mappers. After changing that toggle, the slash got removed and it started working.
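As an added illustration (not code from the question, the answer, or Keycloak itself), the following Python models the mismatch described above: the attribute values arrive with a leading slash, so a mapper configured with the bare group name never matches. The mapper model in `attribute_to_role` and the `idp_group_values` helper are assumptions built from the behaviour described, not Keycloak's implementation.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed from the attribute in the question (xsi:type decorations dropped).
GROUPS_ATTRIBUTE = """<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue>/j1-general-operator</saml:AttributeValue>
  <saml:AttributeValue>/j2-general-operator</saml:AttributeValue>
</saml:Attribute>"""


def attribute_values(xml_text, name):
    """Collect every AttributeValue of the SAML attribute called `name`."""
    root = ET.fromstring(xml_text)
    # The snippet's root is the Attribute itself; in a full assertion it is nested.
    candidates = [root] + root.findall(".//saml:Attribute", NS)
    return [v.text.strip()
            for a in candidates if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS) if v.text]


def idp_group_values(group_paths, full_group_path):
    """Hypothetical model of the sending side: with the full-path toggle on it
    emits "/j1-general-operator", with it off only the last path segment."""
    return [p if full_group_path else p.rsplit("/", 1)[-1] for p in group_paths]


def attribute_to_role(values, expected_value, role):
    """Model of an 'Attribute to Role' mapper (an assumption modelled on the
    answer): the configured value must equal one attribute value exactly.
    No match means no role; unmatched values are returned so the mismatch is
    visible in logs instead of silently producing an unprivileged user."""
    granted = {role} if expected_value in values else set()
    unmatched = [v for v in values if v != expected_value]
    return granted, unmatched
```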

Related

Apache Knox for SAML2 authentication keeps using NameIDFormat entity instead of what is configured

I am trying to enable SSO capabilities for Apache Zeppelin, using Apache Knox, which is configured to redirect auth requests to a Siteminder IdP.
The issue I am having is related to the NameID format configuration, and the signing configuration.
No matter what I configure in the sp/idp metadata, the NameID format used is
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
And the requests are always being sent with Signed requests set to true.
My SP configuration is as follows:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"/>
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1" isDefault="true" Location="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"/>
</SPSSODescriptor>
I activated a SAML tracer and attempted the logon user journey. The AuthNRequest being sent to the Siteminder IdP based on this configuration looks like this:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"
Destination="https://test-siteminder.com/test/saml2sso"
ForceAuthn="false"
ID="_yp52mio0oj4ho2niijmnnaikgbkid9tnc5h5ear"
IsPassive="false"
IssueInstant="2020-02-17T10:19:24.279Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="pac4j-saml"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
NameQualifier="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"
>https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client</saml2:Issuer>
I can see a signature value in the Parameters section of the request, which is why I'm assuming that the AuthNRequest is signed (though my understanding of this is minimal, so that could be a wrong assumption!).
Can anyone help explain why the NameIDFormat is coming through as entity, as opposed to unspecified?
Does Apache Knox support SAML1 protocols?
Thanks in advance!
You mentioned the NameID format to be urn:oasis:names:tc:SAML:2.0:nameid-format:entity in your post, but in the code you pasted it is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified; just a copy-paste error? It looks like protocolSupportEnumeration is also referencing the SAML 1 protocol. Knox uses Pac4J under the hood, which does not support SAML 1; this might be the reason.

SudsLibrary in Robot Framework: Getting & Setting object attributes

I am working with the SudsLibrary for Robot Framework. Below is the Rq/Rs for the webservice I'm testing. You will also find the Robot Framework info and my comment on what's going on.
REQUEST
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://localhost/ABC/Services/Security/">
<soapenv:Header/>
<soapenv:Body>
<sec:AuthUser>
<sec:userName>MyAdmin</sec:userName>
<sec:password>Password123</sec:password>
</sec:AuthUser>
</soapenv:Body>
</soapenv:Envelope>
RESPONSE
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
...
</soap:Header>
<soap:Body>
<AuthUserResponse xmlns="http://localhost/ABC/Services/Security/">
<AuthTicket>k3l5d9k6-3z53-8765-b512-df09as87</AuthTicket>
</AuthUserResponse>
</soap:Body>
</soap:Envelope>
*** Settings ***
Library    SudsLibrary

*** Test Cases ***
Check App Auth Ticket
    Create Soap Client    http://localhost/Services/Authentication.asmx?wsdl
    ${WSDLobj}    Create Wsdl Object    AuthUser
    Set Wsdl Object Attribute    ${WSDLobj}    userName    MyAdmin
    Set Wsdl Object Attribute    ${WSDLobj}    password    Password123
    ${result}    Call Soap Method    AuthUser    ${WSDLobj}
    Log    Result: ${result}
    # Now get the specific element from the response
    ${AuthVal}    Get Wsdl Object Attribute    ${result}    AuthTicket
    Log    Auth Ticket: ${AuthVal}
Everything is successful in my test case Check App Auth Ticket until I call the SudsLibrary Get Wsdl Object Attribute keyword. The following error occurs: ValueError: Object must be a WSDL object (suds.sudsobject.Object). Why would I get an error when the object is created and is called successfully?
When I print out the ${result} variable, it is the value for AuthVal. However, I want to explicitly extract a specific value / element from the web service response. I have other web service responses that will require me to parse this data for my end-to-end testing.

Is there a method in EWS Managed api similar to Get-CalendarProcessing method in PowerShell?

Using PowerShell I can easily find out the "BookInPolicy" state of a room by executing the command Get-CalendarProcessing -Identity "ROOM_NAME" | Format-List
But the question is performing something like that by using the EWS Managed API.
I spent a lot of time exploring this issue on the internet and unfortunately I found nothing. Is it really possible to do? I hope you can give me some useful advice or a solution.
By using the GetUserConfiguration EWS request you can obtain some of the BookInPolicy information.
E.g. by sending the following request for a meeting room's calendar
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<soap:Header>
<t:RequestServerVersion Version="Exchange2010_SP2"/>
</soap:Header>
<soap:Body>
<m:GetUserConfiguration>
<m:UserConfigurationName Name="Calendar">
<t:DistinguishedFolderId Id="calendar">
<t:Mailbox>
<t:EmailAddress>room@company.com</t:EmailAddress>
</t:Mailbox>
</t:DistinguishedFolderId>
</m:UserConfigurationName>
<m:UserConfigurationProperties>All</m:UserConfigurationProperties>
</m:GetUserConfiguration>
</soap:Body>
</soap:Envelope>
you will obtain a dictionary of information containing (among others) the following two fields
<t:DictionaryEntry>
<t:DictionaryKey>
<t:Type>String</t:Type>
<t:Value>AllBookInPolicy</t:Value>
</t:DictionaryKey>
<t:DictionaryValue>
<t:Type>Boolean</t:Type>
<t:Value>false</t:Value>
</t:DictionaryValue>
</t:DictionaryEntry>
<t:DictionaryEntry>
<t:DictionaryKey>
<t:Type>String</t:Type>
<t:Value>BookInPolicy</t:Value>
</t:DictionaryKey>
<t:DictionaryValue>
<t:Type>StringArray</t:Type>
<t:Value>75480a35-de48-46ad-8378-7c66137de736</t:Value>
<t:Value>498e21e9-1d88-4254-bea0-8d976c3e451d</t:Value>
<t:Value>08ffb1dd-64b8-438f-a924-ac3782975abf</t:Value>
</t:DictionaryValue>
</t:DictionaryEntry>
The downside is that I don't know how to query the IDs received for BookInPolicy.
You can obtain some permission information by using a GetFolder request
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<soap:Header>
<t:RequestServerVersion Version="Exchange2010_SP2"/>
</soap:Header>
<soap:Body>
<m:GetFolder>
<m:FolderShape>
<t:BaseShape>AllProperties</t:BaseShape>
</m:FolderShape>
<m:FolderIds>
<t:DistinguishedFolderId Id="calendar">
<t:Mailbox>
<t:EmailAddress>room@company.com</t:EmailAddress>
</t:Mailbox>
</t:DistinguishedFolderId>
</m:FolderIds>
</m:GetFolder>
</soap:Body>
</soap:Envelope>
and reviewing the returned permission set but I didn't find any way to connect the permission information to the BookInPolicy IDs. (sample permission below)
<t:CalendarPermission>
<t:UserId>
<t:SID>S-1-5-21-799214634-780288877-1039276024-11759</t:SID>
<t:PrimarySmtpAddress>group@company.com</t:PrimarySmtpAddress>
<t:DisplayName>group</t:DisplayName>
</t:UserId>
<t:CanCreateItems>false</t:CanCreateItems>
<t:CanCreateSubFolders>false</t:CanCreateSubFolders>
<t:IsFolderOwner>false</t:IsFolderOwner>
<t:IsFolderVisible>true</t:IsFolderVisible>
<t:IsFolderContact>false</t:IsFolderContact>
<t:EditItems>None</t:EditItems>
<t:DeleteItems>None</t:DeleteItems>
<t:ReadItems>FullDetails</t:ReadItems>
<t:CalendarPermissionLevel>Reviewer</t:CalendarPermissionLevel>
</t:CalendarPermission>
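An added example, not part of the answer above or of any Microsoft library: parse the Dictionary entries from the GetUserConfiguration response into typed Python values so AllBookInPolicy and BookInPolicy can be read programmatically rather than by eyeballing the XML. The fragment is constructed from the two entries shown; only the EWS value types that appear there are decoded.

```python
import xml.etree.ElementTree as ET

T_NS = {"t": "http://schemas.microsoft.com/exchange/services/2006/types"}

# Constructed response fragment containing the two entries shown in the answer.
DICTIONARY_XML = """<t:Dictionary xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <t:DictionaryEntry>
    <t:DictionaryKey><t:Type>String</t:Type><t:Value>AllBookInPolicy</t:Value></t:DictionaryKey>
    <t:DictionaryValue><t:Type>Boolean</t:Type><t:Value>false</t:Value></t:DictionaryValue>
  </t:DictionaryEntry>
  <t:DictionaryEntry>
    <t:DictionaryKey><t:Type>String</t:Type><t:Value>BookInPolicy</t:Value></t:DictionaryKey>
    <t:DictionaryValue><t:Type>StringArray</t:Type>
      <t:Value>75480a35-de48-46ad-8378-7c66137de736</t:Value>
      <t:Value>498e21e9-1d88-4254-bea0-8d976c3e451d</t:Value>
      <t:Value>08ffb1dd-64b8-438f-a924-ac3782975abf</t:Value>
    </t:DictionaryValue>
  </t:DictionaryEntry>
</t:Dictionary>"""


def _decode(typ, values):
    # Only the types present in the answer are interpreted; anything else is
    # kept as the raw list of strings rather than guessed at.
    if typ == "Boolean":
        return values[0].strip().lower() == "true"
    if typ == "String":
        return values[0] if values else ""
    return list(values)  # StringArray and unknown types


def user_configuration_dict(xml_text):
    """Turn every DictionaryEntry into a key -> decoded value mapping."""
    root = ET.fromstring(xml_text)
    out = {}
    for entry in root.findall(".//t:DictionaryEntry", T_NS):
        key = entry.findtext("t:DictionaryKey/t:Value", namespaces=T_NS)
        val = entry.find("t:DictionaryValue", T_NS)
        typ = val.findtext("t:Type", namespaces=T_NS)
        values = [v.text for v in val.findall("t:Value", T_NS) if v.text]
        out[key] = _decode(typ, values)
    return out


def booking_open_to_everyone(config):
    """True when AllBookInPolicy is set; otherwise only the BookInPolicy
    identities are allowed to book in-policy meetings automatically."""
    return bool(config.get("AllBookInPolicy", False))
```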

SAML 2.0 AuthnRequest AudienceRestriction

During an AuthnRequest, is there a case where the AudienceRestriction
<saml:AudienceRestriction>
<saml:Audience>http://serviceprovider.com/</saml:Audience>
</saml:AudienceRestriction>
would be different from the Issuer in the AuthnRequest
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://serviceprovider.com/acs/web/sso/receiveSamlAuthentication"
Destination="http://idp.net/idp/SSOPOST/metaAlias/realm2/IDP"
ID="http://serviceprovider.com/acsdata/data/AcsConfiguration/821212" IssueInstant="2010-08-20T14:48:27.620Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://serviceprovider.com/</saml2:Issuer>
....
</saml2p:AuthnRequest>
The SAML 2.0 Web Browser SSO Profile (from saml-profiles-2.0-os.pdf:566/577):
The assertion(s) containing a bearer subject confirmation MUST contain an AudienceRestriction including the service provider's unique identifier as an Audience
So, it seems as though it should always be the case that they are the same, at least to be conformant to the published profile.
Perhaps if you have one login application at one URL, and a "real" application at a different URL? Maybe not common, but hardly impossible; say, having login functionality over HTTPS and the application over HTTP.
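An added example, not from the question or either answer: the check a service provider should run on the assertion it receives, applying the profile requirement quoted above to the entityID from the question. Both the AuthnRequest and the assertion fragments are constructed; the issuer/audience comparison is exact, so a trailing slash or an http/https difference is treated as a different audience.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AuthnRequest fragment: the Issuer is the SP entityID from the question.
AUTHN_REQUEST = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2010-08-20T14:48:27.620Z">
  <saml2:Issuer>http://serviceprovider.com/</saml2:Issuer>
</saml2p:AuthnRequest>"""

# Constructed assertion answering it; only the Conditions element matters here.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2010-08-20T14:48:30Z">
  <saml:Issuer>http://idp.net/idp</saml:Issuer>
  <saml:Conditions NotBefore="2010-08-20T14:48:25Z" NotOnOrAfter="2010-08-20T14:53:25Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://serviceprovider.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Same shape with no AudienceRestriction at all: must be rejected, not read as "any SP".
UNRESTRICTED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a2" Version="2.0" IssueInstant="2010-08-20T14:48:30Z"><saml:Conditions/></saml:Assertion>"""


def request_issuer(authn_request_xml):
    """The SP's own entityID as it sent it: the value the Audience should repeat."""
    root = ET.fromstring(authn_request_xml)
    return root.findtext("saml:Issuer", namespaces=NS).strip()


def audience_accepted(assertion_xml, sp_entity_id):
    """Accept only if every AudienceRestriction lists sp_entity_id among its Audiences.

    SAML core semantics: several AudienceRestriction elements are ANDed, the Audience
    values inside one element are ORed. The comparison is an exact string match of the
    URI. No AudienceRestriction at all fails closed, since the profile requires one and
    an unrestricted assertion could otherwise be presented to a different SP.
    """
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall(".//saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        return False
    for restriction in restrictions:
        listed = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if sp_entity_id not in listed:
            return False
    return True
```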

How change name in WSDL generated by Zend_Soap_AutoDiscover

I am trying to connect a PHP SOAP server with a client written in C#.
The WSDL is created this way:
$autodiscover = new Zend_Soap_AutoDiscover('Zend_Soap_Wsdl_Strategy_ArrayOfTypeComplex');
$autodiscover->setClass('Soap_Service1');
$autodiscover->handle();
then I receive:
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="http://www.xx.de/soap/version/1"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
targetNamespace="http://www.xx.de/soap/version/1"
name="Soap_Services1"
>
This name="Soap_Services1" attribute parsed in C# looks ugly (Services.Soap_Services1Service). Of course the name is connected with ServiceBinding and PortType. Is there any way to change it without manually hacking the Zend library?
Yes. Just rename your service class ;)
$autodiscover->setClass('CoolServiceName');
will give you
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="http://www.xx.de/soap/version/1"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
targetNamespace="http://www.xx.de/soap/version/1"
name="CoolServiceName"
>
Since you're using the autodiscover / magical soap service creator, you can't override the names it creates as-is.
If you want to do this you can extend Zend_Soap_AutoDiscover and implement your own setClass method that uses your own name choice while generating the wsdl.
All you need to do is rename your service class (the one set by the setClass() call) and you're good.