Support for Keycloak SAML Client creation #326

Closed
ericwyles opened this issue Apr 3, 2024 · 1 comment
Assignees
Labels
enhancement New feature or request

Comments

@ericwyles
Contributor

ericwyles commented Apr 3, 2024

Updates to uds-core to support creation of saml clients in Keycloak, in addition to the existing support for OIDC clients.

Describe the solution you'd like

  • Allow specifying protocol: saml in the sso spec. The protocol field should be optional and restricted to either openid-connect or saml (default to openid-connect)
  • Allow specifying protocol mappers. This is also needed for Keycloak client mappers configuration #305 and there are additional mappers needed for saml.
  • Allow specifying attributes for the client-registration request to keycloak. This should be restricted to an allowed list of attributes, currently the only allowed key is saml.client.signature
  • In the SSO Secret templating, we need to make available the value of keycloak's SAML x509 signing certificate. That value is available in the xml payload here: http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/saml/descriptor and should be fetched programmatically and made available to secret templating.

Describe alternatives you've considered

Considered using OIDC instead but some apps don't support it (sonarqube) and we are going forward with gitlab as well.

Additional context

Below is an example request to the keycloak client-registration endpoint showing everything that is required to configure a saml client for sonarqube; this should illustrate the details listed above.

  {
    "clientId": "sonarqube",
    "name": "sonarqube",
    "redirectUris": [
      "https://sonarqube.uds.dev/oauth2/callback/saml"
    ],
    "webOrigins": [
      "https://sonarqube.uds.dev"
    ],
    "protocol": "saml",
    "attributes": {
      "saml.client.signature": "false"
    },
    "protocolMappers": [
      {
        "name": "Name",
        "protocol": "saml",
        "protocolMapper": "saml-user-property-mapper",
        "consentRequired": false,
        "config": {
          "user.attribute": "Username",
          "attribute.nameformat": "Basic",
          "attribute.name": "name"
        }
      },
      {
        "name": "Email",
        "protocol": "saml",
        "protocolMapper": "saml-user-property-mapper",
        "consentRequired": false,
        "config": {
          "user.attribute": "Email",
          "attribute.nameformat": "Basic",
          "attribute.name": "email"
        }
      },
      {
        "name": "Login",
        "protocol": "saml",
        "protocolMapper": "saml-user-property-mapper",
        "consentRequired": false,
        "config": {
          "user.attribute": "Username",
          "attribute.nameformat": "Basic",
          "attribute.name": "login"
        }
      }
    ],
    "defaultClientScopes": [],
    "optionalClientScopes": []
  }
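As an added example (not code from this issue, from uds-core or from Keycloak), one way to obtain the value the fourth bullet asks for: parse the realm's SAML descriptor and keep only the IdP signing certificate, so that the encryption key is never templated into the SSO secret by mistake. The XML below is a constructed sample in the shape of that descriptor; the certificate bodies are placeholders, and the entityID is assumed.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample mirroring the layout of a realm's
# /protocol/saml/descriptor response; certificate bodies are placeholders.
SAMPLE_DESCRIPTOR = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
  <md:EntityDescriptor entityID="https://sso.example.invalid/realms/uds">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:KeyName>example-key-id</ds:KeyName>
          <ds:X509Data><ds:X509Certificate>
            MIIC...PLACEHOLDER...SIGNING
          </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
            MIIC...PLACEHOLDER...ENCRYPTION
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def extract_signing_certs(descriptor_xml: str) -> list[str]:
    """Return the base64 bodies of every IdP signing certificate, whitespace removed.

    Only KeyDescriptors under IDPSSODescriptor with use="signing" qualify; a
    KeyDescriptor with no use attribute is valid for both uses per the SAML
    metadata spec and is therefore included too. Encryption-only keys are skipped.
    """
    root = ET.fromstring(descriptor_xml)
    certs = []
    for idp in root.iter(f"{{{NS['md']}}}IDPSSODescriptor"):
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))
    return certs


def to_pem(cert_b64: str) -> str:
    """Wrap a bare base64 body as a PEM block, the form most SPs expect in config."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
```

In the operator the descriptor body would be fetched from the in-cluster URL in the issue and passed to extract_signing_certs; returning a list lets templating cope with a realm mid-key-rotation, where two signing certificates are published at once.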
@ericwyles ericwyles added the enhancement New feature or request label Apr 3, 2024
@ericwyles ericwyles self-assigned this Apr 3, 2024
rjferguson21 added a commit that referenced this issue Apr 19, 2024
…operator (#328)

## Description

Add support for saml protocol and attributes and protocolMappers support
for keycloak clients.

## Related Issue
Relates to #326 
Relates to #305

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed

---------

Co-authored-by: Rob Ferguson <rjferguson21@gmail.com>
Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com>
Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>
@ericwyles
Contributor Author

We ended up going a different direction with protocol mappers. Instead of exposing them through the spec here, we built some client scopes that bring mappers with them into the keycloak realm in uds-identity-config. A PR showing this pattern is here: defenseunicorns/uds-identity-config#57

And a client can reference them using the defaultScopes in the spec to get the mappers.
