I am trying to use KeyCloak for developing a Service Provider and authenticating against an OpenAM IDP.

I followed these instructions: http://keycloak.github.io/docs/userguide/saml-client-adapter/html/ch07.html

My problem now is that after being authenticated I cannot get the user data (such as email, username, roles...)

The userPrincipal seems to be of type SamlPrincipal, not KeycloakPrincipal.

Both attributes and friendly attributes are empty.

import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;

import org.keycloak.adapters.saml.SamlPrincipal;
import org.keycloak.KeycloakPrincipal;

@Path("/user")
public class User {

    @GET
    @Path("/")
    @Produces({ MediaType.APPLICATION_JSON })
    @Consumes({ MediaType.APPLICATION_JSON })
    public Object info(@Context SecurityContext context) {

        // With the Keycloak SamlFilter the principal is a SamlPrincipal, not a KeycloakPrincipal
        SamlPrincipal userPrincipal = (SamlPrincipal) context
                .getUserPrincipal();

        Set<String> attributeNames = userPrincipal.getAttributeNames();
        Set<String> friendlyNames = userPrincipal.getFriendlyNames();
        // ... rest of the method omitted in the original; return both sets so the method compiles
        Map<String, Set<String>> result = new LinkedHashMap<String, Set<String>>();
        result.put("attributeNames", attributeNames);
        result.put("friendlyNames", friendlyNames);
        return result;
    }
}

Both attributeNames and friendlyNames are empty sets (size=0).

When I look at the communication between the Keycloak SP and the OpenAM IDP I see a request-response that sends user data:

OpenAM --> KeyCloak user information

How/where can I get this user information from the SamlPrincipal object?

mvermand

2 Answers
In Keycloak, under the client settings, go to the Mappers tab. Create a new property with the name "username" and the mapper type "User Property"; likewise for email, etc. After this you will be able to get the user details in a Java filter. Example in Java:

import java.security.Principal;
import org.keycloak.adapters.saml.SamlPrincipal;

Principal principal = httpReq.getUserPrincipal(); // httpReq: the HttpServletRequest seen by the filter
SamlPrincipal samlPrincipal = (SamlPrincipal) principal;
String userName = samlPrincipal.getFriendlyAttribute("username"); // friendly name configured in the mapper
Sudharasan D
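As an added example (not code from the question or either answer), a JAX-RS resource for the RestEasy plus SamlFilter setup the question describes: it checks the principal type before casting and copies every attribute Name and FriendlyName the IdP sent into a map, so an empty result points straight at the mapper or attribute configuration discussed above. The class name UserInfoResource and the "nameId" key are assumptions.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import org.keycloak.adapters.saml.SamlPrincipal;

@Path("/user")
public class UserInfoResource {

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response info(@Context SecurityContext context) {
        // The SamlFilter installs a SamlPrincipal; an instanceof check avoids a
        // ClassCastException on unauthenticated requests or a mis-wired filter chain.
        if (!(context.getUserPrincipal() instanceof SamlPrincipal)) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        SamlPrincipal principal = (SamlPrincipal) context.getUserPrincipal();
        return Response.ok(collect(principal)).build();
    }

    // Copies every assertion attribute into a map keyed by its Name, then by its
    // FriendlyName where that does not collide. Both name sets stay empty until a
    // mapper (Keycloak side) or attribute map (OpenAM side) puts values in the assertion.
    // This returns everything the IdP sent; trim it to the fields the client needs
    // before exposing such an endpoint in production.
    static Map<String, List<String>> collect(SamlPrincipal principal) {
        Map<String, List<String>> out = new LinkedHashMap<String, List<String>>();
        out.put("nameId", Collections.singletonList(principal.getName())); // "nameId" key is an assumption
        for (String name : principal.getAttributeNames()) {
            out.put(name, principal.getAttributes(name));
        }
        for (String friendly : principal.getFriendlyNames()) {
            if (!out.containsKey(friendly)) {
                out.put(friendly, principal.getFriendlyAttributes(friendly));
            }
        }
        return out;
    }
}
```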

I did the same in the following way: I implemented my own custom user details object, populated its values from the SAML response, mapped each user field into the user object's attributes, and set the same in the Principal of the Spring context.

  1. Create your own custom user details object using the class "mrpSAMLUserDetails".

E.g.

import java.util.ArrayList;
import java.util.List;

import org.apache.log4j.Logger;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

public class mrpSAMLUserDetails implements SAMLUserDetailsService {

    private static Logger logger = Logger.getLogger(mrpSAMLUserDetails.class);

    @Override
    public Object loadUserBySAML(SAMLCredential mrpSAMLCredential)
            throws UsernameNotFoundException {

        logger.info("mrp custom loaduserBySAML Entered");
        boolean enabled = true, accountNONExpired = true, credentialNONExpired = true, accountNONLocked = true;
        // No local password: the user was authenticated at the IdP
        String password = "";

        // The username is taken from the assertion's NameID
        String username = mrpSAMLCredential.getNameID().getValue().toLowerCase();

        // Roles come from the "Role" attribute of the assertion; fall back to a
        // placeholder authority when the IdP sent none
        List<GrantedAuthority> authoritiesList = new ArrayList<GrantedAuthority>();
        String[] roleArray = mrpSAMLCredential.getAttributeAsStringArray("Role");
        if (roleArray == null || roleArray.length == 0) {
            authoritiesList.add(new SimpleGrantedAuthority("mrpnoneROLE"));
        } else {
            for (String tempRole : roleArray) {
                authoritiesList.add(new SimpleGrantedAuthority(tempRole));
            }
        }

        UserDetails mrpuser = new User(username, password, enabled, accountNONExpired,
                credentialNONExpired, accountNONLocked, authoritiesList);

        logger.info("mrp custom loaduserBySAML DONE!!!");

        return mrpuser;
    }
}
  2. Configure "mrpSAMLUserDetails" in your spring-security.xml file like so:

    <!-- the SAMLAuthenticationProvider bean; its id here is illustrative -->
    <bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
        <property name="userDetails" ref="mrpcustomuser" />
        <property name="forcePrincipalAsString" value="false"/>
    </bean>
    <bean id="mrpcustomuser" class="com.mrp.sso.security.mrpSAMLUserDetails" />

After this change you can access email, username, role, etc. from the Spring Security Principal object.

meetarun
  • Thanks for your response, but we are not using Spring... just JAX-RS (RestEasy) on a JBoss WildFly and the org.keycloak.adapters.saml.servlet.SamlFilter. – mvermand Jun 01 '16 at 12:15