Keycloak SAML adapter: attributes to roles mapping

Hello,

my SAML IDP returns a list of user roles under the attribute “roles” in the SAML response. It appears “roles” is not the standard attribute name for role information (the standard being “Role”?), and the roles listed in the SAML response are not mapped into Principal roles by the adapter.

Is there a way I can define my custom role mapping on the adapter / application side, without modifying the IDP behaviour?

I’m using the Keycloak SAML adapter in EAP.

The problem manifests as follows: if I define any role in the web.xml constraint:

    <security-constraint>
        ...
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    ...
    <security-role>
        <role-name>user</role-name>
    </security-role>

the user is not authorized to access the restricted resource. If I allow any role in the constraint:

    <auth-constraint>
        <role-name>**</role-name>
    </auth-constraint>

then the access is permitted.
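The behaviour described above is consistent with the adapter only turning the SAML attribute named “Role” into Java EE roles by default: `**` in a Servlet 3.1 `<auth-constraint>` grants access to any authenticated user regardless of roles, so it works even though the user ends up with no roles. The Keycloak SAML adapter's `keycloak-saml.xml` lets the application declare which assertion attributes carry roles via the `<RoleIdentifiers>` element under `<SP>`. The following is an added example that is not from the original post or the Keycloak project; the entity IDs, URLs and key values are placeholders, and the IDP is assumed to send the roles as multiple values of one attribute named “roles”:

```xml
<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter">
    <!-- Hypothetical SP settings; replace entityID and logoutPage with your own. -->
    <SP entityID="https://app.example.com/saml"
        sslPolicy="EXTERNAL"
        nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        logoutPage="/logout.html"
        forceAuthentication="false"
        isPassive="false">

        <!-- Principal name taken from the NameID of the assertion (default behaviour). -->
        <PrincipalNameMapping policy="FROM_NAME_ID"/>

        <!-- Without this element the adapter only converts the attribute named "Role".
             Listing "roles" here makes every value of the IDP's "roles" attribute a
             Java EE role, so <role-name>user</role-name> in web.xml can match.
             "Role" is kept as well so a standards-conforming IDP still works. -->
        <RoleIdentifiers>
            <Attribute name="roles"/>
            <Attribute name="Role"/>
        </RoleIdentifiers>

        <!-- Hypothetical IDP settings; the signing certificate is a placeholder. -->
        <IDP entityID="https://idp.example.com/saml"
             signaturesRequired="true"
             signatureAlgorithm="RSA_SHA256">
            <SingleSignOnService requestBinding="POST"
                                 bindingUrl="https://idp.example.com/saml/sso"
                                 validateResponseSignature="true"
                                 validateAssertionSignature="true"/>
            <SingleLogoutService requestBinding="POST"
                                 responseBinding="POST"
                                 postBindingUrl="https://idp.example.com/saml/slo"
                                 redirectBindingUrl="https://idp.example.com/saml/slo"/>
            <Keys>
                <Key signing="true">
                    <CertificatePem>
                        MIIC...placeholder-idp-signing-certificate...
                    </CertificatePem>
                </Key>
            </Keys>
        </IDP>
    </SP>
</keycloak-saml-adapter>
```

Two things are worth checking before relying on this. First, the attribute name must match exactly what the IDP puts in the assertion's `<saml:Attribute Name="...">`; if the IDP sends a URI-style name, use that full string. Second, keep `validateResponseSignature`/`validateAssertionSignature` enabled whenever roles are derived from assertion attributes, since an unsigned assertion would let anyone who can post to the ACS URL choose their own roles.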