SAML response Role Attribute containing (unexpected?) AttributeValue roles

Hi all,

I’m using Keycloak 9.0.2 and trying to set up SSO for AWS using the SAML client protocol.
I’ve configured a SAML aws client, a role for this client and a few mappers.
But if I configure a mapper of type Role List as in the pic below:

I am seeing all realm roles in the SAML response being mapped, e.g. SAML response:

<saml:Attribute FriendlyName="Session Role" Name="https://aws.amazon.com/SAML/Attributes/Role"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
        manage-events
    </saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
        manage-realm
    </saml:AttributeValue>
...
</saml:Attribute>

I was expecting that only the roles for this client would be mapped. Am I doing something wrong, or is this expected?

My guess is you have enabled realm roles.
The Role List mapper is the wrong approach, because you need those roles in the specific format. A Scripted mapper will be a better option. See

I have a Role Name Mapper which is mapping the needed role in that specific format correctly, but I will try your suggestion, ty

That’s interesting. Where did you store your roles in that specific AWS format? LDAP, Keycloak?

A Scripted mapper doesn’t help you with unwanted roles. You need to have realm roles disabled (Full Scope Allowed: Off); maybe they are defined/assigned as client roles.
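A check a defender can run against a captured SAML response to spot realm roles leaking into the AWS Role attribute, as happened in the thread above. This is an added example, not code from the thread or from Keycloak; the AWS account id, role and provider names are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# AWS expects every value of the Role attribute to be "<role ARN>,<SAML provider ARN>"
# (either order). Anything else, e.g. a bare Keycloak realm role name, is a sign that
# the client is over-scoped (Full Scope Allowed: On) or a mapper is misconfigured.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")

# Constructed sample: the two leaked realm roles seen in the thread plus one
# correctly formatted AWS role pair (placeholder account id 123456789012).
SAMPLE_RESPONSE = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="Session Role" Name="{AWS_ROLE_ATTR}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>manage-events</saml:AttributeValue>
      <saml:AttributeValue>
          manage-realm
      </saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/KeycloakAdmin,arn:aws:iam::123456789012:saml-provider/Keycloak</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def role_attribute_values(xml_text):
    """Return the stripped AttributeValue strings of the AWS Role attribute."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            values.append((val.text or "").strip())
    return values


def is_aws_role_pair(value):
    """True if value is a role ARN and a SAML provider ARN separated by a comma."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return False
    a, b = parts
    return bool((ROLE_ARN.match(a) and PROVIDER_ARN.match(b))
                or (ROLE_ARN.match(b) and PROVIDER_ARN.match(a)))


def unexpected_roles(xml_text):
    """Values in the Role attribute that AWS cannot use, i.e. leaked realm roles."""
    return [v for v in role_attribute_values(xml_text) if not is_aws_role_pair(v)]
```

Run `unexpected_roles` over an assertion captured from the browser (or from Keycloak's SAML debug logging); a non-empty result means realm roles are still being released to the AWS client.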

> That’s interesting. Where did you store your roles in that specific AWS format? LDAP, Keycloak?

I’ve stored it in the Role Name Mapper, so in Keycloak. I had one custom Role which I’ve connected to this mapper. I know it's hackish, but I just wanted to make it work somehow. But anyhow, as I do need to create roles based on LDAP groups, your suggestion of a scripted mapper was what I needed.

> A Scripted mapper doesn’t help you with unwanted roles. You need to have realm roles disabled (Full Scope Allowed: Off); maybe they are defined/assigned as client roles.

That was indeed the issue with the unwanted roles.

Thank you for the help!