Shibboleth SAML onlyIfRequired attributes

Hi,

We have connected our Keycloak to our organisation's Shibboleth IdP for SSO, and now we can log in and create users with the released attributes from our IdP.

Unfortunately, as a "best practice" the IdP only releases some attributes by default, and all other attributes are only released "if required" (onlyIfRequired) in the IdP.
I have added some attributes as requested but cannot find out whether it is possible to add isRequired="true"?

Part of the metadata from Keycloak:

<md:AttributeConsumingService index="1" isDefault="true">
  <md:ServiceName xml:lang="en">HiG KeyCloak Kubtest</md:ServiceName>
  <md:RequestedAttribute FriendlyName="norEduPersonNIN" Name="norEduPersonNIN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <md:RequestedAttribute FriendlyName="higPrimaryAffiliation" Name="higPrimaryAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <md:RequestedAttribute FriendlyName="cn" Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <md:RequestedAttribute FriendlyName="mail" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <md:RequestedAttribute FriendlyName="givenName" Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <md:RequestedAttribute FriendlyName="higAffiliation" Name="higAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <md:RequestedAttribute FriendlyName="sn" Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</md:AttributeConsumingService>

Is it possible to require attributes from a SAML IdP?

Hi,
It depends on what you intend to do. If you set "isRequired" to true, it indicates that the service requires the corresponding SAML attribute in order to function at all. Not setting this value will allow the service to work no matter the value received.
There is currently an open issue on Keycloak's GitHub to get this value set to false in Keycloak's metadata: GitHub issue

Did you have the possibility to test the configuration you've added to your question?
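Since Keycloak's exported metadata does not carry the isRequired flag, one way to see (or set) which RequestedAttributes an SP declares as required before registering the metadata with the IdP is to post-process the XML. The script below is an added example for this thread, not Keycloak's or Shibboleth's own code; the sample metadata is a constructed, trimmed copy of the AttributeConsumingService from the question, and the entityID is made up.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # keep the md: prefix on output

# Constructed sample: trimmed AttributeConsumingService from the question, no isRequired set.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://keycloak.example.org/realms/test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1" isDefault="true">
      <md:ServiceName xml:lang="en">HiG KeyCloak Kubtest</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
      <md:RequestedAttribute FriendlyName="mail" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
      <md:RequestedAttribute FriendlyName="sn" Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def required_attributes(metadata_xml: str) -> list[str]:
    """Names of the RequestedAttributes the SP metadata marks isRequired="true"."""
    root = ET.fromstring(metadata_xml)
    return sorted(
        ra.get("Name")
        for ra in root.iter(f"{{{MD_NS}}}RequestedAttribute")
        if ra.get("isRequired", "false").lower() == "true"
    )


def mark_required(metadata_xml: str, required: set[str]) -> str:
    """Return the metadata with isRequired="true" on the named RequestedAttributes.

    Fails loudly if a name is not requested at all, so a typo cannot leave an
    attribute silently unflagged (and therefore withheld by an onlyIfRequired IdP).
    """
    root = ET.fromstring(metadata_xml)
    seen = set()
    for ra in root.iter(f"{{{MD_NS}}}RequestedAttribute"):
        name = ra.get("Name")
        seen.add(name)
        if name in required:
            ra.set("isRequired", "true")
    missing = required - seen
    if missing:
        raise ValueError(f"not requested in metadata: {sorted(missing)}")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = mark_required(SAMPLE_METADATA, {"eduPersonPrincipalName", "mail"})
    print(required_attributes(updated))  # ['eduPersonPrincipalName', 'mail']
```

On the Shibboleth side, this flag is what the saml:AttributeInMetadata matcher with onlyIfRequired="true" keys off when deciding whether to release an attribute to the SP.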

Hi, thanks for the reply and the link to the GitHub issue.
Yes, I tested the configuration, but I did not get all the attributes I required, only the default ones, so as a workaround the Shibboleth IdP had to add an exception to send all the attributes to the Keycloak SP.