Hello,
I followed the guide for using keycloak as an IDP for amazon. https://scandiweb.com/blog/sign-in-to-amazon-aws-using-saml-protocol-and-keycloak-as-identity-provider
Worked perfectly for keycloak version 9.
I just upgraded to keycloak 10.0.1,
Now I can not add the roles anymore.
The role char check does not allow “:” anymore.
Role syntax is “arn:aws:iam::aws_acct_id:role/aws_iam_saml_role,arn:aws:iam:aws_acct_id:saml-provider/aws_iam_saml_idp”
Why was this restriction introduced ?
Has anyone an idea how to get around this restriction ?
Thanks for your input.
yes, i followed more or less the advice, and created my own javascript mapper for the role, which is mapping keycloak groups to the aws roles.
(adjust the javascript as needed, especially the ARN for the provider)
the keycloak group name, which are mapped to the aws roles are in the pattern:
aws-<<accountnumber>>-<<rolename>>
Best regards Andreas
Name: Session Role
Mapper Type: Javascript Mapper
Script:
// use the Identifier variable to filter the relevant groups for this client
var identifierRegEx = "aws-([0-9]+-).*";
var StringArray = Java.type("java.lang.String[]");
var ArrayList = Java.type('java.util.ArrayList');
var GroupSet = user.getGroups();
var Output = new ArrayList();
for each (var group in GroupSet) {
var groupName=group.getName().toLowerCase();
if ( groupName.match(identifierRegEx)){
rolepattern =groupName.substring(4);
var separatorsplit=rolepattern.indexOf("-");
var tenant=rolepattern.substring(0,separatorsplit);
var role=rolepattern.substring(separatorsplit+1,rolepattern.length);
Output.add("arn:aws:iam::"+tenant+":role/"+role+",arn:aws:iam::"+tenant+":saml-provider/zeb-idp-saml2-provider");
}
}
Output;