Using keycloak to load rules by trusted username


I have a special setup with a present identity provider which is still needed but I want to enrich my setup by keycloak. This has some legacy reasons.

I guess the picture below makes the issue easier to understand:

In the current (red) situation we have an IDP and request proxy which enriches the request with a saml2 token and authentifaces the user.

I want to extend that “setup” by the roles in keycloak since present IDP cannot do this. Later on, present IDP should be replaced. Can you give me an advice how to solve my “green” scenario?

I trust the username with in the saml2 token.

I want to get the roles from keycloak and check it in my backend

I want to get the roles from keycloak and create and access token with it for further client requests

You trust the username from the SAML token. Why you can’t trust also roles details from the SAML token? You are adding complexity, additional latency and additional Keycloak load. It looks like overengineered setup for me.

Thanks for your reply - there are no role details provided for some reasons. So i want to introduce them with keycloak. I know it looks too complex but this is the given case I cannot change.

Role details are not provided in the SAML token, because you didn’t configure it properly in the Keycloak. Make sure used Keycloak user has role assigned + used SAML client has role mapper configured. Use also SAML tracer extension in your favorite browser to inspect SAML response from the Keycloak - maybe your black box with the name “request proxy” doesn’t “forward” those role details.

I know what you mean but this is not the case.
The “IDP + Request” proxy is one legacy system i cannot change nor configure. It provides a SAML token without roles. And this is not a keycloak system.

I want to use the username from the saml token, and load additional the roles from the new keycloak system.

OMG got it. Super mighty IDP is only for authentication and Keycloak will provide roles for authorization only. I would say you need to implement Keycloak admin API client in your backend and use it to obtain user roles based on the username. Actually, it will be a few calls and one of them will be GET /{realm}/users/{id}/role-mappings - Keycloak Admin REST API