Keycloak

saml-role-mappings-spi.adoc

[[_saml_role_mappings_spi]]
== SAML role mappings SPI

{project_name} defines an SPI for mapping SAML roles into roles that exist in the SP environment. The roles returned by
a third-party IDP might not always correspond to the roles that were defined for the SP application, so there is a need for a
mechanism that allows mapping the SAML roles into different roles. It is used by the SAML adapter after it extracts the roles
from the SAML assertion to set up the container's security context.

The `org.keycloak.adapters.saml.RoleMappingsProvider` SPI doesn't impose any restrictions on the mappings that can be performed.
Implementations can not only map roles into other roles but also add or remove roles (and thus augment or reduce the set of
roles assigned to the SAML principal) depending on the use case.

For details about the configuration of the role mappings provider for the SAML adapter, as well as a description of the default
implementations available, see the link:{adapterguide_link}[{adapterguide_name}].

=== Implementing a custom role mappings provider

To implement a custom role mappings provider, one first needs to implement the `org.keycloak.adapters.saml.RoleMappingsProvider`
interface. Then, a `META-INF/services/org.keycloak.adapters.saml.RoleMappingsProvider` file containing the fully qualified name
of the custom implementation must be added to the archive that also contains the implementation class. This archive can be:

* The SP application WAR file, where the provider class is included in WEB-INF/classes;
* A custom JAR file which will be added into WEB-INF/lib of the SP application WAR;
* (WildFly/JBoss EAP only) A custom JAR file configured as a `jboss module` and referenced in `jboss-deployment-structure.xml`
  of the SP application WAR.

When the SP application is deployed, the role mappings provider that will be used is selected by the id that was set in
`keycloak-saml.xml` or in the `keycloak-saml` subsystem. So to enable your custom provider, simply make sure that its id is
properly set in the adapter configuration.
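As an added example (not code from the Keycloak project), the following provider maps IdP roles to SP roles through an explicit allow-list and drops everything else, so only roles the SP actually defined reach the container's security context. It assumes the interface's `getId()`, `init(SamlDeployment, ResourceLoader, Properties)` and `map(String, Set<String>)` methods and the `ResourceLoader` import path shown; the package name, provider id and the `idp.role.*` property convention are made up for the example.

```java
package com.example.saml; // hypothetical package name

import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import org.keycloak.adapters.saml.RoleMappingsProvider;
import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.config.parsers.ResourceLoader; // package assumed, check your version

/**
 * Allow-list role mapper (added example, not Keycloak's own code): IdP roles pass
 * through an explicit table and anything not in it is dropped, so a role the SP
 * never defined can't reach the container's security context just because the
 * IdP asserted it. Register it by listing com.example.saml.AllowListRoleMappingsProvider
 * in META-INF/services/org.keycloak.adapters.saml.RoleMappingsProvider.
 */
public class AllowListRoleMappingsProvider implements RoleMappingsProvider {
    // IdP role name -> SP role name, filled from the provider's properties in init().
    private final Map<String, String> idpToSp = new HashMap<>();

    @Override
    public String getId() {
        // The id you reference from keycloak-saml.xml or the keycloak-saml subsystem.
        return "allow-list-role-mapper";
    }
    @Override
    public void init(SamlDeployment deployment, ResourceLoader loader, Properties config) {
        // Constructed convention for this example: properties named idp.role.<IdPRole>=<SPRole>.
        final String prefix = "idp.role.";
        for (String key : config.stringPropertyNames()) {
            if (key.startsWith(prefix)) {
                idpToSp.put(key.substring(prefix.length()), config.getProperty(key).trim());
            }
        }
    }
    @Override
    public Set<String> map(String principalName, Set<String> roles) {
        Set<String> mapped = new HashSet<>();
        if (roles == null) return mapped; // nothing asserted: principal gets no roles (fail closed)
        for (String idpRole : roles) {
            String spRole = idpToSp.get(idpRole);
            if (spRole != null && !spRole.isEmpty()) {
                mapped.add(spRole); // unmapped IdP roles are discarded, never passed through
            }
        }
        return mapped;
    }
}
```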
