Keycloak
[[_saml_role_mappings_spi]]
== SAML role mappings SPI

{project_name} defines an SPI for mapping SAML roles into roles that exist in the SP environment. The roles returned by
a third-party IDP do not always correspond to the roles defined for the SP application, so a mechanism is needed that
maps the SAML roles into different roles. The SAML adapter invokes the provider after it extracts the roles from the
SAML assertion and uses the provider's output to set up the container's security context.

The `org.keycloak.adapters.saml.RoleMappingsProvider` SPI doesn't impose any restrictions on the mappings that can be performed.
Implementations can not only map roles into other roles but also add or remove roles (and thus augment or reduce the set of
roles assigned to the SAML principal) depending on the use case. Because the returned set becomes the principal's effective
roles, a provider that passes unrecognised IDP roles through unchanged, or adds roles unconditionally, grants those
privileges to every authenticated principal; treat the mapping as an authorization decision and keep it explicit.

For details about the configuration of the role mappings provider for the SAML adapter as well as a description of the default
implementations available see the link:{adapterguide_link}[{adapterguide_name}].
=== Implementing a custom role mappings provider

To implement a custom role mappings provider, first implement the `org.keycloak.adapters.saml.RoleMappingsProvider`
interface. Then add a `META-INF/services/org.keycloak.adapters.saml.RoleMappingsProvider` file containing the fully qualified
name of the custom implementation (the standard Java `ServiceLoader` layout) to the archive that also contains the
implementation class. This archive can be:

* The SP application WAR file where the provider class is included in `WEB-INF/classes`;
* A custom JAR file which will be added into `WEB-INF/lib` of the SP application WAR;
* (WildFly/JBoss EAP only) A custom JAR file configured as a `jboss module` and referenced in `jboss-deployment-structure.xml`
of the SP application WAR.

When the SP application is deployed, the role mappings provider that will be used is selected by the id that was set in
`keycloak-saml.xml` or in the `keycloak-saml` subsystem. To enable your custom provider, make sure the id configured in the
adapter matches the id your implementation reports; if no provider with that id is found on the classpath, the deployment
cannot use your mapping.
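The following is an added example of a custom provider, not code from the {project_name} project. It implements an
allow-list mapper: each IDP role is translated through an explicit table, roles the SP does not know are dropped, and an
optional set of roles is granted to every authenticated principal. The interface methods (`getId`, `init`, `map`) and the
`SamlDeployment` and `ResourceLoader` types are those of the adapter as shipped in recent {project_name} versions; they are
not listed on this page, so verify them against the adapter version you build against. The package name, the provider id
`allow-list-role-mapper` and the property names `map.<idp-role>` and `add.always` are assumptions made for this example.

```java
package com.example.saml; // hypothetical package, not part of Keycloak

import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import org.keycloak.adapters.saml.RoleMappingsProvider;
import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.config.parsers.ResourceLoader;

/**
 * Allow-list role mapper (example, not a Keycloak default implementation).
 *
 * Configuration is read from the adapter's provider properties (assumed to be
 * the <Property> elements nested in <RoleMappingsProvider> in keycloak-saml.xml):
 *
 *   map.<idp-role> = sp-role1,sp-role2   translate one IDP role into SP roles
 *   add.always     = sp-roleA,sp-roleB   roles granted to every principal
 *
 * Any IDP role without a "map." entry is discarded, so the IDP cannot inject
 * SP roles that were never configured here.
 */
public class AllowListRoleMappingsProvider implements RoleMappingsProvider {

    public static final String ID = "allow-list-role-mapper"; // must match the id in keycloak-saml.xml

    private static final String MAP_PREFIX = "map.";
    private static final String ALWAYS_PROPERTY = "add.always";

    private final Map<String, Set<String>> idpToSp = new HashMap<>();
    private final Set<String> always = new HashSet<>();

    @Override
    public String getId() {
        return ID;
    }

    @Override
    public void init(SamlDeployment deployment, ResourceLoader loader, Properties config) {
        idpToSp.clear();
        always.clear();
        if (config == null) {
            return; // no table configured: map() will strip every IDP role
        }
        for (String name : config.stringPropertyNames()) {
            String value = config.getProperty(name, "").trim();
            if (name.startsWith(MAP_PREFIX)) {
                String idpRole = name.substring(MAP_PREFIX.length()).trim();
                if (!idpRole.isEmpty()) {
                    idpToSp.put(idpRole, splitRoles(value));
                }
            } else if (ALWAYS_PROPERTY.equals(name)) {
                always.addAll(splitRoles(value));
            }
        }
    }

    @Override
    public Set<String> map(String principalName, Set<String> roles) {
        // Start from the unconditional grants, then add only translated roles.
        Set<String> result = new HashSet<>(always);
        if (roles != null) {
            for (String idpRole : roles) {
                Set<String> mapped = idpToSp.get(idpRole);
                if (mapped != null) {
                    result.addAll(mapped);
                }
                // Unknown IDP roles fall through here and are intentionally dropped.
            }
        }
        return Collections.unmodifiableSet(result);
    }

    /** Splits a comma-separated list into trimmed, non-empty role names. */
    private static Set<String> splitRoles(String csv) {
        Set<String> out = new HashSet<>();
        for (String part : csv.split(",")) {
            String role = part.trim();
            if (!role.isEmpty()) {
                out.add(role);
            }
        }
        return out;
    }
}
```

To wire it in, the `META-INF/services/org.keycloak.adapters.saml.RoleMappingsProvider` file in the same archive contains the
single line `com.example.saml.AllowListRoleMappingsProvider`, and the adapter configuration selects the provider with id
`allow-list-role-mapper` and supplies the `map.*` and `add.always` properties. With `map.idp-admin` set to
`admin,auditor` and `add.always` set to `user`, a principal arriving with the IDP roles `idp-admin` and `unknown-role` ends
up with exactly `admin`, `auditor` and `user`. The design choice worth copying is that the default for an unmapped role is
denial: an IDP that starts emitting new role names cannot acquire SP privileges until an operator adds a mapping.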