Status: Closed
Affects Version/s: 10.0.2
Fix Version/s: None
There is a bug in Keycloak where, when building a SAML response, a user-defined attribute using the Role List Mapper is ignored. A role mapper with the default values is used instead.
I have configured a SAML client in Keycloak to authenticate to AWS. When making use of it, AWS responded with:
AWS documentation points to a missing attribute that specifies the roles of the user and that needs to have the name "https://aws.amazon.com/SAML/Attributes/Role". This is weird, as I have configured the attribute mappers, one of which is the roles one with the right name.
By inspecting the SAML response sent to AWS I was able to confirm that the roles were indeed being sent, but with the wrong attribute name as well as a missing "Friendly Name":
After diving into the Keycloak source code and remotely (painfully slow) debugging the Keycloak test instance, I was able to pinpoint where a fix could be applied to correct this behaviour. After that, the proper SAML response is sent:
Apparently the function call to "ProtocolMapperUtils.getSortedProtocolMappers" in "SamlProtocol.java:425" always returns an extra role list mapper with default values. This means that even though the user-configured role list mapper is in the list of mappers, it gets overwritten by the one with default values in "SamlProtocol.java:436".
The fix I implemented is to ensure that if the "roleListMapper" variable had already been set, it is not overwritten. I don't know enough of Keycloak's source code (first time playing with it) to understand why the extra role mapper was being added even though one is already configured. Maybe a better fix is to allow multiple role list mappers (same as for attribute mappers).
I have created a GitHub PR with the purported fix.
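As an added check for the symptom described in this report (this is example code, not part of the report, the PR or Keycloak itself), the script below decodes a base64 SAMLResponse, lists the attributes in its AttributeStatement and reports whether the role attribute carries the name "https://aws.amazon.com/SAML/Attributes/Role" and a FriendlyName. The sample responses it builds, the attribute name "Role" used for the broken case, the role ARN and the account id are all constructed fixtures, and the script inspects attribute names only; it does not validate signatures.

```python
"""Check a SAML response for the AWS role attribute the client should emit.

Added example for the Keycloak role list mapper issue; not Keycloak code.
Assumes the input is the base64-encoded XML a browser POSTs as SAMLResponse.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute name AWS requires for the role list (from the report above).
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


def saml_attributes(saml_response_b64: str) -> dict:
    """Map attribute Name -> (FriendlyName or None, [values]) across all AttributeStatements."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = (attr.get("FriendlyName"), values)
    return attrs


def check_aws_role_attribute(saml_response_b64: str) -> list:
    """Return findings about the role attribute; an empty list means it looks right for AWS."""
    attrs = saml_attributes(saml_response_b64)
    findings = []
    if AWS_ROLE_ATTR not in attrs:
        findings.append(f"missing attribute {AWS_ROLE_ATTR}")
        # Roles emitted under some other attribute name is the symptom in the report.
        for name, (_, values) in attrs.items():
            if any("arn:aws:iam::" in v for v in values):
                findings.append(f"role ARNs found under attribute {name!r} instead")
        return findings
    friendly, values = attrs[AWS_ROLE_ATTR]
    if not friendly:
        findings.append("role attribute has no FriendlyName")
    if not values:
        findings.append("role attribute has no values")
    return findings


def build_sample_response(attr_name: str, friendly_name: str = "") -> str:
    """Build a constructed, unsigned SAML response with one role attribute (fixture, not real traffic)."""
    friendly = f' FriendlyName="{friendly_name}"' if friendly_name else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="ID_constructed" Version="2.0">'
        '<saml:Assertion ID="ID_constructed_assertion" Version="2.0">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{attr_name}"{friendly} '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
        # Constructed ARN pair: placeholder account id, placeholder role and provider names.
        "<saml:AttributeValue>arn:aws:iam::123456789012:role/ExampleRole,"
        "arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>"
        "</saml:Attribute>"
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
        "</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Broken case: roles sent under a default-looking name with no FriendlyName.
    print(check_aws_role_attribute(build_sample_response("Role")))
    # Fixed case: the user-configured name and FriendlyName are present.
    print(check_aws_role_attribute(build_sample_response(AWS_ROLE_ATTR, "Session Role")))
```

Point the checker at a captured SAMLResponse form value from the browser to confirm which of the two cases a given Keycloak build produces.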