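<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter"
		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		xsi:schemaLocation="urn:keycloak:saml:adapter https://www.keycloak.org/schema/keycloak_saml_adapter_1_10.xsd">

	<!-- Keycloak SAML adapter configuration for a Weave service provider federated with Microsoft Entra ID.
	     Before deploying: replace APPLICATION_ID_FROM_ENTRA and DIRECTORY_ID_FROM_ENTRA with the values from
	     the Entra enterprise application, and paste the tenant's SAML signing certificate into the <Keys>
	     block under <IDP>. Signature validation is switched on below and will not work without that key. -->
	<SP entityID="spn:APPLICATION_ID_FROM_ENTRA"
		sslPolicy="EXTERNAL"
		nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
		logoutPage="http://www.cohga.com/"
		forceAuthentication="false"
		isPassive="false"
		turnOffChangeSessionIdOnLogin="false"
		autodetectBearerOnly="true">

		<!-- This sets up the attribute returned by Entra ID to use as the username -->
		<PrincipalNameMapping policy="FROM_ATTRIBUTE" attribute="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />

		<!-- This sets up the attribute returned by Entra ID to determine the roles the user has -->
		<!-- these roles should be referenced in your Weave ACL configurations -->
		<RoleIdentifiers>
			<Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/group"/>
			<!-- These two are alternate names in case the one above does not work
			<Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"/>
			<Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"/>
			<Attribute name="http://schemas.xmlsoap.org/claims/Group"/>
			-->
		</RoleIdentifiers>

		<!-- Convert Entra group IDs to their display name via an Entra group export CSV file -->
		<!-- Note the id is correct: it contains "azure" and has not as yet been renamed -->
		<RoleMappingsProvider id="azure-groups-role-mapper">
			<Property name="export.file.location" value="platform/workspace/exportGroup_2022-8-17.csv"/>
		</RoleMappingsProvider>

		<!-- Or, convert Entra group IDs to their display name via a properties file -->
<!--
		<RoleMappingsProvider id="properties-based-role-mapper">
			<Property name="properties.file.location" value="platform/workspace/group-mappings.properties"/>
		</RoleMappingsProvider>
-->

		<!-- signaturesRequired is left "false" so the SP does not need its own signing key to issue
		     AuthnRequests; the explicit validate* attributes on SingleSignOnService take precedence over it
		     for what the SP checks on inbound messages. -->
		<IDP entityID="idp"
			signaturesRequired="false">
			<!-- validateResponseSignature and validateAssertionSignature must stay "true". With either
			     off, the adapter accepts a SAML response that was not signed by Entra, so the identity
			     and group claims in it could be forged and the login would still succeed. -->
			<SingleSignOnService requestBinding="POST"
				bindingUrl="https://login.microsoftonline.com/DIRECTORY_ID_FROM_ENTRA/saml2"
				signRequest="false"
				validateAssertionSignature="true"
				validateResponseSignature="true"/>

			<SingleLogoutService
				requestBinding="POST"
				responseBinding="POST"
				postBindingUrl="https://login.microsoftonline.com/DIRECTORY_ID_FROM_ENTRA/saml2"
				redirectBindingUrl="https://login.microsoftonline.com/DIRECTORY_ID_FROM_ENTRA/saml2"
				signRequest="false"
				signResponse="false"/>

			<!-- Signing certificate of the Entra ID tenant, used to verify the signatures checked above.
			     Take it from the tenant's federation metadata (the X509Certificate element for the
			     signing key) or the enterprise application's "SAML Signing Certificate" download, and
			     paste the base64 body here. Entra rotates this certificate; update it before the
			     published expiry or logins will start failing signature validation. -->
			<Keys>
				<Key signing="true">
					<CertificatePem>
PASTE_ENTRA_SAML_SIGNING_CERTIFICATE_BASE64_HERE
					</CertificatePem>
				</Key>
			</Keys>
		</IDP>
	</SP>

</keycloak-saml-adapter>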
