...
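<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="urn:keycloak:saml:adapter https://www.keycloak.org/schema/keycloak_saml_adapter_1_10.xsd">
  <!-- Service Provider (this application). Replace APPLICATION_ID_FROM_ENTRA with the value
       from the Entra ID application registration that this SP is federated with. -->
  <!-- logoutPage is the post-logout redirect target; an https:// URL is preferable so the
       redirect is not issued over plain HTTP. -->
  <SP entityID="spn:APPLICATION_ID_FROM_ENTRA"
      sslPolicy="EXTERNAL"
      nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      logoutPage="http://www.cohga.com/"
      forceAuthentication="false"
      isPassive="false"
      turnOffChangeSessionIdOnLogin="false"
      autodetectBearerOnly="true">
    <!-- This sets up the attribute returned by Entra ID to use as the username -->
    <PrincipalNameMapping policy="FROM_ATTRIBUTE" attribute="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
    <!-- This sets up the attribute returned by Entra ID to determine the roles the user has -->
    <!-- these roles should be referenced in your Weave ACL configurations -->
    <RoleIdentifiers>
      <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/group"/>
      <!-- These two are alternate names in case the one above does not work
      <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"/>
      <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"/>
      <Attribute name="http://schemas.xmlsoap.org/claims/Group"/>
      -->
    </RoleIdentifiers>
    <!-- Convert Entra group id's to their display name via an Entra group export csv file -->
    <!-- Note the id is correct, it contains azure and has not as yet been renamed -->
    <RoleMappingsProvider id="azure-groups-role-mapper">
      <Property name="export.file.location" value="platform/workspace/exportGroup_2022-8-17.csv"/>
    </RoleMappingsProvider>
    <!-- Or, convert Entra group id's to their display name via a properties file -->
    <!--
    <RoleMappingsProvider id="properties-based-role-mapper">
      <Property name="properties.file.location" value="platform/workspace/group-mappings.properties"/>
    </RoleMappingsProvider>
    -->
    <!-- Identity Provider (Entra ID). Replace DIRECTORY_ID_FROM_ENTRA with the tenant's directory ID.
         signaturesRequired stays false because this SP does not sign its own requests
         (signRequest="false" below); signature *validation* of what the IdP sends is a
         separate setting and is enabled on the SingleSignOnService element. -->
    <IDP entityID="idp"
         signaturesRequired="false">
      <!-- validateResponseSignature / validateAssertionSignature must be true: with them
           disabled the adapter accepts any SAML response regardless of who produced it,
           so the user identity and group claims could be forged. Validation needs the
           IdP signing certificate in the Keys element below. -->
      <SingleSignOnService requestBinding="POST"
                           bindingUrl="https://login.microsoftonline.com/DIRECTORY_ID_FROM_ENTRA/saml2"
                           signRequest="false"
                           validateAssertionSignature="true"
                           validateResponseSignature="true"/>
      <SingleLogoutService requestBinding="POST"
                           responseBinding="POST"
                           postBindingUrl="https://login.microsoftonline.com/DIRECTORY_ID_FROM_ENTRA/saml2"
                           redirectBindingUrl="https://login.microsoftonline.com/DIRECTORY_ID_FROM_ENTRA/saml2"
                           signRequest="false"
                           signResponse="false"/>
      <!-- Signing certificate of the Entra ID IdP, used to verify the signatures enabled
           above. Obtain it from the enterprise application's SAML signing certificate in
           Entra ID (Base64/PEM form) and replace the placeholder with the certificate body.
           Rotate it here whenever the certificate is renewed in Entra ID. -->
      <Keys>
        <Key signing="true">
          <CertificatePem>PASTE_ENTRA_SAML_SIGNING_CERTIFICATE_PEM_HERE</CertificatePem>
        </Key>
      </Keys>
    </IDP>
  </SP>
</keycloak-saml-adapter>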
...