openliberty saml group mapping not working


I'm testing the openliberty feature SAML Web Single Sign-On 2.0 (https://openliberty.io/docs/latest/reference/feature/samlWeb-2.0.html).

The integration with my IdP works fine for authentication but I can't make it work for the role/group mapping (I get a 403 Forbidden access error).

This feature is defined as follows in my server.xml config file:

<samlWebSso20 id="defaultSP" nameIDFormat="email" userIdentifier="cn" groupIdentifier="memberOf" mapToUserRegistry="No" authFilterRef="myAuthFilter"/>

and the security constraint is defined like this:

<application location="guide-getting-started.war" type="war" id="guide-getting-started.war" name="ctxrt-saml-test" contextRoot="ctxrt-saml-test">
    <application-bnd>
        <security-role name="XXXX_admin_view">
            <group name="XXXX_admin_view" />
        </security-role>
    </application-bnd>
</application>

In my webapp, I have the following security constraint:

    <security-constraint>
      <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>XXXX_admin_view</role-name>
      </auth-constraint>
    </security-constraint>

The SAML response from my IdP contains this:

SAML2.0 Response
[...]
SAML 2.0 AttributeStatement
uid xxxxxxx
memberOf    CN=XXXX_admin_view,OU=XXXX,OU=Applications,OU=Groups,DC=[xxxx],DC=fr
cn  xxxxx

In my Openliberty server logs, I see this:

Added the following subject to role mapping for application: ctxrt-saml-test. 
group:[IdP-realmName]/CN=XXXX_admin_view,OU=XXXX,OU=Applications,OU=Groups,DC=[xxxx],DC=fr

and

CWWKS9104A: Authorization failed for user [user_cn] while invoking ctxrt-saml-test on /. The user is not granted access to any of the required roles: [XXXX_admin_view].

It looks like the mapping between the role defined at the SP level (openliberty) and the groups returned by the IdP in the SAML response doesn't work...

As I can't yet change the IdP SAML response, I've tried all the combinations at the SP level configuration but none seems to work...

role = [IdP-realmName]/CN=XXXX_admin_view,OU=XXXX,OU=Applications,OU=Groups,DC=[xxxx],DC=fr
or role = CN=XXXX_admin_view,OU=XXXX,OU=Applications,OU=Groups,DC=[xxxx],DC=fr
or role = XXXX_admin_view

Any help much appreciated

Thanks

frederic fadda On

I solved this issue with a colleague.

The solution is to specify an access-id in the "group" element, like this:

<security-role name="XXXX_admin_view">
    <group access-id="group:[IdP-realmName]/CN=XXXX_admin_view,OU=XXXX,OU=Applications,OU=Groups,DC=[xxxx],DC=fr" />
</security-role>

See: github.com/OpenLiberty/open-liberty/issues/17096
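Added example, not code from the question or the answer: a small Python helper that pulls the group access-id Liberty prints in the "Added the following subject to role mapping" line and compares it with the `<group>` bindings of an application-bnd fragment, so the question's name-only binding and the answer's access-id binding can be audited side by side before re-testing. The log line and the two XML fragments are constructed samples that reuse the question's placeholders ("[IdP-realmName]", "[xxxx]").

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample of the "subject to role mapping" log line the question quotes;
# "[IdP-realmName]" and "[xxxx]" are the question's own placeholders, not real values.
LOG_LINE = (
    "Added the following subject to role mapping for application: ctxrt-saml-test. "
    "group:[IdP-realmName]/CN=XXXX_admin_view,OU=XXXX,OU=Applications,OU=Groups,DC=[xxxx],DC=fr"
)

# Constructed application-bnd fragments: the question's name-only binding ...
BND_BY_NAME = """<application-bnd>
  <security-role name="XXXX_admin_view">
    <group name="XXXX_admin_view"/>
  </security-role>
</application-bnd>"""

# ... and the answer's access-id binding.
BND_BY_ACCESS_ID = """<application-bnd>
  <security-role name="XXXX_admin_view">
    <group access-id="group:[IdP-realmName]/CN=XXXX_admin_view,OU=XXXX,OU=Applications,OU=Groups,DC=[xxxx],DC=fr"/>
  </security-role>
</application-bnd>"""

# A group access-id contains no whitespace, so one non-space run after "group:" captures it.
SUBJECT_RE = re.compile(r"\b(group:\S+)")

def subject_access_ids(log_text):
    """Collect every group access-id Liberty reports it added to the role mapping."""
    return set(SUBJECT_RE.findall(log_text))

def audit_bindings(bnd_xml, subjects):
    """Per security-role, sort each <group> binding into: exact access-id match against a
    reported subject, access-id that matches nothing, or name-only (no access-id to compare)."""
    report = {}
    for role in ET.fromstring(bnd_xml).iter("security-role"):
        matched, unmatched, name_only = [], [], []
        for grp in role.findall("group"):
            aid = grp.get("access-id")
            if aid is None:
                name_only.append(grp.get("name"))
            elif aid in subjects:
                matched.append(aid)
            else:
                unmatched.append(aid)
        report[role.get("name")] = {"matched": matched, "unmatched": unmatched, "name_only": name_only}
    return report

if __name__ == "__main__":
    subjects = subject_access_ids(LOG_LINE)
    print("name binding:", audit_bindings(BND_BY_NAME, subjects))
    print("access-id binding:", audit_bindings(BND_BY_ACCESS_ID, subjects))
```

Feed it the real "Added the following subject to role mapping" lines from messages.log and the `<application-bnd>` from server.xml; a role whose only bindings land in "name_only" or "unmatched" is the one that will show up in a CWWKS9104A failure.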