From: Krzysztof B. <kb...@un...> - 2021-12-06 09:16:48

Hi Anthony,

On 03.12.2021 at 22:27, Anthony M wrote:
> Hello,
>
> Currently, I have incorporated Unity as an OAuth client using Keycloak. This allows users to log in to the /home endpoint, resulting in user creation (including X500 name). However, I want to authenticate these newly created users through UNICORE by passing OAuth tokens (from Keycloak). I set up an OAuth RP in Unity by including the Keycloak “openid-connect/token/introspect” endpoint for token verification, and the respective Keycloak profile endpoint (/userinfo). In addition, I connected the RP to a SAML SOAP endpoint (unicore-soapidp-oidc/saml2unicoreidp-soap/AuthenticationService). However, user authentication is failing.
>
> What would be the necessary steps to get this workflow working? Currently I have no remote data mapping set up with the OAuth RP, which may be causing issues when trying to map the verified tokens to the SOAP endpoint.

Well, hard to say precisely; there are a couple of places where the process can fail. I'd do the following, in order:

1. Enable debug logging for oauth, saml and externaltranslation.
2. Test-drive the process and check in the logs at which step it fails.
3. If it fails early, i.e. at verification of the access token against Keycloak, then we need to look at the protocol compatibility. -> Keycloak is not directly supported, so it may work or not.
4. (if the above is fine) Check in the logs whether the user profile is fetched.
5. (if the above is fine) Check what happens with the mapping. If you haven't set up a mapping then Unity most likely won't be able to map information retrieved from Keycloak to its own attributes and identities. The logs should tell you what is received, and this will help you to set up a proper mapping.

HTH,
Krzysztof
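Steps 3 and 4 of the checklist above can be exercised outside Unity to separate a Keycloak protocol problem from a Unity mapping problem. The script below is an added example, not code from Unity, UNICORE or this thread: it introspects an access token at Keycloak's RFC 7662 endpoint with the RP's own client credentials, then fetches /userinfo with the token, and reports the first step that fails. The realm URL, client id and secret are placeholders; the `fetch` parameter exists so the logic can be run offline against constructed responses.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholder realm base; replace with the real Keycloak realm (assumed layout).
KEYCLOAK_OIDC = "https://keycloak.example.org/realms/myrealm/protocol/openid-connect"


def http_fetch(url, data, headers):
    """Default transport: POST when data is given, else GET. Returns (status, body)."""
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def introspect(token, client_id, client_secret, base=KEYCLOAK_OIDC, fetch=http_fetch):
    """RFC 7662 introspection: the RP authenticates itself; Keycloak reports on the token."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    status, body = fetch(base + "/token/introspect",
                         urllib.parse.urlencode({"token": token}).encode(),
                         {"Authorization": "Basic " + creds,
                          "Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"introspection endpoint returned HTTP {status}")
    return json.loads(body)


def userinfo(token, base=KEYCLOAK_OIDC, fetch=http_fetch):
    """Fetch the OIDC profile using the access token itself as the bearer credential."""
    status, body = fetch(base + "/userinfo", None, {"Authorization": "Bearer " + token})
    if status != 200:
        raise RuntimeError(f"userinfo endpoint returned HTTP {status}")
    return json.loads(body)


def check_token(token, client_id, client_secret, base=KEYCLOAK_OIDC, fetch=http_fetch, now=None):
    """Walk verification then profile fetch, returning the first failing step or the mappable claims."""
    now = time.time() if now is None else now
    info = introspect(token, client_id, client_secret, base, fetch)
    if not info.get("active"):
        return {"step": "introspection", "ok": False, "detail": "token reported inactive"}
    if "exp" in info and info["exp"] <= now:
        return {"step": "introspection", "ok": False, "detail": "token expired"}
    profile = userinfo(token, base, fetch)
    # Claims a remote-data mapping would typically turn into Unity identities/attributes.
    claims = {k: profile[k] for k in ("sub", "preferred_username", "email", "name") if k in profile}
    if "sub" not in claims:
        return {"step": "profile", "ok": False, "detail": "no 'sub' claim to map to an identity"}
    return {"step": "profile", "ok": True, "detail": claims}
```

If the result stops at "introspection", the problem is between Unity's RP and Keycloak; if it reaches "profile", the returned claims are what the Unity mapping has to consume.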