LDAP attributes are not as expected

I have two servers up and running, SP server, named webserver.com, and IdP server named idpserver.com, just for example. idpserver.com has KeyCloak installed, and LDAP federation is configured successfully. On SP server, webserver.com, I have Apache and mod_auth_mellon configured successfully. webserver.com is a client on idpserver.com. The client is configured successfully. If I run https://webserver.com against KeyCloak authentication on IdP server, i.e. https://idpserver.com, the authentication with LDAP federation is successful.

I can see mapped LDAP user on IdP server inside KeyCloak admin, and I can see some of LDAP attributes are also mapped successfully.

On the SP server, i.e. webserver.com, I use the following PHP code to trace the _SERVER environment variables (based on the mod_auth_mellon User Guide, 'PHP Environment Dump' section):

<?php
// header('Content-Type: text/plain');
// Print every MELLON_* variable that mod_auth_mellon placed in the request environment.
foreach ($_SERVER as $key => $value) {
    if (substr($key, 0, 7) == 'MELLON_') {
        echo($key . '=' . $value . "\n");
    }
}
?>

I would expect the output to be something like this:
MELLON_lastname=Smith
MELLON_cn=John Smith
MELLON_username=jsmith
MELLON_mail=john.smith@abc.com
MELLON_badge=987654321abc

However, the current output is something like this:

MELLON_Role_5=uma_authorization
MELLON_Role_4=default-roles-basic
MELLON_Role_3=view-profile
MELLON_Role_2=offline_access
MELLON_Role_1=manage-account-links
MELLON_Role_0=manage-account
MELLON_Role=manage-account
MELLON_NAME_ID=K-7654321-76543-9999-a12a-c99fb9abcde

On the IdP server with KeyCloak configured, I can see the LDAP attributes are mapped successfully to the username federated with the LDAP server. Why am I not able to fetch the LDAP attributes on my web page server with mod_auth_mellon configured? How can I make the PHP code see the real LDAP attributes after the user has successfully logged in?

Any advice or helpful URL links are very welcome. Thank you very much.

I guess you don't have mappers configured for those missing details in the Keycloak SAML client configuration you are using.
Use the SAML tracer extension in your browser during the login procedure and check which user attributes are returned by Keycloak in the SAML response. Then tweak the client configuration accordingly.

On the KeyCloak Admin GUI, I can check the LDAP attributes for those imported users. Click 'Users', open the selected user, and click the 'Attributes' tab; I can see that all defined attributes from LDAP are mapped successfully. I can see the values of the attributes from LDAP, such as username, email, badge number, etc. It looks like the attribute mapping is successful.

I am new to this topic. "Use the SAML tracer extension in your browser during the login procedure and check which user attributes are returned by Keycloak in the SAML response" - could you please show me a document or URL link on how to use the SAML tracer extension in my browser during the login procedure? Thank you very much.

Thank you very much. At least I figured out one way to fix the problem. I put my focus on Users → Attributes. Even though the user attributes are successfully mapped with LDAP federation, the LDAP attributes are not distributed to the web site server.

To fix the problem, I created a few "Client Scopes" on the KeyCloak Admin GUI, for example badge, mail, cn, etc. For each client scope, create a mapper with Mapper Type = "User Attribute", and be sure to use the same value for "User Attribute" and "SAML Attribute Name". Pick "Basic" as the SAML Attribute NameFormat. Then for each "client", you can see the new client scopes listed under "Available Client Scopes". Add them to "Assigned Default Client Scopes".

Reload the web server web page. The new user attributes now appear in the output of my PHP code.

Thank you for your response; it gave me the hints I needed. Your help is very much appreciated.
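The check suggested in the first reply (inspect the SAML response for the attributes the IdP actually sends) and the result the fix above produces can be reproduced offline. The following is an added example, not code from the thread or from mod_auth_mellon or Keycloak: it parses the AttributeStatement of a captured SAML response (a constructed, trimmed sample with only the role attribute, as in the question), derives the MELLON_* variables mod_auth_mellon exposes (MELLON_<name> holds the first value, MELLON_<name>_<i> each value, matching the MELLON_Role output shown above), and lists which expected attributes still need a client-scope mapper.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (decoded, unsigned, trimmed): only the role list
# is present, i.e. no User Attribute mappers are assigned to the client yet.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Subject><saml2:NameID>example-name-id</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue>manage-account</saml2:AttributeValue>
        <saml2:AttributeValue>offline_access</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Attribute names the PHP dump on the SP expects (from the question).
EXPECTED = ["lastname", "cn", "username", "mail", "badge"]


def saml_attributes(xml_text):
    """Return {attribute Name: [values]} from every AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "") for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def mellon_env(xml_text):
    """Environment variables mod_auth_mellon would set for this response."""
    root = ET.fromstring(xml_text)
    env = {}
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if name_id is not None:
        env["MELLON_NAME_ID"] = name_id.text or ""
    for name, values in saml_attributes(xml_text).items():
        if values:
            env["MELLON_" + name] = values[0]          # first value, unsuffixed
        for i, value in enumerate(values):
            env["MELLON_%s_%d" % (name, i)] = value    # every value, indexed
    return env


def missing_attributes(xml_text, expected=EXPECTED):
    """Expected names absent from the response: each needs a client-scope mapper."""
    return [n for n in expected if n not in saml_attributes(xml_text)]
```

Paste the decoded response from SAML tracer in place of the sample; an attribute listed by missing_attributes will never show up as a MELLON_ variable no matter how the user's attributes look in the Keycloak admin console.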