Keycloak user permissions - able to log in but can't see any studies


Calvin Cheah

May 10, 2018, 10:59:48 AM
to cBioPortal for Cancer Genomics Discussion Group

Hi,

I've configured Keycloak to work with cBioPortal
  • Authentication works OK
  • I'm able to log in and out of cBioPortal after being redirected to Keycloak
However, my user can't see any studies after logging in (completely empty). I've tried:
  • Clearing my users table
  • Clearing my cancer_study group column
  • Adding a role in Keycloak that is the same name as a cancer_study group or ID
  • But I still get an empty set of studies after successfully logging in.
I'm missing something for sure, any idea what that might be?

Thanks so much!
Calvin

Pieter Lukasse

May 10, 2018, 11:42:51 AM
to Calvin Cheah, cBioPortal for Cancer Genomics Discussion Group
Hi Calvin, 

there are some properties that are crucial for the Keycloak roles to be picked up by cBioPortal, perhaps you can double-check and verify that they are set as follows:
  • filter_groups_by_appname=false
  • saml.custom.userservice.class=org.cbioportal.security.spring.authentication.keycloak.SAMLUserDetailsServiceImpl 
You can also try to use a SAML tracer plugin in your browser to capture all the SAML messages exchanged by Keycloak, the browser and cBioPortal. Then you can check if Keycloak is indeed sending over the list of roles in the SAML XML message.

Best,

Pieter

Pieter Lukasse


E.   pie...@thehyve.nl

T.   +31(0)30 700 9713

W.  www.thehyve.nl


We empower scientists by building on open source software


Calvin Cheah

May 11, 2018, 11:01:42 PM
to Pieter Lukasse, cBioPortal for Cancer Genomics Discussion Group
Hi Pieter,

Thanks this is very helpful and encouraging.

I've checked my portal.properties and the two lines you mentioned are set as expected.

Also, as suggested, I used the SAML tracer to view the messages:

<saml:Attribute Name="Role"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:type="xs:string">abc</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:type="xs:string">xyz</saml:AttributeValue>
</saml:Attribute>

In the example above, is it right that the user should be able to see studies which have "abc" or "xyz" in the GROUPS column of the cancer_study table?

Thanks so much again!

Cheers,
Calvin

Kelsey Zhu

May 11, 2018, 11:51:07 PM
to Calvin Cheah, Pieter Lukasse, cBioPortal for Cancer Genomics Discussion Group
Hi Calvin,

Just to clarify a few things:

1. When using keycloak to authenticate users, the USER table and cancer_study GROUP fields will no longer be used. So, there is no need to clear out the user table or group column in the cancer_study table.
  • Clearing my users table
  • Clearing my cancer_study group column
2. You will need to use “cancer_study_identifier” from the cancer_study table as a keycloak role name. For example, if you added “abc” and “xyz” two roles in Keycloak, then user should be able to see studies which have “cancer_study_identifier” either “abc” or “xyz”.

Best!
Kelsey


Pieter Lukasse

May 16, 2018, 4:14:07 PM
to Calvin Cheah, cBioPortal for Cancer Genomics Discussion Group
Hi Calvin, 

thanks for the details. The abc and xyz will be matched to the CANCER_STUDY_ID field in cancer_study table, so please make sure this is matching. 

Also, be sure to follow this step from the documentation: https://github.com/cBioPortal/cbioportal/blob/master/docs/Authenticating-and-Authorizing-Users-via-keycloak.md#map-saml-assertion-attributes (see "a Role list-type attribute using the word roles as its Role attribute name" - yes, this is case sensitive...). Or you can update the following property to Role with capital R (to match the SAML XML here: <saml:Attribute Name="Role">):
    saml.idp.metadata.attribute.role=Role

This should solve the issue. Please let me know. 

Best regards,

Pieter

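The two points made in this thread (Kelsey: the Keycloak role values are matched against the study identifier in cancer_study; Pieter: the attribute name configured in saml.idp.metadata.attribute.role must match the Name in the SAML assertion exactly, including case) can be checked offline against a captured assertion. The script below is an added example, not code from the thread or from cBioPortal. It parses a constructed AttributeStatement modelled on the one Calvin captured, extracts the values of the attribute whose Name equals the configured role attribute name, and filters a constructed list of cancer_study rows by identifier. It assumes exact, case-sensitive string comparison on both the attribute name (as described in the thread) and the study identifier (an assumption made for the example, not a statement about cBioPortal's implementation).

```python
"""Added example (not cBioPortal code): extract SAML role attributes and filter studies."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML AttributeStatement, modelled on the fragment captured with the SAML tracer.
# Keycloak sends each role as a separate <saml:Attribute Name="Role"> element.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">abc</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">xyz</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">user@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed rows from the cancer_study table: (CANCER_STUDY_IDENTIFIER, NAME).
# The upper-case "ABC" row is there to show that matching is exact in this example.
SAMPLE_CANCER_STUDIES = [
    ("abc", "Study ABC"),
    ("xyz", "Study XYZ"),
    ("ABC", "Different study with an upper-case identifier"),
    ("other_study", "Study the user should not see"),
]


def extract_roles(attribute_statement_xml, role_attribute_name):
    """Return the AttributeValue strings of every Attribute whose Name equals
    role_attribute_name. The comparison is deliberately case-sensitive, which is
    why the default 'roles' picks up nothing from an assertion that says 'Role'."""
    root = ET.fromstring(attribute_statement_xml)
    roles = []
    for attribute in root.findall("saml:Attribute", SAML_NS):
        if attribute.get("Name") != role_attribute_name:
            continue
        for value in attribute.findall("saml:AttributeValue", SAML_NS):
            if value.text:
                roles.append(value.text.strip())
    return roles


def visible_studies(roles, cancer_studies):
    """Return the identifiers of the studies whose identifier is one of the roles.
    Exact string comparison is an assumption of this example."""
    allowed = set(roles)
    return [identifier for identifier, _name in cancer_studies if identifier in allowed]


def main():
    # Compare the documented default ('roles') with the value that matches this assertion ('Role').
    for configured_name in ("roles", "Role"):
        roles = extract_roles(SAMPLE_ATTRIBUTE_STATEMENT, configured_name)
        studies = visible_studies(roles, SAMPLE_CANCER_STUDIES)
        print(f"saml.idp.metadata.attribute.role={configured_name}: roles={roles}, visible={studies}")


if __name__ == "__main__":
    main()
```

Run as-is it prints one line per configured attribute name: with roles the extracted role list is empty and no study is visible, which is the empty study list Calvin saw; with Role the roles abc and xyz are extracted and exactly those two studies pass the filter. Paste the AttributeStatement from your own SAML tracer capture in place of the constructed one to check a real deployment the same way.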

Calvin Cheah

May 29, 2018, 8:46:40 AM
to Pieter Lukasse, cBioPortal for Cancer Genomics Discussion Group
Thanks so much, Pieter.

I updated the saml.idp.metadata.attribute.role property and it works!!! Brilliant!!

Cheers,
Calvin