Bug 58544 - univention-keycloak saml-client-nameid-mapper throws traceback if run twice
Summary: univention-keycloak saml-client-nameid-mapper throws traceback if run twice
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Keycloak
Version: UCS 5.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.2-2-errata
Assignee: Arvid Requate
QA Contact: Dirk Wiesenthal
URL:
Keywords:
Depends on:
Blocks:
Reported: 2025-08-26 16:28 CEST by Arvid Requate
Modified: 2025-08-27 16:12 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Description Arvid Requate univentionstaff 2025-08-26 16:28:58 CEST
Bug #56096 introduced "univention-keycloak saml-client-nameid-mapper", but it's not idempotent, which makes it unsuitable for use in joinscripts.


root@primary20:~# univention-keycloak saml-client-nameid-mapper create \
        urn:federation:MicrosoftOnline \
        entryUUID \
        --mapper-nameid-format "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" \
        --user-attribute entryUUID \
        --base64 && echo ok
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3450, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/sbin/univention-keycloak", line 3446, in main
    return opt.func(opt) or 0
           ^^^^^^^^^^^^^
  File "/usr/sbin/univention-keycloak", line 2306, in create_saml_nameid_mapper
    session.create_mapper(opt.clientid, payload)
  File "/usr/sbin/univention-keycloak", line 351, in create_mapper
    self.add_mapper_to_client(_id, payload)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 3656, in add_mapper_to_client
    return raise_error_from_response(data_raw, KeycloakPostError, expected_codes=[201])
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 192, in raise_error_from_response
    raise error(
keycloak.exceptions.KeycloakPostError: 409: b'{"errorMessage":"Protocol mapper exists with same name"}'
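The failure above is the classic non-idempotent "create" in a join script: the second run hits the Keycloak Admin REST API's 409 "Protocol mapper exists with same name" and the uncaught KeycloakPostError aborts the script. The following is an added illustration of how a create can be made safe to repeat; it is not the univention-keycloak code or its actual fix. It checks for an existing mapper by name first and, as a fallback for two runs racing each other, treats a 409 as "already there" while still re-raising every other error. The KeycloakPostError and FakeKeycloakAdmin classes are constructed stand-ins for python-keycloak's classes so the example runs offline; the real KeycloakAdmin offers get_mappers_from_client() and add_mapper_to_client() with the same shape, and its KeycloakPostError carries response_code. The mapper payload fields are illustrative assumptions, not the tool's real payload.

```python
"""Idempotent Keycloak protocol-mapper creation (added example, not project code)."""
from __future__ import annotations


class KeycloakPostError(Exception):
    """Constructed stand-in for keycloak.exceptions.KeycloakPostError."""

    def __init__(self, response_code: int, error_message: str) -> None:
        super().__init__(f"{response_code}: {error_message}")
        self.response_code = response_code
        self.error_message = error_message


class FakeKeycloakAdmin:
    """In-memory imitation of the two KeycloakAdmin calls the wrapper needs.
    Like the real Admin REST API it rejects a second mapper with the same
    name on the same client with HTTP 409."""

    def __init__(self) -> None:
        self._mappers: dict[str, list[dict]] = {}
        self.post_calls = 0  # how often a create was actually attempted

    def get_mappers_from_client(self, client_id: str) -> list[dict]:
        return list(self._mappers.get(client_id, []))

    def add_mapper_to_client(self, client_id: str, payload: dict) -> None:
        self.post_calls += 1
        existing = self._mappers.setdefault(client_id, [])
        if any(m["name"] == payload["name"] for m in existing):
            raise KeycloakPostError(
                409, '{"errorMessage":"Protocol mapper exists with same name"}')
        existing.append(dict(payload, id=f"mapper-{len(existing) + 1}"))


class StaleReadAdmin(FakeKeycloakAdmin):
    """Simulates a lookup that predates a concurrent create by another process:
    the read says 'nothing there' although the server already has the mapper."""

    def get_mappers_from_client(self, client_id: str) -> list[dict]:
        return []


def saml_nameid_mapper_payload(name: str, user_attribute: str, nameid_format: str) -> dict:
    """Illustrative payload for a SAML NameID mapper (field names are assumptions)."""
    return {
        "name": name,
        "protocol": "saml",
        "protocolMapper": "saml-user-attribute-nameid-mapper",
        "config": {
            "user.attribute": user_attribute,
            "mapper.nameid.format": nameid_format,
        },
    }


def ensure_mapper(admin, client_id: str, payload: dict) -> str:
    """Create the mapper only if none of that name exists.

    Returns "created", "exists" (found by the pre-check) or "exists-race"
    (the server answered 409 although the pre-check saw nothing)."""
    if any(m.get("name") == payload["name"]
           for m in admin.get_mappers_from_client(client_id)):
        return "exists"
    try:
        admin.add_mapper_to_client(client_id, payload)
    except KeycloakPostError as exc:
        if exc.response_code == 409:
            return "exists-race"
        raise  # every other error is a real failure and must still abort the join script
    return "created"


CLIENT = "urn:federation:MicrosoftOnline"  # client id taken from the report above
PAYLOAD = saml_nameid_mapper_payload(
    "entryUUID", "entryUUID", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")


def run_twice_demo() -> tuple[str, str, int, int]:
    """Same create issued twice: second call is a no-op, one mapper, one POST."""
    admin = FakeKeycloakAdmin()
    first = ensure_mapper(admin, CLIENT, PAYLOAD)
    second = ensure_mapper(admin, CLIENT, PAYLOAD)
    return first, second, len(admin.get_mappers_from_client(CLIENT)), admin.post_calls


def race_demo() -> str:
    """Another process created the mapper between our lookup and our POST."""
    admin = StaleReadAdmin()
    admin.add_mapper_to_client(CLIENT, PAYLOAD)  # the "other" process
    return ensure_mapper(admin, CLIENT, PAYLOAD)


if __name__ == "__main__":
    print(run_twice_demo())  # ('created', 'exists', 1, 1)
    print(race_demo())       # exists-race
```

The pre-check alone is enough for sequential joinscript re-runs; the 409 branch is what keeps the script correct when two hosts join at the same time. Note that only 409 is swallowed: a 401, 403 or 500 still propagates, so a misconfigured client or an unreachable Keycloak does not silently pass as "ok".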
Comment 1 Arvid Requate univentionstaff 2025-08-26 16:32:31 CEST
[5.2-2] 58989b0669a | Fix exception handling of saml-client-nameid-mapper create

Package: univention-keycloak
Version: 3.2.3
Release: 5.2-0
Scope: errata5.2-2
Comment 2 Arvid Requate univentionstaff 2025-08-26 17:42:51 CEST
[5.2-2] d62a52d4b96 | Advisory
Comment 3 Dirk Wiesenthal univentionstaff 2025-08-27 11:51:41 CEST
Tests: OK
Code review: OK
YAML: OK
Comment 4 Christian Castens univentionstaff 2025-08-27 16:12:16 CEST
<https://errata.software-univention.de/#/?erratum=5.2x180>