[keycloak-dev] Claims Mapping and Identity Federation

Pedro Igor Silva psilva at redhat.com
Fri Feb 20 18:20:15 EST 2015


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, February 20, 2015 8:48:53 PM
> Subject: Re: [keycloak-dev] Claims Mapping and Identity Federation
> 
> 
> 
> On 2/20/2015 11:07 AM, Pedro Igor Silva wrote:
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Friday, February 20, 2015 1:36:31 PM
> >> Subject: Re: [keycloak-dev] Claims Mapping and Identity Federation
> >>
> >
> > I'm not sure if you really need something different for SAML. The reason is
> > that we can just ask users whether they want to use 'Name' or 'Friendly
> > Name'.
> >
> > In the end, that is what really matters, right? Just know the name of the
> > attribute to map to an internal one.
> >
> >
> 
> From looking at the SAML document it looks like you can have attribute
> name types (uri, basic, and unspecified).  I'm not sure of the
> difference between basic and unspecified.  Do you?

AFAIK these are about how you interpret attributes. I think you can just ignore that in this case. You are more interested in mapping names than in how they should be interpreted. Users will probably know what they are mapping.

> 
> Then "Friendly Name" is optional.

Yeah, it is optional, but you can have something like this:

  <saml:Attribute
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
          FriendlyName="mail">
    <saml:AttributeValue>...</saml:AttributeValue>
  </saml:Attribute>

In this case, it is much easier to use FriendlyName when mapping than what is in Name. See, here there is a usage of NameFormat, in this case uri. We can just ignore it ...

If I'm correct about what you are doing, users will just say:

Get "mail" from the SAML Assertion and create an "email" claim in Keycloak.

> 
> Looks like I'll need to add a config map to each
> ProtocolMapper...ugh...wanted to avoid that.
> 
> Bill
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 

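The mapping Pedro describes ("get mail from the assertion, create an email claim"), worked through as an added example that is not part of this thread or of Keycloak's code. The config shape (AttributeMapping), the sample assertion and the claim names are all constructed for illustration. It matches a SAML Attribute by Name and/or FriendlyName, treats NameFormat as an optional extra filter (absent NameFormat means "unspecified" per the SAML 2.0 core spec), sets no claim when the attribute is absent, and refuses to map when more than one attribute matches, since FriendlyName is neither mandatory nor unique. It assumes the assertion's signature has already been verified upstream; nothing here checks it.

```python
# Added example: map SAML 2.0 Attributes onto internal claims by Name/FriendlyName.
# Assumes the assertion was signature-checked before it gets here.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"  # spec default


@dataclass(frozen=True)
class SamlAttribute:
    name: str
    name_format: str
    friendly_name: Optional[str]
    values: Tuple[str, ...]


@dataclass(frozen=True)
class AttributeMapping:
    """Hypothetical mapper entry (not Keycloak's config): match on name and/or
    friendly_name; name_format is an optional extra filter."""
    claim: str
    name: Optional[str] = None
    friendly_name: Optional[str] = None
    name_format: Optional[str] = None


def parse_attributes(assertion_xml: str) -> List[SamlAttribute]:
    """Collect every Attribute under the assertion's AttributeStatement(s)."""
    root = ET.fromstring(assertion_xml)
    found = []
    for el in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = el.get("Name")
        if not name:
            raise ValueError("saml:Attribute is missing the mandatory Name")
        values = tuple((v.text or "").strip()
                       for v in el.iterfind("saml:AttributeValue", SAML_NS))
        found.append(SamlAttribute(name, el.get("NameFormat", FMT_UNSPECIFIED),
                                   el.get("FriendlyName"), values))
    return found


def _matches(a: SamlAttribute, m: AttributeMapping) -> bool:
    return ((m.name is None or a.name == m.name)
            and (m.friendly_name is None or a.friendly_name == m.friendly_name)
            and (m.name_format is None or a.name_format == m.name_format))


def apply_mappings(attrs: List[SamlAttribute], mappings: List[AttributeMapping]) -> dict:
    """Absent attribute: claim not set. Several matches: refuse, the mapping is ambiguous."""
    claims = {}
    for m in mappings:
        hits = [a for a in attrs if _matches(a, m)]
        if not hits:
            continue
        if len(hits) > 1:
            raise ValueError(f"mapping for {m.claim!r} is ambiguous: {[a.name for a in hits]}")
        vals = list(hits[0].values)
        claims[m.claim] = vals[0] if len(vals) == 1 else vals  # single- vs multi-valued
    return claims


# Constructed sample (not from the thread); Signature element left out.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
        Name="groups">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion, but a second attribute also carries FriendlyName="mail".
AMBIGUOUS_ASSERTION = SAMPLE_ASSERTION.replace(
    '<saml:Attribute Name="givenName">', '<saml:Attribute Name="email" FriendlyName="mail">')

MAPPINGS = [
    AttributeMapping(claim="email", friendly_name="mail"),
    AttributeMapping(claim="groups", name="groups", name_format=FMT_BASIC),
    AttributeMapping(claim="first_name", name="givenName"),           # no NameFormat -> unspecified
    AttributeMapping(claim="phone", friendly_name="telephoneNumber"),  # absent -> no claim
]


def demo() -> dict:
    return apply_mappings(parse_attributes(SAMPLE_ASSERTION), MAPPINGS)


def is_ambiguous(assertion_xml: str, mapping: AttributeMapping) -> bool:
    try:
        apply_mappings(parse_attributes(assertion_xml), [mapping])
        return False
    except ValueError:
        return True
```

With the sample above, mapping by FriendlyName alone yields the email, groups (as a list) and first name claims and silently skips the absent phone attribute; against the second assertion the same "mail" mapping is refused, and pinning the mapping to the OID Name as well makes it unambiguous again. That is the practical cost of the convenience Pedro points out: FriendlyName is easier to read, but only Name (with its NameFormat) is what the IdP actually commits to.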
