[keycloak-dev] Claims Mapping and Identity Federation

Bill Burke bburke at redhat.com
Fri Feb 20 18:55:38 EST 2015



On 2/20/2015 6:20 PM, Pedro Igor Silva wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Pedro Igor Silva" <psilva at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, February 20, 2015 8:48:53 PM
>> Subject: Re: [keycloak-dev] Claims Mapping and Identity Federation
>>
>>
>>
>> On 2/20/2015 11:07 AM, Pedro Igor Silva wrote:
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: keycloak-dev at lists.jboss.org
>>>> Sent: Friday, February 20, 2015 1:36:31 PM
>>>> Subject: Re: [keycloak-dev] Claims Mapping and Identity Federation
>>>>
>>>
>>> I'm not sure if you really need something different for SAML. The reason is
>>> that we can just ask users whether they want to use 'Name' or 'Friendly
>>> Name'.
>>>
>>> At that end, that is what really matters, right? Just know the name of the
>>> attribute to map to an internal one.
>>>
>>
>>   From looking at the SAML document it looks like you can have attribute
>> name types (uri, basic, and unspecified). I'm not sure of the
>> difference between basic and unspecified. Do you?
>
> AFAIK these are about how you interpret attributes. I think you can just ignore that in this case. You are more interested in mapping names than dealing with how they should be interpreted. Users will probably know what they are mapping.
>
>>
>> Then "Friendly Name" is optional.
>
> Yeah, it is optional, but you can have something like this:
>
>    <saml:Attribute
>            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>            Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
>            FriendlyName="mail">
>
> In this case, it is much easier to use FriendlyName when mapping than what is in Name. See, here there is a usage of NameFormat, in this case uri. We can just ignore ...
>
> If I'm correct about what you are doing, users will just say:
>
> Get "mail" from the SAML Assertion and create an "email" claim in Keycloak.
>

The way it is going to work is that there will be a realm level page 
that shows a set of mappers.   You can remove and add mappers there. 
There will be built in mappers like:

"email"
"phone"
"address"
etc.

Then, per application, you attach or detach these mappers to the 
application. Basically what is happening is you are attaching/detaching 
transformers to the application that will be used to create tokens 
and documents. Something similar will be done for brokers.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
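
The two ideas in this thread, matching a SAML attribute on either its FriendlyName or its Name, and running only the mappers attached to a given application, as an added Python illustration that is not Keycloak code. The mapper dictionaries and the AttributeStatement below are constructed assumptions; the "mail" attribute is the one quoted in the message above.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. The first attribute is the one from the
# thread (uri NameFormat, FriendlyName set); the second has no FriendlyName.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26" FriendlyName="mail">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
        Name="telephoneNumber">
      <saml:AttributeValue>+1-555-0100</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical realm-level mappers: each matches one SAML attribute on
# FriendlyName or Name and writes one claim. NameFormat is ignored, as
# suggested in the thread; only the chosen identifier is compared.
REALM_MAPPERS = {
    "email": {"match": "FriendlyName", "attribute": "mail", "claim": "email"},
    "phone": {"match": "Name", "attribute": "telephoneNumber", "claim": "phone_number"},
}

# Hypothetical per-application attachment: a client only gets the claims
# produced by the mappers attached to it.
CLIENT_MAPPERS = {"webapp": ["email", "phone"], "reporting": ["email"]}


def saml_attributes(assertion_xml):
    """Return [(Name, FriendlyName or None, [values])] from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        out.append((attr.get("Name"), attr.get("FriendlyName"), values))
    return out


def map_claims(assertion_xml, client_id):
    """Build the claim dict for one client by running only its attached mappers."""
    claims = {}
    for mapper_id in CLIENT_MAPPERS.get(client_id, []):
        m = REALM_MAPPERS[mapper_id]
        for name, friendly, values in saml_attributes(assertion_xml):
            key = friendly if m["match"] == "FriendlyName" else name
            if key == m["attribute"] and values:
                claims[m["claim"]] = values[0] if len(values) == 1 else values
    return claims
```

A mapper keyed on FriendlyName silently produces nothing when the IdP omits that optional attribute, which is why matching on Name is the safer default for attributes that carry a stable URI.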
