[keycloak-dev] Adding IdentityProviderMappers

Stian Thorgersen sthorger at redhat.com
Thu Feb 16 03:28:21 EST 2017


You can use the internal SPIs, but bear in mind that these are not
guaranteed to be backwards compatible. They are also not supported in Red
Hat Single Sign-On.

We are planning on refining and making more and more SPIs public and
backwards compatible. However, that's a big task and we have to do it
incrementally.

Could be handy to have a built-in mapper that copies everything, would like
to see it have both inclusion and exclusion though. Maybe it should support
space-separated lists as well rather than just regex. To accept it we'd have
to have the same mapper for OIDC and SAML, it would also need to be fully
tested.

On 13 February 2017 at 11:51, <frelibert at yahoo.com> wrote:

> Hi,
> The identity-provider-mapper SPI is an internal one. Any chance you will
> make it public?
> I'd like to use it to write our own mapper. I actually already have. I know
> it is not recommended to depend on an internal spi but I have written a new
> mapper as I needed something with less work to configure the mapping of our
> brokered saml idp to user attributes. Our idp returns a lot of attributes
> and configuring each and every attribute is quite some work.
> Moreover, you currently can't export this config from one realm to another
> in the same environment. My mapper is quite similar to the
> UserAttributeMapper but not limited to one attribute. It basically takes the
> incoming assertion and maps every saml attribute it finds to a user
> attribute with the same name. It has 5 config fields:
> - optional regex in order to filter out some attribute(s) you don't want
>   to map.
> - name of attribute to use as firstName property.
> - name of attribute to use as lastName property.
> - name of attribute to use as email property.
> - option to use saml friendlyName instead of Name to map with the user
>   attribute name.
> If you are interested, I am willing to share it with you. I like Keycloak a
> lot :-)
> Kind regards,
> Frederik Libert
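
The inclusion and exclusion filtering discussed in this thread, accepting either a space-separated list or a regex, as an added example that is not code from either poster or from Keycloak. The class AttributeCopyFilter and its methods are hypothetical names, it uses no Keycloak API, and the sample attributes are constructed.

```java
import java.util.*;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/** Hypothetical helper, not a Keycloak class: decides which brokered attributes get copied. */
public class AttributeCopyFilter {
    private final Pattern include; // null = include everything
    private final Pattern exclude; // null = exclude nothing
    public AttributeCopyFilter(String include, String exclude, boolean regex) {
        this.include = compile(include, regex);
        this.exclude = compile(exclude, regex);
    }

    // A space-separated list becomes an alternation of quoted literals, so names
    // containing '.' or ':' (common in SAML attribute names) match only themselves.
    private static Pattern compile(String spec, boolean regex) {
        if (spec == null || spec.trim().isEmpty()) return null;
        if (regex) return Pattern.compile(spec);
        return Pattern.compile(Arrays.stream(spec.trim().split("\\s+"))
                .map(Pattern::quote).collect(Collectors.joining("|")));
    }

    // matches() anchors the whole name; find() would also accept any name that
    // merely contains an allowed one. Exclusion is checked first, so it wins.
    public boolean accepts(String name) {
        if (exclude != null && exclude.matcher(name).matches()) return false;
        return include == null || include.matcher(name).matches();
    }

    /** Returns only the attributes that pass the filter, in their original order. */
    public Map<String, List<String>> filter(Map<String, List<String>> incoming) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        incoming.forEach((k, v) -> { if (accepts(k)) out.put(k, v); });
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of attributes from a brokered SAML assertion.
        Map<String, List<String>> assertion = new LinkedHashMap<>();
        assertion.put("givenName", Arrays.asList("Ada"));
        assertion.put("mail", Arrays.asList("ada@example.org"));
        assertion.put("isAdmin", Arrays.asList("true"));
        assertion.put("urn:oid:2.5.4.4", Arrays.asList("Lovelace"));
        AttributeCopyFilter byList = new AttributeCopyFilter("givenName mail urn:oid:2.5.4.4", "", false);
        AttributeCopyFilter byRegex = new AttributeCopyFilter(".*", "is[A-Z].*", true);
        System.out.println(byList.filter(assertion).keySet());
        System.out.println(byRegex.filter(assertion).keySet());
    }
}
```

Both filters drop the constructed `isAdmin` attribute: the list form because it is not named in the inclusion list, the regex form because the exclusion pattern matches it.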

