[keycloak-dev] SAML users should not be identified by SAML:NameID

Hynek Mlnarik hmlnarik at redhat.com
Mon Jul 30 11:06:04 EDT 2018


Yes, please file a feature request JIRA

On Mon, Jul 30, 2018 at 3:33 PM Daniel Teixeira <ddtxra at gmail.com> wrote:

> Hello,
>
> Seems like Keycloak always uses the saml:NameID to identify a SAML user.
> In org.keycloak.broker.saml.SAMLEndpoint we see:
>
> BrokeredIdentityContext identity = new BrokeredIdentityContext(subjectNameID.getValue());
> ...
> identity.setUsername(subjectNameID.getValue());
>
> However this is not a good practice, see recommendations here:
> https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
>
> *SPs MUST NOT require the presence of a <saml:NameID> element and MUST NOT
> rely on the content of this element for long term identification of
> subjects; <saml:Attribute> elements MUST be used for this purpose in
> the manner detailed below.*
>
> IMO, Keycloak should provide a field when configuring an IdP to choose the
> custom attribute to "identify" a user. This can be the mail attribute, for
> example (urn:oid:0.9.2342.19200300.100.1.3), but it should not take this
> information from saml:NameID.
>
> Is there any way to override this in Keycloak?
> Should I create a JIRA issue?
>
> Best regards,
> Daniel Teixeira

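An added illustration, not Keycloak's own code, of the two identification strategies the post contrasts: taking the identifier from saml:NameID (what SAMLEndpoint does today) versus taking it from a configured attribute such as the mail OID above. The class and method names and the PRINCIPAL_ATTRIBUTE setting are hypothetical; the assertion is a constructed sample parsed with the JDK's DOM parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlSubjectIdentifier {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Hypothetical per-IdP setting: the attribute that identifies the user (the mail OID from the post)
    static final String PRINCIPAL_ATTRIBUTE = "urn:oid:0.9.2342.19200300.100.1.3";
    // Constructed sample assertion: a transient NameID plus a mail attribute (signature etc. omitted)
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\"><saml:Subject>"
      + "<saml:NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\">_a1b2c3</saml:NameID>"
      + "</saml:Subject><saml:AttributeStatement><saml:Attribute Name=\"" + PRINCIPAL_ATTRIBUTE + "\">"
      + "<saml:AttributeValue>alice@example.org</saml:AttributeValue>"
      + "</saml:Attribute></saml:AttributeStatement></saml:Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // assertions are untrusted input
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Current Keycloak behaviour as quoted above: the identifier is whatever the NameID carries. */
    static String identifierFromNameId(Document doc) {
        NodeList ids = doc.getElementsByTagNameNS(SAML_NS, "NameID");
        return ids.getLength() == 0 ? null : ids.item(0).getTextContent().trim();
    }

    /** Proposed behaviour: the identifier is the configured attribute; NameID is not consulted. */
    static String identifierFromAttribute(Document doc, String attrName) {
        NodeList attrs = doc.getElementsByTagNameNS(SAML_NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element a = (Element) attrs.item(i);
            if (!attrName.equals(a.getAttribute("Name"))) continue;
            NodeList vals = a.getElementsByTagNameNS(SAML_NS, "AttributeValue");
            // Require exactly one value: a missing or multi-valued identifier must fail the login, not guess
            if (vals.getLength() == 1) return vals.item(0).getTextContent().trim();
        }
        throw new IllegalStateException("assertion lacks exactly one value for " + attrName);
    }
    public static void main(String[] args) throws Exception {
        Document doc = parse(ASSERTION);
        System.out.println("NameID-based identifier:    " + identifierFromNameId(doc));
        System.out.println("attribute-based identifier: " + identifierFromAttribute(doc, PRINCIPAL_ATTRIBUTE));
    }
}
```

With a transient NameID the first strategy yields a value that changes every session, while the second yields the stable attribute the IdP was configured to release.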