[keycloak-dev] SAML users should not be identified by SAML:NameID

Josh Cain jcain at redhat.com
Mon Jul 30 11:43:23 EDT 2018


+1 for this, we're going to need it.

On Mon, 2018-07-30 at 17:06 +0200, Hynek Mlnarik wrote:
> Yes, please file a feature request JIRA
> 
> On Mon, Jul 30, 2018 at 3:33 PM Daniel Teixeira <ddtxra at gmail.com>
> wrote:
> 
> > Hello,
> > 
> > It seems Keycloak always uses the saml:NameID to identify a SAML user.
> > In org.keycloak.broker.saml.SAMLEndpoint we see:
> > 
> > BrokeredIdentityContext identity = new BrokeredIdentityContext(subjectNameID.getValue());
> > ...
> > identity.setUsername(subjectNameID.getValue());
> > 
> > However, this is not good practice; see the recommendations here:
> > https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
> > 
> > "SPs MUST NOT require the presence of a <saml:NameID> element and MUST NOT
> > rely on the content of this element for long term identification of
> > subjects; <saml:Attribute> elements MUST be used for this purpose in the
> > manner detailed below."
> > 
> > IMO, Keycloak should provide a field when configuring an IdP to choose the
> > custom attribute used to "identify" a user. This can be the mail attribute,
> > for example (urn:oid:0.9.2342.19200300.100.1.3), but it should not take this
> > information from saml:NameID.
> > 
> > Is there any way to override this in Keycloak?
> > Should I create a JIRA issue?
> > 
> > Best regards,
> > Daniel Teixeira
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > 
> 
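The point of the thread, as an added illustration that is not Keycloak's code or part of the original mails: with a transient NameID the same person gets a different saml:NameID on every login, so keying the brokered identity on it creates a new account each time, while a configured saml:Attribute (here the mail attribute the thread names) stays stable. The assertions below are constructed samples, parsed with the Python standard library only.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute the IdP is assumed to release as the stable identifier (from the thread).
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"


def _assertion(name_id: str, attributes: dict) -> str:
    """Build a constructed, unsigned sample assertion (test data only)."""
    attrs = "".join(
        f'<saml:Attribute Name="{name}" '
        f'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_c0ffee" Version="2.0" IssueInstant="2018-07-30T13:33:00Z">'
        "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        "<saml:Subject><saml:NameID "
        'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
        f"{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>"
    )


# Same user, two logins: the transient NameID changes, the mail attribute does not.
LOGIN_1 = _assertion("_4d1f9a2b7c", {MAIL_OID: "daniel@example.org"})
LOGIN_2 = _assertion("_e83b05c91f", {MAIL_OID: "daniel@example.org"})
NO_MAIL = _assertion("_77a2e0b4d9", {})  # IdP did not release the attribute


def name_id(assertion_xml: str) -> str:
    """What SAMLEndpoint keys on today: the raw saml:NameID value."""
    el = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", SAML_NS)
    return (el.text or "").strip() if el is not None else ""


def subject_identifier(assertion_xml: str, attribute_name: str = MAIL_OID) -> str:
    """saml2int style: identify the subject by a configured attribute, and
    refuse to brokerage an identity when it is absent or ambiguous."""
    root = ET.fromstring(assertion_xml)
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{attribute_name}']/saml:AttributeValue"
    values = {v.text.strip() for v in root.findall(path, SAML_NS) if v.text and v.text.strip()}
    if len(values) != 1:
        raise ValueError(f"expected exactly one value for {attribute_name}, got {sorted(values)}")
    return values.pop()
```

Running `name_id` on both sample logins yields two different accounts, while `subject_identifier` maps both to the same user and rejects the assertion that lacks the attribute instead of silently falling back to NameID.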


