<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Good feedback. We'll eventually open up the protocol mapper SPI
so that the entire assertion can be modified.<br>
</p>
<br>
<div class="moz-cite-prefix">On 9/11/16 7:43 PM, Rashmi Singh wrote:<br>
</div>
<blockquote
cite="mid:CAJ0vL++EnDKcL9F0594p8e71YjAZ6Mka1ByMWZ40WfCqdhZeFA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Looking at the Keycloak source code to see how the NameID value
is set in the SAML response, we came across the SamlProtocol class,
which has the following method:</div>
<div><br>
</div>
<pre wrap="">protected String getNameId(String nameIdFormat, ClientSessionModel clientSession, UserSessionModel userSession) {
    if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
        return userSession.getUser().getEmail();
    } else if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
        // "G-" stands for "generated". Add this for the slight possibility of collisions.
        return "G-" + UUID.randomUUID().toString();
    } else if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get())) {
        return getPersistentNameId(clientSession, userSession);
    } else if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get())) {
        // TODO: Support for persistent NameID (pseudo-random identifier persisted in user object)
        return userSession.getUser().getUsername();
    } else {
        return userSession.getUser().getUsername();
    }
}</pre>
<div><br>
</div>
<div>which just returns either the email or the username, because of
which we are restricted in the value that can be set for the
NameID. We are not able to set the NameID to any value other than
this. With our customers, we have seen a lot of cases where
users have different IDs across SPs. With the current
implementation in Keycloak, it seems we can only return Name
or Email as the NameID. Ideally, in the case of the “Unspecified” format,
we should have a mechanism to map the NameID to any user
property/attribute. Do you have any plans to add support for
this use case?</div>
<div><br>
</div>
<div>With regard to solving this problem, one option could be to
implement a protocol mapper that can be used to map any user
property/attribute to the NameID. Currently, a protocol mapper can
only be used to return a saml:Attribute, so writing a new
protocol mapper specifically for requesting the NameID would be
useful. Is this feasible? And do you have any plans to add
support for this use case?</div>
<div><br>
</div>
<div>If you are not planning to implement this, are there any
design- or implementation-level inputs/help you can provide on
this? And if we implement this protocol mapper on our side,
would it be possible to merge it back into the master branch?</div>
<div><br>
</div>
</div>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
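<p>As an added illustration, and not Keycloak's code nor the protocol mapper SPI the reply refers to, the self-contained Java sketch below reproduces the same NameID dispatch and adds what the thread asks for: when the SP requests the "unspecified" format, the value is taken from a configurable user attribute, falling back to the username if that attribute is absent or blank so that an empty NameID is never emitted. The <code>User</code> record, the <code>attributeName</code> parameter, the caller-supplied persistent id and the sample user are all assumptions made for this example.</p>

```java
import java.util.Map;
import java.util.UUID;

public class NameIdResolver {
    // SAML NameID format URIs (the values that JBossSAMLURIConstants wraps in Keycloak).
    static final String EMAIL       = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    static final String UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    static final String TRANSIENT   = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    static final String PERSISTENT  = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";

    // Minimal stand-in for Keycloak's UserModel (assumption, not the real class).
    record User(String username, String email, Map<String, String> attributes) {}

    /**
     * Resolves the NameID value for one assertion.
     * attributeName is the hypothetical mapper setting: which user attribute to emit
     * for the "unspecified" format. It should be an attribute only IdP administrators
     * can set, because the SP trusts the NameID as the user's identity.
     * persistentId stands in for getPersistentNameId(): an opaque value stored per
     * user/client pair by the caller.
     */
    static String resolveNameId(String format, User user, String attributeName, String persistentId) {
        if (EMAIL.equals(format)) {
            return user.email();
        } else if (TRANSIENT.equals(format)) {
            // Fresh per-session identifier; does not reveal a stable account identifier.
            return "G-" + UUID.randomUUID();
        } else if (PERSISTENT.equals(format)) {
            return persistentId;
        } else if (UNSPECIFIED.equals(format) && attributeName != null) {
            String mapped = user.attributes().get(attributeName);
            // A blank NameID is invalid for the SP, so fall back instead of emitting it.
            if (mapped != null && !mapped.isBlank()) {
                return mapped;
            }
        }
        // Unknown format, no mapping configured, or mapped attribute missing: same fallback as Keycloak.
        return user.username();
    }

    public static void main(String[] args) {
        // Constructed sample user; the SP-specific id lives in an admin-managed attribute.
        User alice = new User("alice", "alice@example.com", Map.of("crmUserId", "CRM-00042"));
        System.out.println(resolveNameId(UNSPECIFIED, alice, "crmUserId", null));
        System.out.println(resolveNameId(UNSPECIFIED, alice, "missingAttr", null));
        System.out.println(resolveNameId(EMAIL, alice, "crmUserId", null));
        System.out.println(resolveNameId(TRANSIENT, alice, "crmUserId", null));
    }
}
```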
</body>
</html>