[keycloak-user] SAML Custom Attribute NameID

Muein Muzamil shmuein+keycloak-dev at gmail.com
Thu Mar 2 10:41:58 EST 2017


Hi,

Currently, KeyCloak doesn't support this feature. We ended up implementing a
custom protocol mapper to support this feature. It looks something like this:

import org.apache.commons.lang.StringUtils;   // commons-lang (or lang3)
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.dom.saml.v2.protocol.ResponseType.RTChoiceType;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.saml.mappers.AbstractSAMLProtocolMapper;
import org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper;

public class SAMLLoginResponseMapperExtension extends AbstractSAMLProtocolMapper
        implements SAMLLoginResponseMapper {
    // ... (NAME_ID_USER_ATTRIBUTE config key and the other mapper methods omitted)

    public ResponseType transformLoginResponse(ResponseType response,
            ProtocolMapperModel mappingModel, KeycloakSession session,
            UserSessionModel userSession, ClientSessionModel clientSession) {

        String attributeValue = null;

        // if the attributeName is configured, read the value from the user model
        String attributeName = mappingModel.getConfig().get(NAME_ID_USER_ATTRIBUTE);
        if (StringUtils.isNotBlank(attributeName)) {
            UserModel user = userSession.getUser();
            if (StringUtils.indexOfAny(attributeName,
                    new String[] { "firstName", "lastName", "username" }) != -1) {
                // built-in user fields
                attributeValue = ProtocolMapperUtils.getUserModelValue(user, attributeName);
            } else {
                // custom user attribute (first value)
                attributeValue = KeycloakModelUtils.resolveFirstAttribute(user, attributeName);
            }
        }

        // replace the Subject NameID value in every assertion of the response;
        // leave the default NameID untouched when no value could be resolved
        if (attributeValue != null) {
            for (RTChoiceType rtChoiceType : response.getAssertions()) {
                NameIDType nameIDType = (NameIDType)
                        rtChoiceType.getAssertion().getSubject().getSubType().getBaseID();
                nameIDType.setValue(attributeValue);
            }
        }

        return response;
    }
    // ...
}

Regards,
Muein

On Wed, Mar 1, 2017 at 5:23 PM, Adam Keily <adam.keily at adelaide.edu.au>
wrote:

> Can anyone direct me on how to configure a custom attribute as the
> SubjectNameID for a SAML2 client? The format will be username but I want to
> use a custom attribute and not the username of the user.
>
> I've tried various mapping configurations but they just get sent as
> attributes alongside the subject nameid.
>
> Thanks
>
