[keycloak-user] SAML Custom Attribute NameID

Adam Keily adam.keily at adelaide.edu.au
Thu Mar 2 17:16:23 EST 2017


Thanks Muein. I’ll investigate using the custom mapper as you describe. Much appreciated.

Adam

From: shmuein at gmail.com [mailto:shmuein at gmail.com] On Behalf Of Muein Muzamil
Sent: Friday, 3 March 2017 2:12 AM
To: Adam Keily <adam.keily at adelaide.edu.au>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] SAML Custom Attribute NameID

Hi,

Currently, Keycloak doesn't support this feature. We ended up implementing a custom protocol mapper to support this feature. It is something like this.

import java.util.Arrays;

import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.dom.saml.v2.protocol.ResponseType.RTChoiceType;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.saml.mappers.AbstractSAMLProtocolMapper;
import org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper;

public class SAMLLoginResponseMapperExtension extends AbstractSAMLProtocolMapper implements SAMLLoginResponseMapper {
    // config key under which the mapper stores the attribute name (the actual key string was elided in the post)
    public static final String NAME_ID_USER_ATTRIBUTE = "name.id.user.attribute";
    // ... getId(), getDisplayType(), getConfigProperties() etc. elided in the post ...

    public ResponseType transformLoginResponse(ResponseType response, ProtocolMapperModel mappingModel,
            KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) {

        // if the attributeName is configured, read the value from the user model
        String attributeValue = null;
        String attributeName = mappingModel.getConfig().get(NAME_ID_USER_ATTRIBUTE);
        if (attributeName != null && !attributeName.trim().isEmpty()) {
            UserModel user = userSession.getUser();
            // built-in user properties are read via ProtocolMapperUtils, anything else is a custom attribute
            // (exact match; a substring search here would misclassify names such as "usernameAlias")
            if (Arrays.asList("firstName", "lastName", "username").contains(attributeName)) {
                attributeValue = ProtocolMapperUtils.getUserModelValue(user, attributeName);
            } else {
                attributeValue = KeycloakModelUtils.resolveFirstAttribute(user, attributeName);
            }
        }

        // only overwrite the NameID when a value was actually found, otherwise keep the default one
        if (attributeValue != null) {
            for (RTChoiceType rtChoiceType : response.getAssertions()) {
                NameIDType nameIDType = (NameIDType) rtChoiceType.getAssertion().getSubject().getSubType().getBaseID();
                nameIDType.setValue(attributeValue);
            }
        }

        return response;
    }
    // ... remaining ProtocolMapper methods elided in the post ...
}

Regards,
Muein

On Wed, Mar 1, 2017 at 5:23 PM, Adam Keily <adam.keily at adelaide.edu.au> wrote:
Can anyone direct me on how to configure a custom attribute as the SubjectNameID for a SAML2 client? The format will be username but I want to use a custom attribute and not the username of the user.

I've tried various mapping configurations but they just get sent as attributes alongside the Subject NameID.

Thanks

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
