[keycloak-user] Mapping SAML attributes from ADFS

Rens Verhage Rens.Verhage at topicus.nl
Tue Jun 5 02:16:48 EDT 2018


Still have one more question though. Seems like the ADFS I’m connecting with doesn’t send me the custom attributes we have agreed upon (at least I’m suspecting, not sure). Is it possible to log the decrypted assertion so that I can verify? Tried adding trace level logging, but no luck…


> On 4 Jun 2018, at 12:23, Rens Verhage <Rens.Verhage at topicus.nl> wrote:
> 
> Thanks Tony! This helped a lot.
> 
> After mapping the attributes like this everything works fine:
> 
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname -> lastName
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname -> firstName
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress -> email
> 
> 
> Rens
> 
> On 4 Jun 2018, at 11:58, Tony Harris <Tony.Harris at oneadvanced.com> wrote:
> 
> This might help get you started. This maps the surname claim in SAML to the LastName attribute in Keycloak.
> 
> The SAML names here should give you the names of the others. https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/concepts/saml_assertion_credential_token_mapping_adfs_azure.html
> 
> <image001.png>
> 
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Rens Verhage
> Sent: 04 June 2018 10:28
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Mapping SAML attributes from ADFS
> 
> Hi all,
> 
> I’m having some trouble importing users from ADFS. On first-time login, Keycloak displays the user registration form with only the username pre-filled; first name, last name and e-mail address are empty. According to the ADFS administrator, these attributes are being sent in the SAML response.
> 
> Do I have to explicitly map these attributes?
> 
> How can I log the SAML response in plain text? All SAML assertions are encrypted; how can I log / debug the mapping of user attributes?
> 
> 
> Rens
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

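As an added example (not part of the original thread and not Keycloak code): once a decrypted assertion has been captured, this Python check reports which of the three claims mapped above are present, which are missing, and which attributes arrive without a mapper. The sample assertion and its `department` attribute are constructed, and `check_attributes` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# SAML attribute name -> Keycloak user attribute, as mapped in the thread.
EXPECTED = {
    CLAIMS + "surname": "lastName",
    CLAIMS + "givenname": "firstName",
    CLAIMS + "emailaddress": "email",
}

def check_attributes(xml_text):
    """Compare the attributes in a SAML document with the expected mappers."""
    # SAML messages never need a DTD; refuse it rather than let the parser expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD found in SAML document")
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        found[attr.get("Name")] = [v for v in values if v]
    return {
        # Still encrypted: no attributes are readable until it is decrypted.
        "encrypted": root.find(".//saml:EncryptedAssertion", NS) is not None,
        "mapped": {EXPECTED[n]: v for n, v in found.items() if n in EXPECTED and v},
        "missing": sorted(kc for n, kc in EXPECTED.items() if not found.get(n)),
        "unmapped": sorted(n for n in found if n not in EXPECTED),
    }

# Constructed sample: a decrypted assertion with no emailaddress claim and one
# made-up custom attribute ("department").
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname">
      <saml:AttributeValue>Alex</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for key, value in check_attributes(SAMPLE).items():
        print(f"{key}: {value}")
```

An `encrypted` result of true with every attribute missing means the input still holds an `EncryptedAssertion`, so the attribute names cannot be verified from that capture.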