<div dir="ltr"><div><div><div>Hi Bill, all, <br><br></div>In the case of a transient-only nameid, would it be possible to create a dedicated attribute mapper in order to use, for example, the email attribute as name identifier?<br><br></div>PS: the urn:mace:shibboleth:1.0:nameIdentifier is in fact used in SAML v1 to request a nameid that is transient as well... so there is no solution that way.<br><br></div>Best regards, Jérôme.<br></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 5 Jan 2016 at 16:13, Bill Burke <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">We won't be able to support temporary ids (transient) for a while as it<br>
requires temporary user creation which requires some rearchitecting.<br>
<br>
As for "urn:mace:shibboleth:1.0:nameIdentifier" if you spec it out in a<br>
JIRA and it is simple enough to implement support for, we may be able to<br>
get it in.<br>
<br>
On 1/5/2016 8:18 AM, Jérôme Blanchard wrote:<br>
> Hi Bill,<br>
><br>
> Thanks for your answer regarding transient and temporary ids. I<br>
> understand the problem due to keycloak account creation and binding to<br>
> the IdP.<br>
> Renater is using Shibboleth; is there any work on Shibboleth<br>
> integration for keycloak?<br>
> If I look into the IdP entity descriptors of Renater, I found that it<br>
> also uses another nameid format based on the shibboleth namespace:<br>
> <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat><br>
> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><br>
><br>
> Do you think it is possible to patch the saml idp provider (or to create<br>
> another one dedicated to shibboleth) in order to integrate keycloak to<br>
> our identity federation (renater) ?<br>
><br>
> Best wishes for this upcoming year and thanks for your great work<br>
> around keycloak.<br>
><br>
> Jérôme.<br>
><br>
><br>
> On Tue, 22 Dec 2015 at 21:10, Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a><br>
> <mailto:<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>> wrote:<br>
><br>
> Our brokering doesn't support temporary user ids from the "parent" IDP.<br>
> Transient Ids in SAML or temporary ids.<br>
><br>
> On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:<br>
> > Hi,<br>
> ><br>
> > I'm trying to integrate keycloak into the French research identity<br>
> > federation (renater) and I'm facing some problems.<br>
> > Actually, when the IdP responds to keycloak I'm getting the following<br>
> > error:<br>
> > PL00084: Writer: Unsupported Attribute<br>
> > Value:org.keycloak.dom.saml.v2.assertion.NameIDType<br>
> ><br>
> > It seems that this IdP is using the transient NameID policy only, and<br>
> > using the unspecified field in the IdP config in keycloak generates this<br>
> > exception in return.<br>
> ><br>
> > The log of the keycloak server is attached.<br>
> ><br>
> > I have no idea what is happening because when I was using the test<br>
> > federation everything was working, but now that I'm in the production<br>
> > federation, login fails.<br>
> ><br>
> > The renater federation is using Shibboleth and keycloak is not supported<br>
> > by the federation moderators, so I'm alone in the dark now...<br>
> ><br>
> > Renater provides an IdP list that I have to parse and synchronize with<br>
> > the IdPs in keycloak. In return I provide a list of all endpoints for each<br>
> > keycloak-registered IdP to allow the federation IdPs to answer correctly<br>
> > to the right endpoint. All of this is done by a small web app deployed<br>
> > beside keycloak and using the REST API to synchronize all the IdPs.<br>
> ><br>
> > One of the IdP entity descriptors is attached. As you can see, only the<br>
> > transient nameid policy is supported, and if I configure keycloak to use<br>
> > email or persistent, I receive a response saying that the nameid is not<br>
> > supported:<br>
> ><br>
> > <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"<br>
> >     xmlns="urn:oasis:names:tc:SAML:2.0:assertion"<br>
> >     AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"<br>
> >     Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"<br>
> >     ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"<br>
> >     IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"<br>
> >     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"<br>
> >     Version="2.0"><br>
> >   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer><br>
> >   <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/><br>
> > </samlp:AuthnRequest><br>
> ><br>
> ><br>
> > <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"<br>
> >     Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"<br>
> >     ID="_9d03761957aade819b6823c35bbab278"<br>
> >     InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"<br>
> >     IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0"><br>
> >   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer><br>
> >   <saml2p:Status><br>
> >     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><br>
> >       <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/><br>
> >     </saml2p:StatusCode><br>
> >     <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage><br>
> >   </saml2p:Status><br>
> > </saml2p:Response><br>
> ><br>
> ><br>
> > Any help would be greatly appreciated.<br>
> ><br>
> > Thanks a lot, Jérôme.<br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > keycloak-user mailing list<br>
> > <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
> > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> ><br>
><br>
> --<br>
> Bill Burke<br>
> JBoss, a division of Red Hat<br>
> <a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
</blockquote></div>
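The exchange quoted in this thread, an AuthnRequest carrying a NameIDPolicy the IdP does not advertise, the nested InvalidNameIDPolicy status that comes back, and the proposed fallback of using an attribute such as mail as identifier when only transient NameIDs are on offer, worked through as an added example. This is not code from the thread or from Keycloak. It parses the error Response posted above, a constructed success Response with a transient NameID and mail/eduPersonPrincipalName attributes, and an EntityDescriptor constructed around the two NameIDFormat lines quoted above. The function names, the sample values and the signature-free responses are assumptions for illustration; a real broker must verify the Response signature, InResponseTo and Conditions before trusting anything in it.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for real, untrusted responses

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_SHIB1 = "urn:mace:shibboleth:1.0:nameIdentifier"  # SAML 1.x only, never requested here
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# The error response from the thread (janus.cnrs.fr rejecting the emailAddress policy),
# trimmed to the elements used below.
ERROR_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_9d03761957aade819b6823c35bbab278" InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
  IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://janus.cnrs.fr/idp</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>"""

# Constructed sample (not from the thread): what a transient-only IdP returns on success.
# Signature and Conditions are omitted; a real broker verifies both before reading anything.
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2016-01-05T15:13:00Z">
  <saml:Issuer>https://janus.cnrs.fr/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-01-05T15:13:00Z">
    <saml:Issuer>https://janus.cnrs.fr/idp</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_4f8c2e1d9b</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
        <saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml:AttributeValue>jane.doe@example.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The two NameIDFormat lines are the ones quoted in the thread; the wrapper is constructed.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://janus.cnrs.fr/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def status_codes(response_xml):
    """Nested StatusCode values, outermost first; the second-level code carries the real reason."""
    node = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    codes = []
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def choose_nameid_format(idp_metadata_xml, preferred=(FMT_PERSISTENT, FMT_EMAIL)):
    """Pick the NameIDPolicy Format for the AuthnRequest from what the IdP advertises.
    Requesting a format the IdP does not list is exactly what produced InvalidNameIDPolicy
    above, so fall back to transient rather than guessing."""
    root = ET.fromstring(idp_metadata_xml)
    advertised = {e.text.strip() for e in root.iterfind(".//md:IDPSSODescriptor/md:NameIDFormat", NS)}
    for fmt in preferred:
        if fmt in advertised:
            return fmt
    return FMT_TRANSIENT


def stable_identifier(response_xml, fallback_attrs=("mail",)):
    """Return (identifier, source) for linking the federated user to a local account.
    A non-transient NameID is used as-is. A transient NameID changes every login, so the
    first configured attribute is used instead (the attribute-mapper idea from the thread)."""
    codes = status_codes(response_xml)
    if codes != [STATUS_SUCCESS]:
        raise ValueError("not a successful response: %s" % codes)
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.get("Format") != FMT_TRANSIENT:
        return name_id.text.strip(), "NameID"
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            for key in (attr.get("Name"), attr.get("FriendlyName")):
                if key:
                    attrs[key] = value.text.strip()
    for name in fallback_attrs:
        if name in attrs:
            return attrs[name], "attribute:" + name
    raise ValueError("transient NameID and none of %s in the assertion" % (fallback_attrs,))


if __name__ == "__main__":
    print(status_codes(ERROR_RESPONSE))
    print(choose_nameid_format(IDP_METADATA))
    print(stable_identifier(SUCCESS_RESPONSE))
```

The point of choose_nameid_format is that a broker which synchronizes IdPs from federation metadata, as the poster's sync app does, can select the NameIDPolicy per IdP instead of applying one realm-wide setting, which avoids the InvalidNameIDPolicy round trip entirely. stable_identifier is the attribute-mapper idea: it only falls back to an attribute when the NameID is transient, so a persistent NameID is never silently overridden by a weaker, possibly reassignable attribute such as an e-mail address.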