On 4/18/19 7:18 PM, Dmitry Telegin wrote:
Currently, it is hardcoded [1] that FederatedIdentity's userId and
userName should be taken verbatim from SAML assertion's NameID value
(via intermediary BrokeredIdentityContext). The problem is that most
SAML IdPs provide meaningless NameIDs, like hashes or purely random
strings. In general, SAML NameID is not predictable.
Predictable NameIDs are possible with SAML but to get them you must
specify the desired NameIDPolicy in the request and the IdP must be
capable of honoring that request. Have you determined the IdPs being
utilized are incapable of honoring a NameIDPolicy of your choice?
--
John Dennis
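The reply above hinges on two things an SP operator can actually verify: whether the AuthnRequest carries a `NameIDPolicy` asking for a stable format (e.g. `persistent`), and whether the IdP's Response honors it or falls back to a transient or unspecified NameID. The following is an added example, not code from the thread or from Keycloak; it builds a minimal unsigned AuthnRequest with a `NameIDPolicy` and checks the NameID format in a Response. The issuer/ACS URLs and the two sample Responses are constructed for illustration.

```python
import uuid
import datetime
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces and the NameID format URIs from SAML Core.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# SAML Core: when a NameID carries no Format attribute, this is the implied default.
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, nameid_format=NAMEID_PERSISTENT, allow_create=True):
    """Build an unsigned AuthnRequest that asks the IdP for a specific NameID format.

    Signing and the HTTP-Redirect/POST encoding are left to the SP stack; this only
    shows where the NameIDPolicy element goes.
    """
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,          # must start with a letter or underscore
        "Version": "2.0",
        "IssueInstant": now,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    # This is the element the reply refers to: without it the IdP picks the format.
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": nameid_format,
        "AllowCreate": "true" if allow_create else "false",
    })
    return ET.tostring(req, encoding="unicode")


def requested_nameid_format(authn_request_xml):
    """Return the Format requested in an AuthnRequest's NameIDPolicy, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")


def check_nameid(response_xml, requested_format):
    """Return (honored, actual_format, value) for the NameID in a plain (unencrypted) Response.

    honored is True only when the IdP returned the format the SP asked for; a
    transient or unspecified NameID is exactly the "meaningless" value the thread
    complains about and should not be persisted as a stable user identifier.
    """
    root = ET.fromstring(response_xml)
    nameid = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nameid is None:
        return (False, None, None)
    actual = nameid.get("Format", NAMEID_UNSPECIFIED)
    return (actual == requested_format, actual, (nameid.text or "").strip())


def _sample_response(nameid_format, value):
    # Constructed sample Response; signatures and conditions are omitted on purpose.
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
        f'Version="2.0" IssueInstant="2019-04-18T19:18:00Z">'
        f'<saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-04-18T19:18:00Z">'
        f'<saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>'
        f'<saml:Subject><saml:NameID Format="{nameid_format}">{value}</saml:NameID></saml:Subject>'
        f'</saml:Assertion></samlp:Response>'
    )


# Constructed: an IdP that ignored the policy and returned a random transient id,
# and one that honored it with a stable persistent id.
SAMPLE_RESPONSE_TRANSIENT = _sample_response(NAMEID_TRANSIENT, "_c1f0e2b7a9d34d1e")
SAMPLE_RESPONSE_PERSISTENT = _sample_response(NAMEID_PERSISTENT, "user-7a1")


if __name__ == "__main__":
    req = build_authn_request("https://sp.example.invalid", "https://sp.example.invalid/acs")
    print("requested:", requested_nameid_format(req))
    for label, resp in (("transient", SAMPLE_RESPONSE_TRANSIENT), ("persistent", SAMPLE_RESPONSE_PERSISTENT)):
        print(label, check_nameid(resp, NAMEID_PERSISTENT))
```

In a real deployment the Response is signed and the Assertion may be encrypted (`saml:EncryptedAssertion`), so `check_nameid` would run after signature validation and decryption by the SP library, not on the raw POST body; it only illustrates the comparison. Parse untrusted SAML with a hardened parser (for example `defusedxml`) rather than bare `xml.etree` in production code. If the format check fails and the NameID is transient, the SP has no stable identifier from the NameID at all and must map the user from an attribute instead.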