On 2/20/2015 6:20 PM, Pedro Igor Silva wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Pedro Igor Silva" <psilva(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, February 20, 2015 8:48:53 PM
>> Subject: Re: [keycloak-dev] Claims Mapping and Identity Federation
>>
>> On 2/20/2015 11:07 AM, Pedro Igor Silva wrote:
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: keycloak-dev(a)lists.jboss.org
>>>> Sent: Friday, February 20, 2015 1:36:31 PM
>>>> Subject: Re: [keycloak-dev] Claims Mapping and Identity Federation
>>>>
>>>
>>> I'm not sure if you really need something different for SAML. The reason is
>>> that we can just ask users whether they want to use 'Name' or 'Friendly
>>> Name'.
>>>
>>> In the end, that is what really matters, right? Just knowing the name of the
>>> attribute to map to an internal one.
>>>
>>
>> From looking at the SAML document it looks like you can have attribute
>> name types (uri, basic, and unspecified). I'm not sure of the
>> difference between basic and unspecified. Do you?
> AFAIK these are about how you interpret attributes. I think you can just ignore that in
> this case. You are more interested in mapping names than in dealing with how they should be
> interpreted. Users will probably know what they are mapping.
>>
>> Then "Friendly Name" is optional.
> Yeah it is optional, but you can have something like that:
>
> <saml:Attribute
>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>     Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
>     FriendlyName="mail">
> </saml:Attribute>
>
> In this case, it is much easier to use FriendlyName when mapping than what is in Name.
> See, here there is a usage of NameFormat, in this case uri. We can just ignore ...
> If I'm correct about what you are doing, users will just say:
> Get "mail" from SAML Assertion and create an "email" claim in
> Keycloak.
The way it is going to work is that there will be a realm level page
that shows a set of mappers. You can remove and add mappers there.
There will be built-in mappers like:
"email"
"phone"
"address"
etc.
Then, per application, you attach or detach these mappers to the
application. Basically what is happening is you are attaching/detaching
transformers to the application that will be used to create tokens
and documents. Something similar will be done for brokers.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
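As an added example (not code from this thread or from Keycloak itself), here is what the mapping discussed above could look like: a few hypothetical mappers, keyed on either FriendlyName or Name, applied to a constructed assertion with NameFormat ignored as Pedro suggests. The mapper names (email, phone, address), the `match_on` field and the sample attribute values are assumptions; the mail attribute reuses the Name/FriendlyName pair quoted in the thread.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (not from a real IdP). The first attribute is the
# one quoted in the thread: an OID in Name, a readable label in FriendlyName.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26" FriendlyName="mail">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                    Name="telephoneNumber">
      <saml:AttributeValue>+1-555-0100</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapper definitions: which SAML attribute to read, whether to
# match on Name or FriendlyName, and the claim to create. NameFormat is ignored,
# as the thread suggests. "address" matches nothing in the sample assertion.
MAPPERS = [
    {"claim": "email", "match_on": "FriendlyName", "attribute": "mail"},
    {"claim": "phone", "match_on": "Name", "attribute": "telephoneNumber"},
    {"claim": "address", "match_on": "FriendlyName", "attribute": "postalAddress"},
]

def saml_attributes(assertion_xml):
    """Return (Name, FriendlyName, [values]) per namespace-qualified saml:Attribute."""
    root = ET.fromstring(assertion_xml)
    out = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        out.append((attr.get("Name"), attr.get("FriendlyName"), values))
    return out

def apply_mappers(assertion_xml, mappers):
    """Build Keycloak claims; a missing attribute yields no claim, a duplicate
    label is rejected rather than letting the last occurrence win silently."""
    claims = {}
    attrs = saml_attributes(assertion_xml)
    for m in mappers:
        idx = 0 if m["match_on"] == "Name" else 1
        hits = [a for a in attrs if a[idx] == m["attribute"]]
        if len(hits) > 1:
            raise ValueError(f"ambiguous {m['match_on']} {m['attribute']!r}")
        if hits:
            claims[m["claim"]] = hits[0][2][0] if len(hits[0][2]) == 1 else hits[0][2]
    return claims
```

Because FriendlyName is an optional label chosen by the IdP, the duplicate check matters: two attributes carrying the same label should fail the mapping loudly instead of one quietly overwriting the other.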