+1 for this, we're going to need it.
On Mon, 2018-07-30 at 17:06 +0200, Hynek Mlnarik wrote:
Yes, please file a feature request JIRA
On Mon, Jul 30, 2018 at 3:33 PM Daniel Teixeira <ddtxra(a)gmail.com> wrote:
> Hello,
>
> Seems like Keycloak always uses the saml:NameID to identify a SAML user.
> In org.keycloak.broker.saml.SAMLEndpoint we see:
>
> BrokeredIdentityContext identity = new BrokeredIdentityContext(subjectNameID.getValue());
> ...
> identity.setUsername(subjectNameID.getValue());
>
> However, this is not a good practice, see recommendations here:
>
> https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
>
> "SPs MUST NOT require the presence of a <saml:NameID> element and MUST NOT
> rely on the content of this element for long term identification of
> subjects; <saml:Attribute> elements MUST be used for this purpose in the
> manner detailed below."
>
> IMO, Keycloak should provide a field when configuring an IdP to choose the
> custom attribute to "identify" a user. This can be the mail attribute, for
> example (urn:oid:0.9.2342.19200300.100.1.3), but it should not take this
> information from saml:NameID.
>
> Is there any way to override this in Keycloak?
> Should I create a JIRA issue?
>
> Best regards,
> Daniel Teixeira
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
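An added example (my own Python, not Keycloak code) of the two behaviours the request contrasts: identifying the brokered user from saml:NameID, as SAMLEndpoint does today, versus from a configured saml:Attribute such as the mail attribute urn:oid:0.9.2342.19200300.100.1.3 named above, refusing to proceed when that attribute is missing or ambiguous rather than falling back to a possibly transient NameID. The assertion, the NameID value and the attribute values are constructed for the example.

```python
# Added example, not Keycloak's code: choose the brokered identifier from a
# configured <saml:Attribute> instead of <saml:NameID>, as saml2int recommends.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # "mail" attribute name from the thread

# Constructed sample assertion: a transient NameID plus two attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def name_id(assertion_xml):
    """Current behaviour described in the thread: identify the subject by saml:NameID."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    return node.text if node is not None else None


def attribute_identifier(assertion_xml, attribute_name):
    """Proposed behaviour: identify the subject by the configured attribute name.

    Raises ValueError when the attribute is absent or carries several values;
    the caller must not silently fall back to NameID, whose value may change.
    """
    root = ET.fromstring(assertion_xml)
    values = [
        v.text.strip()
        for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == attribute_name
        for v in a.findall("saml:AttributeValue", NS)
        if v.text and v.text.strip()
    ]
    if len(values) != 1:
        raise ValueError(f"expected exactly one value for {attribute_name}, got {values!r}")
    return values[0]
```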