The authenticator can add the value to the user session, which can be used
by a protocol mapper. Thinking about it I'm not sure if it's actually
possible to override the NameID from a protocol mapper.
Bill - wdyt?

On 5 September 2016 at 16:06, Rashmi Singh <singhrasster(a)gmail.com> wrote:
I apologize for sending reminders. I was just not sure if my query
somehow missed from being read. So, I was only trying to assure that it's
not getting missed/lost since responses to my earlier questions used to be
pretty quick. But, I am sorry if it sounded impatient though. We will
definitely look into the higher level of support as you indicated.
Meanwhile, with regard to your response to my query, my keycloak app calls
an external TokenValidator for authentication. This TokenValidator returns
an SP specific username. So, the NameID value in the SAML response needs to
be handled in the "application code" and the value needs to be changed to
the value returned from the TokenValidator during authentication. I think
using the protocol mapper, it's a one-time change with a certain value? But,
in my setup, every time, as part of authentication, my keycloak app calls an
external tokenValidator service which will return a certain value (this
value is not fixed, it could be different each time depending on various
factors, example, the user passed in authentication, the settings on the
So, I believe it needs to be handled in the code dynamically for each
authentication, so when a SAML response is created on keycloak (I am not
sure where and how it's done internally by keycloak though), we need to be
able to write some code that can be used to edit the NameID in the SAML
response with a dynamic value that we fetched from a call to an external
service (TokenValidator) during that specific authentication. I hope my
question is more clear now. Let me know if not.

On Mon, Sep 5, 2016 at 1:49 AM, Stian Thorgersen <sthorger(a)redhat.com>
> This is a free community forum so please be patient. We are not always
> able to provide an answer straight away. If you are interested in a higher
> level of support please consider our supported option
> I'm not quite following what your setup is, but you can modify the SAML
> assertions through protocol mappers for the client in the Keycloak admin
> On 2 September 2016 at 07:11, Rashmi Singh <singhrasster(a)gmail.com>
>> Can someone please give some pointers on if this is even possible? If
>> yes, then what needs to be done for this?
>> It's an urgent requirement for us, so any help on this will be very much
>> On Wed, Aug 31, 2016 at 8:28 AM, Rashmi Singh <singhrasster(a)gmail.com>
>>> Any help on this?
>>> On Mon, Aug 29, 2016 at 9:32 PM, Rashmi Singh <singhrasster(a)gmail.com>
>>>> I have a keycloak app that calls an external TokenValidator for
>>>> authentication. This TokenValidator returns an SP specific username value.
>>>> want my SAML response to contain this value in the NameID field. My
>>>> question is how do I edit the SAML response to change the value in
>>>> field to this value?
>>>> Any insight into how to edit the NameID field in the SAML response?