Thanks Muein. I’ll investigate using the custom mapper as you describe. Much
appreciated.
Adam
From: shmuein(a)gmail.com [mailto:shmuein@gmail.com] On Behalf Of Muein Muzamil
Sent: Friday, 3 March 2017 2:12 AM
To: Adam Keily <adam.keily(a)adelaide.edu.au>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] SAML Custom Attribute NameID
Hi,
Currently, Keycloak doesn't support this feature. We ended up implementing a custom
protocol mapper to support this feature. It is something like this.
public class SAMLLoginResponseMapperExtension extends AbstractSAMLProtocolMapper
        implements SAMLLoginResponseMapper {
    ...................
    public ResponseType transformLoginResponse(ResponseType response,
            ProtocolMapperModel mappingModel,
            KeycloakSession session, UserSessionModel userSession,
            ClientSessionModel clientSession) {
        // value to place in the Subject NameID; stays null if nothing is resolved
        String attributeValue = null;
        // if the attributeName is configured, read the value from the user model
        String attributeName = mappingModel.getConfig().get(NAME_ID_USER_ATTRIBUTE);
        if (StringUtils.isNotBlank(attributeName)) {
            UserModel user = userSession.getUser();
            // built-in user properties are read from the model, anything else from the user's attributes
            if (StringUtils.indexOfAny(attributeName, new String[]
                    { "firstName", "lastName", "username" }) != -1) {
                attributeValue = ProtocolMapperUtils.getUserModelValue(user, attributeName);
            } else {
                attributeValue = KeycloakModelUtils.resolveFirstAttribute(user, attributeName);
            }
        }
        // keep the existing NameID when no value was resolved, instead of overwriting it with null
        if (attributeValue != null) {
            for (RTChoiceType rtChoiceType : response.getAssertions()) {
                NameIDType nameIDType = (NameIDType)
                        rtChoiceType.getAssertion().getSubject().getSubType().getBaseID();
                nameIDType.setValue(attributeValue);
            }
        }
        return response;
    }
    ..................
}
Regards,
Muein
On Wed, Mar 1, 2017 at 5:23 PM, Adam Keily <adam.keily@adelaide.edu.au> wrote:
Can anyone direct me on how to configure a custom attribute as the SubjectNameID for a
SAML2 client? The format will be username but I want to use a custom attribute and not the
username of the user.
I've tried various mapping configurations but they just get sent as attributes
alongside the subject nameid.
Thanks
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
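
To confirm that a mapper like the one in the reply above really puts the custom attribute into the Subject NameID, rather than sending it only as an attribute alongside it, the SAML response can be inspected. The following is an added example, not part of the original thread and not Keycloak code. The class NameIdCheck, the attribute name staffId and all sample values are constructed, and it inspects an unsigned sample only, without signature validation.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class NameIdCheck {
    static final String NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample response (unsigned, trimmed); all values are made up.
    static String sample(String nameId) {
        return "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"" + NS + "\">"
             + "<saml:Assertion><saml:Subject>" + nameId + "</saml:Subject>"
             + "<saml:AttributeStatement><saml:Attribute Name=\"staffId\">"
             + "<saml:AttributeValue>a1234567</saml:AttributeValue>"
             + "</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>";
    }

    /** Returns one finding per assertion whose Subject NameID is missing, blank or not the expected value. */
    static List<String> check(String xml, String expected) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DTDs so the checking tool itself is not exposed to XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList assertions = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS(NS, "Assertion");
        List<String> findings = new ArrayList<>();
        if (assertions.getLength() == 0) findings.add("response contains no assertion");
        for (int i = 0; i < assertions.getLength(); i++) {
            NodeList subjects = ((Element) assertions.item(i)).getElementsByTagNameNS(NS, "Subject");
            String value = null;
            // Only a NameID that is a direct child of Subject counts, not one inside SubjectConfirmation.
            for (Node n = subjects.getLength() == 0 ? null : subjects.item(0).getFirstChild(); n != null; n = n.getNextSibling()) {
                if (NS.equals(n.getNamespaceURI()) && "NameID".equals(n.getLocalName())) value = n.getTextContent().trim();
            }
            if (value == null || value.isEmpty()) findings.add("assertion " + i + ": Subject has no NameID value");
            else if (!value.equals(expected)) findings.add("assertion " + i + ": NameID is '" + value + "', expected '" + expected + "'");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(check(sample("<saml:NameID>a1234567</saml:NameID>"), "a1234567")); // custom attribute sent as NameID
        System.out.println(check(sample("<saml:NameID>jdoe</saml:NameID>"), "a1234567"));     // username still sent as NameID
        System.out.println(check(sample("<saml:NameID/>"), "a1234567"));                       // attribute unset on the user
    }
}
```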