Hi,
Currently, Keycloak doesn't support this feature. We ended up implementing a
custom protocol mapper to support this feature. It is something like this:
import org.apache.commons.lang3.StringUtils; // assumed: Apache Commons Lang
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.dom.saml.v2.protocol.ResponseType.RTChoiceType;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.saml.mappers.AbstractSAMLProtocolMapper;
import org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper;

public class SAMLLoginResponseMapperExtension extends
        AbstractSAMLProtocolMapper implements SAMLLoginResponseMapper {
    // ...
    public ResponseType transformLoginResponse(ResponseType response,
            ProtocolMapperModel mappingModel, KeycloakSession session,
            UserSessionModel userSession, ClientSessionModel clientSession) {
        String attributeValue = null;
        // if the attributeName is configured, read the value from the user model
        String attributeName = mappingModel.getConfig().get(NAME_ID_USER_ATTRIBUTE);
        if (StringUtils.isNotBlank(attributeName)) {
            UserModel user = userSession.getUser();
            if (StringUtils.indexOfAny(attributeName,
                    new String[] { "firstName", "lastName", "username" }) != -1) {
                // built-in UserModel properties
                attributeValue = ProtocolMapperUtils.getUserModelValue(user, attributeName);
            } else {
                // custom attributes stored in the user's attribute map
                attributeValue = KeycloakModelUtils.resolveFirstAttribute(user, attributeName);
            }
        }
        // only override the NameID when a value was actually resolved;
        // otherwise keep the NameID Keycloak generated
        if (StringUtils.isNotBlank(attributeValue)) {
            for (RTChoiceType rtChoiceType : response.getAssertions()) {
                NameIDType nameIDType = (NameIDType)
                        rtChoiceType.getAssertion().getSubject().getSubType().getBaseID();
                nameIDType.setValue(attributeValue);
            }
        }
        return response;
    }
    // ...
}
Regards,
Muein
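For reference, a complete mapper of this kind, added here as an example (it is neither Muein's code nor a mapper shipped with Keycloak). The class name, provider id, display strings and the `user.attribute` config key are chosen for this example; it targets the `SAMLLoginResponseMapper` signature quoted above. Compared with the snippet, it keeps Keycloak's default NameID when the configured attribute is missing or empty for the user, and it skips assertions whose `getAssertion()` is null (encrypted assertions) instead of throwing.

```java
package com.example.keycloak.saml; // hypothetical package, chosen for this example

import java.util.ArrayList;
import java.util.List;

import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.BaseIDAbstractType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.assertion.SubjectType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.dom.saml.v2.protocol.ResponseType.RTChoiceType;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.saml.mappers.AbstractSAMLProtocolMapper;
import org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Replaces the Subject NameID of each assertion in the SAML login response
 * with the value of a configured user attribute. Example code; the provider
 * id and config key below are assumptions made for this example.
 */
public class UserAttributeNameIdMapper extends AbstractSAMLProtocolMapper
        implements SAMLLoginResponseMapper {

    public static final String PROVIDER_ID = "saml-user-attribute-nameid-mapper";
    public static final String USER_ATTRIBUTE = "user.attribute";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // one text field in the admin console: which attribute to use
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(USER_ATTRIBUTE);
        p.setLabel("User attribute");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        p.setHelpText("User attribute whose value becomes the Subject NameID.");
        CONFIG.add(p);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayCategory() { return "NameID"; }
    @Override public String getDisplayType() { return "User attribute as NameID"; }
    @Override public String getHelpText() { return "Use a user attribute as the Subject NameID."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    public ResponseType transformLoginResponse(ResponseType response,
                                               ProtocolMapperModel mappingModel,
                                               KeycloakSession session,
                                               UserSessionModel userSession,
                                               ClientSessionModel clientSession) {
        String attributeName = mappingModel.getConfig().get(USER_ATTRIBUTE);
        if (attributeName == null || attributeName.trim().isEmpty()) {
            return response; // mapper not configured: keep the default NameID
        }
        String value = resolveValue(userSession.getUser(), attributeName);
        if (value == null || value.trim().isEmpty()) {
            // no value for this user: keep the default NameID rather than
            // emitting an empty subject the SP may reject or mis-match
            return response;
        }
        for (RTChoiceType choice : response.getAssertions()) {
            AssertionType assertion = choice.getAssertion();
            if (assertion == null || assertion.getSubject() == null) continue; // e.g. encrypted
            SubjectType.STSubType subType = assertion.getSubject().getSubType();
            if (subType == null) continue;
            BaseIDAbstractType baseId = subType.getBaseID();
            if (baseId instanceof NameIDType) {
                ((NameIDType) baseId).setValue(value);
            }
        }
        return response;
    }

    /** Built-in UserModel fields first, then the free-form attribute map. */
    static String resolveValue(UserModel user, String attributeName) {
        switch (attributeName) {
            case "username":  return user.getUsername();
            case "email":     return user.getEmail();
            case "firstName": return user.getFirstName();
            case "lastName":  return user.getLastName();
            default:          return KeycloakModelUtils.resolveFirstAttribute(user, attributeName);
        }
    }
}
```

The class is picked up only if it is listed in `META-INF/services/org.keycloak.protocol.ProtocolMapper` inside the deployed jar; after that it appears in the client's mapper list under the display type above. Whatever attribute is chosen must be unique per user and not editable by the user through the account console, otherwise two accounts could present the same NameID to the service provider.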
On Wed, Mar 1, 2017 at 5:23 PM, Adam Keily <adam.keily(a)adelaide.edu.au>
wrote:
Can anyone direct me on how to configure a custom attribute as the
SubjectNameID for a SAML2 client? The format will be username but I want to
use a custom attribute and not the username of the user.
I've tried various mapping configurations but they just get sent as
attributes alongside the subject nameid.
Thanks
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user