Hi Jared,
Setting the Name ID Format does not set the NameID field value to the email
address of the user model. Whatever I set it to, the only value I can see
in the SAML response is the realm user's username.
Thanks for pointing to the persistent Name ID configuration. Just to
confirm, to make this work, one will also have to configure a Property
Mapper in the SAML Client configuration with the following details:
Protocol: saml
Name: Swap NameID username for email
Consent Required: off
Mapper Type: User Attribute
User Attribute: email
Friendly Name: Email
SAML Attribute Name: saml.persistent.name.id.for.$clientId
SAML Attribute NameFormat: Unspecified
Does that look about right?
Thanks,
Niels
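A quick way to confirm whether a mapper change actually took effect is to decode the SAMLResponse that Keycloak posts to the service provider's ACS endpoint and inspect the Subject NameID directly, rather than inferring it from the SP's behaviour. The script below is an added example, not code from this thread or from Keycloak: the two responses it parses are constructed samples (the client id `myclient`, the username `nbertram` and the address `niels@example.com` are placeholders), and it only reads the assertion; it does not verify the response signature, which the SP must still do before trusting any value in it.

```python
import base64
from xml.etree import ElementTree as ET

# Namespaces used in a SAML 2.0 Response/Assertion
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def _response(name_id_format, name_id_value, attribute_name, attribute_value):
    """Build a minimal, unsigned SAML Response (constructed sample, not a real capture)
    and base64-encode it the way it would appear in the SAMLResponse form field."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">{name_id_value}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{attribute_name}" FriendlyName="Email">
        <saml:AttributeValue>{attribute_value}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


# Sample 1: the symptom described in the thread -- the NameID still carries the
# username even though the format was switched to emailAddress (placeholder values).
SAMPLE_USERNAME_IN_NAMEID = _response(
    EMAIL_FORMAT, "nbertram", "email", "niels@example.com")

# Sample 2: what the persistent-format mapper is meant to produce -- the email
# address in the NameID, with the per-client attribute present as well.
SAMPLE_EMAIL_IN_NAMEID = _response(
    PERSISTENT_FORMAT, "niels@example.com",
    "saml.persistent.name.id.for.myclient", "niels@example.com")


def extract_name_id(saml_response_b64):
    """Return (Format, value) of the first Subject NameID in a base64 SAMLResponse,
    or (None, None) if the assertion carries no NameID.
    For responses from an untrusted party, parse with defusedxml instead of ElementTree."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None:
        return None, None
    return node.get("Format"), (node.text or "").strip()


def name_id_check(saml_response_b64, expected_email):
    """Report whether the NameID is the expected email and whether the declared
    Format is consistent with its value (an emailAddress format must carry an address)."""
    fmt, value = extract_name_id(saml_response_b64)
    return {
        "format": fmt,
        "value": value,
        "is_expected_email": value == expected_email,
        "format_consistent": fmt != EMAIL_FORMAT or "@" in (value or ""),
    }


if __name__ == "__main__":
    for label, sample in (("username in NameID", SAMPLE_USERNAME_IN_NAMEID),
                          ("email in NameID", SAMPLE_EMAIL_IN_NAMEID)):
        print(label, name_id_check(sample, "niels@example.com"))
```

Run it against a real SAMLResponse by pasting the base64 value from the POST to the ACS URL in place of the constructed samples; a `format_consistent` of `False` flags the mismatch in the thread, where the format says emailAddress but the value is a plain username.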
On Sat, Oct 15, 2016 at 12:54 AM, Jared Blashka <jblashka(a)redhat.com> wrote:
Does setting the 'Name ID Format' option to email in the client settings
not accomplish what you're looking for? That's supposed to use the user's
email address as the NameID.
Failing that, I know that if you use the 'persistent' Name ID format you
can set an attribute of saml.persistent.name.id.for.$clientId for a user
and the value of that field gets used as the NameID.
Jared
On Thu, Oct 13, 2016 at 10:31 PM, Niels Bertram <nielsbne(a)gmail.com>
wrote:
> Hi guys,
>
> I have a requirement to map a user email to the /saml:Subject/saml:NameID
> field in a Keycloak SAML client. I can see that someone else is asking for
> the same at
> http://stackoverflow.com/questions/39854398/sending-username-emailid-in-the-saml-req-as-nameid-to-keycloak
> without much luck. The mapper only maps attributes while I need to change
> the subjects identifier.
>
> Could anyone help with a thought on how that can be achieved?
>
> Many thanks,
> Niels
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user