7:01 a.m.
Hi,
we are still evaluating keycloak vs. simplesamlphp.
What we find quite convenient using simplesamlphp is this authentication
processing attributealter possibility:
https://simplesamlphp.org/docs/stable/core:authproc_attributealter
Using this especially with the feature to be able to use regex pattern
matching it is quite easy to combine/construct certain SAML attributes
in the way the SP needs it.
For example we could add a fixed top level domain to the IDPEmail
Attribute, where the SP needs it in the syntax username(a)domain.tld
instead of username as retrieved by our LDAP backend system.
One real example from our current simplesamlphp configuration:
30 => array(
'class' => 'core:AttributeAlter',
'subject' => 'uid',
'pattern' => '/([a-z]+)/',
'replacement' => '\1(a)domain.tld',
'target' => 'IDPEmail',
),
I could not find any similar feature within keycloak or did I just
overseen it?
Cheers Jonas
7:22 a.m.
It's not there yet. Similar functionality has already been requested
in [1]. Could you please comment on your use expected case there and
if interested, vote for it?
Thanks
--Hynek
[1] https://issues.jboss.org/browse/KEYCLOAK-4781
On Fri, Oct 6, 2017 at 2:01 PM, Jonas Weismueller <jw(a)blue-yonder.com> wrote:
Hi,
we are still evaluating keycloak vs. simplesamlphp.
What we find quite convenient using simplesamlphp is this authentication
processing attributealter possibility:
https://simplesamlphp.org/docs/stable/core:authproc_attributealter
Using this especially with the feature to be able to use regex pattern
matching it is quite easy to combine/construct certain SAML attributes
in the way the SP needs it.
For example we could add a fixed top level domain to the IDPEmail
Attribute, where the SP needs it in the syntax username(a)domain.tld
instead of username as retrieved by our LDAP backend system.
One real example from our current simplesamlphp configuration:
30 => array(
'class' => 'core:AttributeAlter',
'subject' => 'uid',
'pattern' => '/([a-z]+)/',
'replacement' => '\1(a)domain.tld',
'target' => 'IDPEmail',
),
I could not find any similar feature within keycloak or did I just
overseen it?
Cheers Jonas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
7:15 a.m.
I looked into the PR and it looks like, that this PR is primarily for a
broker configuration, whereas I need it as a "User Federation => Ldap =>
LDAP Mappers" mapper.
@Hynek: Will this mapper be easy adaptable to the LDAP mappers as well?
Cheers Jonas
On 10/06/17 14:22, Hynek Mlnarik wrote:
It's not there yet. Similar functionality has already been
requested
in [1]. Could you please comment on your use expected case there and
if interested, vote for it?
Thanks
--Hynek
[1] https://issues.jboss.org/browse/KEYCLOAK-4781
On Fri, Oct 6, 2017 at 2:01 PM, Jonas Weismueller <jw(a)blue-yonder.com> wrote:
> Hi,
>
> we are still evaluating keycloak vs. simplesamlphp.
>
> What we find quite convenient using simplesamlphp is this authentication
> processing attributealter possibility:
>
> https://simplesamlphp.org/docs/stable/core:authproc_attributealter
>
> Using this especially with the feature to be able to use regex pattern
> matching it is quite easy to combine/construct certain SAML attributes
> in the way the SP needs it.
>
> For example we could add a fixed top level domain to the IDPEmail
> Attribute, where the SP needs it in the syntax username(a)domain.tld
> instead of username as retrieved by our LDAP backend system.
>
> One real example from our current simplesamlphp configuration:
>
> 30 => array(
> 'class' => 'core:AttributeAlter',
> 'subject' => 'uid',
> 'pattern' => '/([a-z]+)/',
> 'replacement' => '\1(a)domain.tld',
> 'target' => 'IDPEmail',
> ),
>
>
> I could not find any similar feature within keycloak or did I just
> overseen it?
>
> Cheers Jonas
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
1:52 p.m.
Might not be easily adaptable but I see the value of such a mapper in both
areas (both broker and LDAP), and when being developed, it would be nice to
provide same feature set. Hence feel free to either add a comment to
KEYCLOAK-4781 or file a new feature request linked to the same JIRA.
Thanks
--Hynek
On Fri, Oct 13, 2017 at 2:15 PM, Jonas Weismueller <jw(a)blue-yonder.com>
wrote:
I looked into the PR and it looks like, that this PR is primarily for
a
broker configuration, whereas I need it as a "User Federation => Ldap =>
LDAP Mappers" mapper.
@Hynek: Will this mapper be easy adaptable to the LDAP mappers as well?
Cheers Jonas
On 10/06/17 14:22, Hynek Mlnarik wrote:
> It's not there yet. Similar functionality has already been requested
> in [1]. Could you please comment on your use expected case there and
> if interested, vote for it?
>
> Thanks
>
> --Hynek
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-4781
>
> On Fri, Oct 6, 2017 at 2:01 PM, Jonas Weismueller <jw(a)blue-yonder.com>
> wrote:
>
>> Hi,
>>
>> we are still evaluating keycloak vs. simplesamlphp.
>>
>> What we find quite convenient using simplesamlphp is this authentication
>> processing attributealter possibility:
>>
>> https://simplesamlphp.org/docs/stable/core:authproc_attributealter
>>
>> Using this especially with the feature to be able to use regex pattern
>> matching it is quite easy to combine/construct certain SAML attributes
>> in the way the SP needs it.
>>
>> For example we could add a fixed top level domain to the IDPEmail
>> Attribute, where the SP needs it in the syntax username(a)domain.tld
>> instead of username as retrieved by our LDAP backend system.
>>
>> One real example from our current simplesamlphp configuration:
>>
>> 30 => array(
>> 'class' => 'core:AttributeAlter',
>> 'subject' => 'uid',
>> 'pattern' => '/([a-z]+)/',
>> 'replacement' => '\1(a)domain.tld',
>> 'target' => 'IDPEmail',
>> ),
>>
>>
>> I could not find any similar feature within keycloak or did I just
>> overseen it?
>>
>> Cheers Jonas
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
--
--Hynek
2649
days inactive
2656
days old
3 comments
2 participants
participants (2)
-
Hynek Mlnarik -
Jonas Weismueller