6:08 p.m.
I am currently using Keycloak 1.1.0.Final, trying to enable SSO between two apps with an
Active Directory user store. I have keycloak connected to the AD directly in my realm and
have sync'ed the users. I can successfully login in to one of my apps. However, the
other app requires an 'email' claim, which is missing. It looks like the AD uses
just 'mail'. Is there any way to make this simple claim mapping in keycloak?
Randall Theobald
Common Engineering - Performance
Dell Software Group | Office of the CTO
randall_theobald at dell.com<mailto:randall_theobald@dell.com> | RR1-C336
8:14 p.m.
Hi,
Currently it's hardcoded so that LDAP attribute "mail" is mapped to
UserModel.email property. We have opened JIRA for dynamic mappings of
attributes from LDAP to the user attributes/properties and I hope to
start on it later this month.
However it looks that for your case, hardcoded mapping should be
sufficient for the email property. When you synced users, are you seeing
in admin console that synced users have filled email from the Active
Directory? If yes, then only issue is maybe propagating the email value
as attribute in the SAML response. Bill is working on protocol mappers
and this use-case is handled by it AFAIK. You can try latest Keycloak
master though.
Marek
On 11.3.2015 18:08, Randall_Theobald(a)dell.com wrote:
I am currently using Keycloak 1.1.0.Final, trying to enable SSO
between two apps with an Active Directory user store. I have keycloak
connected to the AD directly in my realm and have sync’ed the users. I
can successfully login in to one of my apps. However, the other app
requires an ‘email’ claim, which is missing. It looks like the AD uses
just ‘mail’. Is there any way to make this simple claim mapping in
keycloak?
*Randall Theobald *
Common Engineering– Performance
Dell Software Group | Office of the CTO
randall_theobald at dell.com <mailto:randall_theobald@dell.com> |
RR1-C336
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:48 p.m.
Dell Customer Communication
Yes, I captured the SAMLResponse from Keycloak and it is behaving properly. Turned out the
receiving app wasn't parsing the SAMLResponse correctly. Thanks,
Randall Theobald
Common Engineering - Performance
Dell Software Group | Office of the CTO
randall_theobald at dell.com<mailto:randall_theobald@dell.com> | RR1-C336
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Wednesday, March 11, 2015 2:15 PM
To: Theobald, Randall; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] SAML claim/user attribute mapping from LDAP integration
Hi,
Currently it's hardcoded so that LDAP attribute "mail" is mapped to
UserModel.email property. We have opened JIRA for dynamic mappings of attributes from LDAP
to the user attributes/properties and I hope to start on it later this month.
However it looks that for your case, hardcoded mapping should be sufficient for the email
property. When you synced users, are you seeing in admin console that synced users have
filled email from the Active Directory? If yes, then only issue is maybe propagating the
email value as attribute in the SAML response. Bill is working on protocol mappers and
this use-case is handled by it AFAIK. You can try latest Keycloak master though.
Marek
On 11.3.2015 18:08, Randall_Theobald@dell.com<mailto:Randall_Theobald@dell.com>
wrote:
I am currently using Keycloak 1.1.0.Final, trying to enable SSO between two apps with an
Active Directory user store. I have keycloak connected to the AD directly in my realm and
have sync'ed the users. I can successfully login in to one of my apps. However, the
other app requires an 'email' claim, which is missing. It looks like the AD uses
just 'mail'. Is there any way to make this simple claim mapping in keycloak?
Randall Theobald
Common Engineering - Performance
Dell Software Group | Office of the CTO
randall_theobald at dell.com<mailto:randall_theobald@dell.com> | RR1-C336
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
3327
days inactive
3327
days old
2 comments
2 participants
participants (2)
-
Marek Posolda -
Randall_Theobald@dell.com