I ran your example and was able to add sub as an attribute on the user this way:
1 - make sure you have the userinfo endpoint configured on the identity provider
2 - and an attribute importer configured on your identity provider. My mapper linked claim = sub to user attribute name = sub.
I deleted the user several times to test, so I'm not 100% sure that it isn't linked to first broker login - but you should get some results.
I don't know whether you've tried this already, but if you add the following to your standalone.xml it will log the user profile JSON to the server.log. This is useful for debugging mappers etc.
<logger category="org.keycloak.social.user_profile_dump">
    <level name="DEBUG"/>
</logger>
Simon.
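The two mapper configurations discussed in this thread, side by side, as an added example that is not from the original message or from Keycloak itself: it builds the admin REST API representations for the identity-provider "Attribute Importer" and the client "User Attribute" mapper, then dry-runs them against a constructed profile dump of the kind the user_profile_dump logger prints. The realm name, IdP alias, target claim name and the sample profile are placeholders; the REST paths in the docstrings are the standard Keycloak admin endpoints and the mapper type ids are Keycloak's own.

```python
REALM = "demo"               # placeholder realm name
IDP_ALIAS = "legacy-oidc"    # placeholder identity provider alias
TARGET_CLAIM = "legacy_sub"  # distinct name: a token's own "sub" is Keycloak's user id

def attribute_importer(claim, attribute):
    """IdP mapper "Attribute Importer"; POST /admin/realms/{REALM}/identity-provider/instances/{IDP_ALIAS}/mappers"""
    return {
        "name": f"import-{claim}",
        "identityProviderAlias": IDP_ALIAS,
        "identityProviderMapper": "oidc-user-attribute-idp-mapper",
        "config": {"claim": claim, "user.attribute": attribute},
    }

def user_attribute_claim_mapper(attribute, claim_name):
    """Client mapper "User Attribute"; POST /admin/realms/{REALM}/clients/{client-uuid}/protocol-mappers/models"""
    return {
        "name": f"{attribute}-to-{claim_name}",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",
        "config": {"user.attribute": attribute, "claim.name": claim_name,
                   "jsonType.label": "String", "access.token.claim": "true",
                   "id.token.claim": "true", "userinfo.token.claim": "true"},
    }

def claim_value(profile, claim):
    """Resolve a claim from the dumped profile; dots select nested keys."""
    value = profile
    for part in claim.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def dry_run(profile, importer, claim_mapper):
    """Simulate both hops: import at first broker login, then token issuance.
    A claim absent from the profile yields no attribute and no token claim."""
    attrs = {}
    value = claim_value(profile, importer["config"]["claim"])
    if value is not None:
        attrs[importer["config"]["user.attribute"]] = value
    cfg = claim_mapper["config"]
    token = {}
    if cfg["access.token.claim"] == "true" and cfg["user.attribute"] in attrs:
        token[cfg["claim.name"]] = attrs[cfg["user.attribute"]]
    return attrs, token

# Constructed sample of what the user_profile_dump logger prints for one login
SAMPLE_PROFILE = {"sub": "provider-user-0001", "email": "user@example.com"}
```

Keycloak's importers have historically run only at first broker login (newer releases add a sync mode option on the mapper), so deleting and re-linking the user, as Simon did, is how to retest an importer change.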
On Thu, Oct 26, 2017 at 12:31 PM, Ruh, Garret <garret.ruh(a)optum.com> wrote:
It’s that first step (mapping the provider user ID to an attribute) we’re having trouble with. We’ve successfully got a mapper set up to put the attribute into the access token.
On 10/25/17, 10:05 AM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Simon Payne" <keycloak-user-bounces(a)lists.jboss.org on behalf of simonpayne58(a)gmail.com> wrote:
Hi, I've been looking at something similar recently. It is possible.
If you have reached the point where you can see the value from the identity provider token as an attribute in the broker user, then the last step is to add a mapper on the client to add this attribute as a claim.
Regards,
Simon.
On Wed, Oct 25, 2017 at 1:19 PM, Ruh, Garret <garret.ruh(a)optum.com> wrote:
> Following up here, we’re still running into this issue. Without the ability to map IDP identifiers to user attributes (and then inject that attribute into the access token), migrating from single-IDP auth to Keycloak-brokered auth becomes fairly difficult, as existing data stores still use the original IDP’s identifier.
>
> Any thoughts or pointers to relevant documentation are much appreciated.
>
>
> Garret Ruh
>
> On 10/17/17, 6:25 PM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Ruh, Garret" <keycloak-user-bounces(a)lists.jboss.org on behalf of garret.ruh(a)optum.com> wrote:
>
> Context: Using Keycloak as an OpenID Connect identity broker, and onboarding an IDP.
>
> Is it possible to map a provider user ID (from an OpenID Connect identity provider – so the value in the sub claim) to a user attribute? Have attempted using an "Attribute Importer" mapper w/ claim "sub" to no avail. End goal is to include that attribute (if it exists) in generated access tokens so that applications can still reference the provider user ID during a transitional period.
>
> Seems like it’d be a pretty common use case, so apologies if this has been asked and answered before. Could be missing the applicable search term(s).
>
>
> Regards,
> Garret Ruh
>
> This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user