[keycloak-dev] brokerid + subject for brokered username?
Bill Burke
bburke at redhat.com
Tue Mar 24 13:54:53 EDT 2015
I wanted brokerAlias + "." + external_username for backchannel logout when
the external IDP is initiating the logout in the background. An
external SAML IDP sends a subject name and optionally a session index.
These external attributes must be mapped to a UserSession in Keycloak so
the logout can be performed. Same sort of thing would need to be done
for chained keycloak realms.

It's easier to implement if it is brokerAlias + "." + external_username.
It could be implemented by doing a UserSessionModel query by Note
name/value, but then this would require changes across all the
sessionModel data stores and eventually would have to be optimized for
each as well.

On 3/24/2015 1:21 PM, Stian Thorgersen wrote:
> A username like that is pointless IMO.
>
> Using username from broker actually has a pretty high chance of clash, especially for social logins. I very often can't get my preferred username when signing up to sites, and judging on how many saly9581 there are out there that's a common problem. That's why username for social logins used to be a UUID, but was for some reason changed.
>
> For users provisioned through idp logins we should set the username to null, or equal to the user-id. When a user has a null username or username is equal to user-id it should not be displayed in account management, instead we could add an option to allow the user to set the username.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, 24 March, 2015 4:58:24 PM
>> Subject: [keycloak-dev] brokerid + subject for brokered username?
>>
>> Although a remote possibility, it might be possible for usernames to
>> clash when there are multiple brokers. Anybody have a problem with
>> creating usernames of:
>>
>> brokerAlias + "." + external_username
>>
>> ??
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
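
The two lookup strategies weighed in the message above, as an added example that is not part of the original thread and is not Keycloak code: resolving a backchannel logout (broker alias, subject, optional session index) through the composed username versus through a query on session notes. Every class, method and note name here is hypothetical, and the logins in `main` are constructed sample data.

```java
import java.util.*;
// Added illustration (Java 16+). All names are hypothetical; this is not Keycloak's API.
public class BrokeredLogoutLookup {
    // Stand-in for a user session: owning username plus free-form notes.
    record Session(String id, String username, Map<String, String> notes) {}
    private final Map<String, List<Session>> byUsername = new HashMap<>();
    private final List<Session> all = new ArrayList<>();

    static String brokeredUsername(String alias, String extUser) { return alias + "." + extUser; }

    // Record a brokered login; sessionIndex may be null because the IDP sends it optionally.
    Session login(String id, String brokerAlias, String subject, String sessionIndex) {
        Map<String, String> notes = new HashMap<>();
        notes.put("broker", brokerAlias);
        notes.put("subject", subject);
        if (sessionIndex != null) notes.put("sessionIndex", sessionIndex);
        Session s = new Session(id, brokeredUsername(brokerAlias, subject), notes);
        byUsername.computeIfAbsent(s.username(), k -> new ArrayList<>()).add(s);
        all.add(s);
        return s;
    }

    // Shared filter: same broker, same subject, and same index when the request carries one.
    static boolean matches(Session s, String brokerAlias, String subject, String sessionIndex) {
        return brokerAlias.equals(s.notes().get("broker"))
            && subject.equals(s.notes().get("subject"))
            && (sessionIndex == null || sessionIndex.equals(s.notes().get("sessionIndex")));
    }

    // Approach 1: keyed lookup on the composed username, then filter. The note check also
    // keeps "a" + "." + "b.c" and "a.b" + "." + "c" apart, which the joined string cannot.
    List<Session> findByUsername(String brokerAlias, String subject, String sessionIndex) {
        return byUsername.getOrDefault(brokeredUsername(brokerAlias, subject), List.of()).stream()
            .filter(s -> matches(s, brokerAlias, subject, sessionIndex)).toList();
    }

    // Approach 2: query by note name/value; without an index on notes this scans every session.
    List<Session> findByNotes(String brokerAlias, String subject, String sessionIndex) {
        return all.stream().filter(s -> matches(s, brokerAlias, subject, sessionIndex)).toList();
    }

    public static void main(String[] args) {
        BrokeredLogoutLookup store = new BrokeredLogoutLookup();
        store.login("s1", "saml-corp", "alice", "idx-1");    // constructed sample logins
        store.login("s2", "saml-corp", "alice", null);
        store.login("s3", "saml-partner", "alice", "idx-9"); // same subject, other broker
        System.out.println(store.findByUsername("saml-corp", "alice", "idx-1"));
        System.out.println(store.findByNotes("saml-corp", "alice", null));
    }
}
```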