[keycloak-dev] Edit value contained in NameID field of SAML response

Rashmi Singh singhrasster at gmail.com
Mon Sep 5 10:06:27 EDT 2016

I apologize for sending reminders. I was just not sure if my query was
somehow missed from being read. So, I was only trying to assure that its
not getting missed/lost since responses to my earlier questions used to be
pretty quick. But, I am sorry if it sounded impatient though. We will
definitely look into the higher level of support as you indicated.

Meanwhile, with regard to your response to my query, My keycloak app calls
an external TokenValidator for authentication. This TokenValidator returns
an SP specific username. So, the NameID value in the SAML response need to
be handled in the "application code" and the value needs to be changed to
the value returned from the TokenValidator during authentication. I think
using the protocol mapper, its a one time change with a certian value? But,
in my setup, everytime, as part f authentication, my keycloak app calls an
external tokenValidator service which will return a certain value (this
value is not fixed, it could be different each time depending on various
factors, example, the user passed in authentication, the settings on the
TokenValidator etc).

So, I believe it needs to be handled in the code dynamically for each
authentication, so when a SAML response is created on keycloak (I am not
sure where and how its done internally by keycloak though), we need to be
able to write some code that can be used to edit the NameID in the SAML
response with a dynamic value that we fetched from a call to an external
service (TokenValidator) during that specific authentication. I hope my
question is more clear now. Let me know if not.

On Mon, Sep 5, 2016 at 1:49 AM, Stian Thorgersen <sthorger at redhat.com>

> This is a free community forum so please be patient. We are not always
> able to provide an answer straight away. If you are interested in a higher
> level of support please consider our supported option
> https://access.redhat.com/products/red-hat-single-sign-on.
> I'm not quite following what your setup is, but you can modify the SAML
> assertions through protocol mappers for the client in the Keycloak admin
> console.
> On 2 September 2016 at 07:11, Rashmi Singh <singhrasster at gmail.com> wrote:
>> Can someone please give some pointers on if this is even possible? If
>> yes, then what needs to be done for this?
>> Its an urgent requirement for us, so any help on this will be very much
>> appreciated.
>> On Wed, Aug 31, 2016 at 8:28 AM, Rashmi Singh <singhrasster at gmail.com>
>> wrote:
>>> Any help on this?
>>> On Mon, Aug 29, 2016 at 9:32 PM, Rashmi Singh <singhrasster at gmail.com>
>>> wrote:
>>>> I have a keycloak app that calls an external TokenValidator for
>>>> authentication. This TokenValidator returns a SP specific username value. I
>>>> want my SAML response to contain this value in the NameID field. My
>>>> question is how do I edit the SAML response to change the value in NameID
>>>> field to this value?
>>>> Any insight into how to edit the NameID field in the SAML response?
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160905/c6980c1a/attachment-0001.html 

More information about the keycloak-dev mailing list