[keycloak-dev] Edit value contained in NameID field of SAML response

Stian Thorgersen sthorger at redhat.com
Wed Sep 7 08:37:20 EDT 2016

The authenticator can add the value to the user session, which can be used
by a protocol mapper. Thinking about it I'm not sure if it's actually
possible to override the NameID from a protocol mapper.

Bill - wdyt?

On 5 September 2016 at 16:06, Rashmi Singh <singhrasster at gmail.com> wrote:

> I apologize for sending reminders. I was just not sure if my query was
> somehow missed from being read. So, I was only trying to assure that its
> not getting missed/lost since responses to my earlier questions used to be
> pretty quick. But, I am sorry if it sounded impatient though. We will
> definitely look into the higher level of support as you indicated.
> Meanwhile, with regard to your response to my query, My keycloak app calls
> an external TokenValidator for authentication. This TokenValidator returns
> an SP specific username. So, the NameID value in the SAML response need to
> be handled in the "application code" and the value needs to be changed to
> the value returned from the TokenValidator during authentication. I think
> using the protocol mapper, its a one time change with a certian value? But,
> in my setup, everytime, as part f authentication, my keycloak app calls an
> external tokenValidator service which will return a certain value (this
> value is not fixed, it could be different each time depending on various
> factors, example, the user passed in authentication, the settings on the
> TokenValidator etc).
> So, I believe it needs to be handled in the code dynamically for each
> authentication, so when a SAML response is created on keycloak (I am not
> sure where and how its done internally by keycloak though), we need to be
> able to write some code that can be used to edit the NameID in the SAML
> response with a dynamic value that we fetched from a call to an external
> service (TokenValidator) during that specific authentication. I hope my
> question is more clear now. Let me know if not.
> On Mon, Sep 5, 2016 at 1:49 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>> This is a free community forum so please be patient. We are not always
>> able to provide an answer straight away. If you are interested in a higher
>> level of support please consider our supported option
>> https://access.redhat.com/products/red-hat-single-sign-on.
>> I'm not quite following what your setup is, but you can modify the SAML
>> assertions through protocol mappers for the client in the Keycloak admin
>> console.
>> On 2 September 2016 at 07:11, Rashmi Singh <singhrasster at gmail.com>
>> wrote:
>>> Can someone please give some pointers on if this is even possible? If
>>> yes, then what needs to be done for this?
>>> Its an urgent requirement for us, so any help on this will be very much
>>> appreciated.
>>> On Wed, Aug 31, 2016 at 8:28 AM, Rashmi Singh <singhrasster at gmail.com>
>>> wrote:
>>>> Any help on this?
>>>> On Mon, Aug 29, 2016 at 9:32 PM, Rashmi Singh <singhrasster at gmail.com>
>>>> wrote:
>>>>> I have a keycloak app that calls an external TokenValidator for
>>>>> authentication. This TokenValidator returns a SP specific username value. I
>>>>> want my SAML response to contain this value in the NameID field. My
>>>>> question is how do I edit the SAML response to change the value in NameID
>>>>> field to this value?
>>>>> Any insight into how to edit the NameID field in the SAML response?
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160907/4c0ca8ba/attachment-0001.html 

More information about the keycloak-dev mailing list