[keycloak-dev] SAML users should not be identified by SAML:NameID

Daniel Teixeira ddtxra at gmail.com
Mon Jul 30 09:30:39 EDT 2018


Hello,

Seems like Keycloak always uses the saml:NameID to identify a SAML user.
In org.keycloak.broker.saml.SAMLEndpoint we see:

BrokeredIdentityContext identity = new BrokeredIdentityContext(subjectNameID.getValue());
...
identity.setUsername(subjectNameID.getValue());

However this is not a good practice, see recommendations here:
https://kantarainitiative.github.io/SAMLprofiles/saml2int.html

"SPs MUST NOT require the presence of a <saml:NameID> element and MUST NOT rely on the content of this element for long term identification of subjects; <saml:Attribute> elements MUST be used for this purpose in the manner detailed below."

IMO, Keycloak should provide a field when configuring an IdP to choose the
custom attribute to "identify" a user. This can be the mail attribute, for
example (urn:oid:0.9.2342.19200300.100.1.3). But it should not take this
information from saml:NameID.

Is there any way to override this in Keycloak?
Should I create a JIRA issue?

Best regards,
Daniel Teixeira


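As an added illustration of the point raised in this post (example code written for this page, not Keycloak's SAMLEndpoint or any Keycloak API): the SP keys the brokered identity on a configured <saml:Attribute> rather than on <saml:NameID>. The mail OID and the saml2int recommendation come from the post; PRINCIPAL_ATTRIBUTE, build_assertion, name_id, extract_attributes and principal_id are names invented here, the assertions are constructed samples, and the code assumes the assertion's signature and conditions were already verified by the SAML stack before this step runs.

```python
# Added example (not Keycloak code): derive the SP-side principal identifier from a
# configured <saml:Attribute> instead of <saml:NameID>, as the saml2int profile
# recommends. It assumes the assertion's signature and conditions have already
# been verified by the SAML stack; this step only runs on a trusted assertion.
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical per-IdP setting, standing in for the "identifying attribute" field
# the post proposes. The OID is the mail attribute named in the post.
PRINCIPAL_ATTRIBUTE = "urn:oid:0.9.2342.19200300.100.1.3"

TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def build_assertion(name_id_value: str, name_id_format: str, attributes: dict) -> str:
    """Build a constructed, unsigned test assertion (sample input only)."""
    attr_xml = ""
    for name, values in attributes.items():
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        attr_xml += f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id_value}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def name_id(assertion_xml: str) -> Optional[str]:
    """What the SAMLEndpoint excerpt in the post keys on: the raw NameID value."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    return node.text if node is not None else None


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Collect every <saml:Attribute> by Name; repeated Attributes are merged."""
    attrs: Dict[str, List[str]] = {}
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if not name:
            continue  # an Attribute without a Name cannot be matched to config
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                attrs.setdefault(name, []).append(value.text.strip())
    return attrs


def principal_id(assertion_xml: str, attribute_name: str = PRINCIPAL_ATTRIBUTE) -> str:
    """Return the identifier to key the brokered identity on.

    Fails closed: exactly one non-empty value of the configured attribute is
    required, so an assertion missing it (or carrying several) does not silently
    fall back to NameID and cannot be mapped onto another user's account.
    """
    values = extract_attributes(assertion_xml).get(attribute_name, [])
    if len(values) != 1:
        raise ValueError(
            f"expected exactly one value of {attribute_name}, got {len(values)}"
        )
    return values[0]


# Constructed samples: the same person logging in twice through an IdP that issues
# transient NameIDs, plus an assertion that lacks the mail attribute entirely
# (urn:oid:2.5.4.42 is the standard givenName OID; the value is made up).
MAIL = PRINCIPAL_ATTRIBUTE
LOGIN_1 = build_assertion("_7f3a9c", TRANSIENT_FORMAT, {MAIL: ["alice@example.org"]})
LOGIN_2 = build_assertion("_c41e08", TRANSIENT_FORMAT, {MAIL: ["alice@example.org"]})
NO_MAIL = build_assertion("_b2d5f1", TRANSIENT_FORMAT, {"urn:oid:2.5.4.42": ["Alice"]})

if __name__ == "__main__":
    print("NameID per login:", name_id(LOGIN_1), name_id(LOGIN_2))  # two different values
    print("principal per login:", principal_id(LOGIN_1), principal_id(LOGIN_2))  # same
    try:
        principal_id(NO_MAIL)
    except ValueError as err:
        print("rejected:", err)
```

With a transient NameID the value changes on every login, so keying the local account on it (as the excerpt above does) either creates a fresh user each time or forces the IdP into a persistent format; keying on the configured attribute gives a stable identifier and refuses, rather than guesses, when the attribute is absent.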