[keycloak-dev] SAML users should not be identified by SAML:NameID
Daniel Teixeira
ddtxra at gmail.com
Mon Jul 30 09:30:39 EDT 2018
Hello,
Seems like Keycloak always uses the saml:NameID to identify a SAML user.
In org.keycloak.broker.saml.SAMLEndpoint we see:
BrokeredIdentityContext identity = new
BrokeredIdentityContext(subjectNameID.getValue());
...
identity.setUsername(subjectNameID.getValue());
However this is not a good practice, see recommendations here:
https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
*SPs MUST NOT require the presence of a <saml:NameID> element and MUST NOT
rely on the content of this element for long term identification of
subjects; <saml:Attribute> elements MUST be used for this purpose in
the *manner
detailed below.
IMO, Keycloak should provide a field when configuring an iDP to choose the
custom attribute to "identify" a user. This can be mail attribute for
example (urn:oid:0.9.2342.19200300.100.1.3). But should not take this
information from saml:NameID
Is there anyway to override this in Keycloak?
Should I create a JIRA issue?
Best regards,
Daniel Teixeira
More information about the keycloak-dev
mailing list