[keycloak-dev] SAML users should not be identified by SAML:NameID

Daniel Teixeira ddtxra at gmail.com
Mon Jul 30 16:38:09 EDT 2018


Thank you for your positive feedback, issue created here:
https://issues.jboss.org/browse/KEYCLOAK-7969


On Mon, Jul 30, 2018 at 5:43 PM, Josh Cain <jcain at redhat.com> wrote:

> +1 for this, we're going to need it.
>
> On Mon, 2018-07-30 at 17:06 +0200, Hynek Mlnarik wrote:
> > Yes, please file a feature request JIRA
> >
> > On Mon, Jul 30, 2018 at 3:33 PM Daniel Teixeira <ddtxra at gmail.com>
> > wrote:
> >
> > > Hello,
> > >
> > > Seems like Keycloak always uses the saml:NameID to identify a SAML
> > > user.
> > > In org.keycloak.broker.saml.SAMLEndpoint we see:
> > >
> > > BrokeredIdentityContext identity = new BrokeredIdentityContext(subjectNameID.getValue());
> > > ...
> > > identity.setUsername(subjectNameID.getValue());
> > >
> > > However this is not a good practice, see recommendations here:
> > > https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
> > >
> > > "SPs MUST NOT require the presence of a <saml:NameID> element and MUST NOT
> > > rely on the content of this element for long term identification of
> > > subjects; <saml:Attribute> elements MUST be used for this purpose in the
> > > manner detailed below."
> > >
> > > IMO, Keycloak should provide a field when configuring an IdP to choose the
> > > custom attribute to "identify" a user. This can be the mail attribute, for
> > > example (urn:oid:0.9.2342.19200300.100.1.3), but it should not take this
> > > information from saml:NameID.
> > >
> > > Is there any way to override this in Keycloak?
> > > Should I create a JIRA issue?
> > >
> > > Best regards,
> > > Daniel Teixeira
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >


-- 
Daniel Teixeira
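As an added illustration of the point raised in this thread (not Keycloak's own code), the sketch below resolves a brokered identity from a SAML assertion by a configured <saml:Attribute> instead of <saml:NameID>, and rejects absent or ambiguous attribute values rather than guessing. The assertion, the transient NameID value and the mail address are constructed sample data; only the mail OID comes from the thread.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# OID of the 'mail' attribute, as cited in the thread.
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"

# Constructed sample assertion (not from a real IdP). The NameID is transient,
# i.e. it changes per session, while the mail attribute is a stable identifier.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2018-07-30T13:33:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3f2b9c1e</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def identify_by_nameid(assertion_xml):
    """Behaviour described in the thread: key the brokered user on NameID."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        return None
    return name_id.text.strip()


def identify_by_attribute(assertion_xml, attribute_name):
    """Proposed behaviour: key the brokered user on a configured attribute.

    Returns the attribute's single value, or None when the attribute is
    missing, empty or multi-valued (an ambiguous identifier is rejected,
    not silently picked).
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values[0] if len(values) == 1 else None
```

A second login for the same person would carry a fresh transient NameID, so `identify_by_nameid` yields a new key each time while `identify_by_attribute` keeps returning the mail address.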

