[keycloak-dev] Proposal: more flexible brokered identity with SAML IdP
John Dennis
jdennis at redhat.com
Thu Apr 25 09:26:37 EDT 2019
On 4/18/19 7:18 PM, Dmitry Telegin wrote:
> Currently, it is hardcoded [1] that FederatedIdentity's userId and
> userName should be taken verbatim from SAML assertion's NameID value
> (via intermediary BrokeredIdentityContext). The problem is that most
> SAML IdPs provide meaningless NameIDs, like hashes or purely random
> strings. In general, SAML NameID is not predictable.
Predictable NameIDs are possible with SAML, but to get them you must
specify the desired NameIDPolicy in the request and the IdP must be
capable of honoring that request. Have you determined the IdPs being
utilized are incapable of honoring a NameIDPolicy of your choice?
--
John Dennis
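The request/verify pattern described in the reply above, as an added example that is not Keycloak's code or part of the original thread: an SP-side AuthnRequest carrying a NameIDPolicy that asks for a persistent NameID, and a check that refuses to use the returned NameID as a brokered user identifier unless the IdP actually honored that policy. Entity IDs, URLs, the request ID and the sample Response are constructed; signature validation is assumed to happen before the check.

```python
# Added example (not Keycloak code): ask for a stable NameID via NameIDPolicy
# and verify on the SP side that the assertion honors it before using the
# value as a federated user id.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, name_id_format=PERSISTENT):
    """AuthnRequest (XML text) that asks the IdP for a NameID of the given Format.
    ID and IssueInstant are placeholder values; a real SP generates fresh ones."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_placeholder-request-id", "Version": "2.0",
        "IssueInstant": "2019-04-25T13:26:37Z",
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": name_id_format, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def stable_name_id(response_xml, sp_entity_id, expected_format=PERSISTENT):
    """Return the assertion NameID if it matches the requested policy, else None.
    None means the value must not be used to link or create a federated user."""
    root = ET.fromstring(response_xml)
    name_id = root.find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        return None
    fmt = name_id.get("Format", UNSPECIFIED)  # absent Format defaults to unspecified
    if fmt != expected_format or fmt == TRANSIENT:
        return None  # IdP ignored NameIDPolicy: value is not a reliable identifier
    qualifier = name_id.get("SPNameQualifier")
    if qualifier is not None and qualifier != sp_entity_id:
        return None  # persistent id scoped to a different SP, do not reuse it
    return name_id.text.strip()


# Constructed sample Response (no signature) for a local demonstration.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
    '<saml:Assertion><saml:Subject>'
    f'<saml:NameID Format="{PERSISTENT}" SPNameQualifier="https://sp.example/metadata">'
    'user-7f3a</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(build_authn_request("https://sp.example/metadata", "https://sp.example/acs"))
    print(stable_name_id(SAMPLE_RESPONSE, "https://sp.example/metadata"))
```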