[keycloak-dev] Proposal: more flexible brokered identity with SAML IdP

Dmitry Telegin demetrio at carretti.pro
Thu Apr 25 09:35:09 EDT 2019


Hi John,

Yes, we have tried all the possible NameID policies. They are honored by the IdP, but none of them result in predictable NameID.

Moreover, identifying users by NameID is against Kantara recommendations, and we even have an issue in JIRA for that, please see my recent reply for the details.

Regards,
Dmitry

On Thu, 2019-04-25 at 09:26 -0400, John Dennis wrote:
> On 4/18/19 7:18 PM, Dmitry Telegin wrote:
> > Currently, it is hardcoded [1] that FederatedIdentity's userId and
> > userName should be taken verbatim from SAML assertion's NameID value
> > (via intermediary BrokeredIdentityContext). The problem is that most
> > SAML IdPs provide meaningless NameIDs, like hashes or purely random
> > strings. In general, SAML NameID is not predictable.
> 
> Predictable NameIDs are possible with SAML but to get them you must 
> specify the desired NameIDPolicy in the request and the IdP must be 
> capable of honoring that request. Have you determined the IdPs being 
> utilized are incapable of honoring a NameIDPolicy of your choice?
> 
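The disagreement in this exchange is about whether the SAML NameID can serve as the stable key for a brokered identity. The example below is added here to illustrate the selection logic the proposal argues for; it is not code from this thread or from Keycloak. It parses a (constructed) SAML 2.0 assertion with Python's standard XML library, keys the federated user on the NameID only when its Format is `persistent`, and otherwise falls back to a configured attribute (the attribute name `uid` and the sample assertions are constructed for this example). Signature validation, Conditions checks and replay protection are assumed to have already been performed on the assertion before this function is called.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the NameID formats the logic cares about.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def parse_nameid(assertion_xml):
    """Return (value, format) of the subject NameID, or (None, None) if absent.

    A missing Format attribute means 'unspecified' per the SAML core spec,
    which gives no stability guarantee at all.
    """
    root = ET.fromstring(assertion_xml)
    el = root.find("./saml:Subject/saml:NameID", NS)
    if el is None or not (el.text or "").strip():
        return None, None
    return el.text.strip(), el.get("Format", UNSPECIFIED)


def parse_attribute(assertion_xml, name):
    """Return the first non-empty value of the named attribute, or None."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            if val.text and val.text.strip():
                return val.text.strip()
    return None


def choose_federated_id(assertion_xml, id_attribute):
    """Pick a stable identifier for the federated user.

    Returns (identifier, source). Only a persistent NameID is trusted as a
    key; transient/unspecified NameIDs are ignored and the configured
    attribute is used instead. Raises if neither is usable, so the broker
    never silently creates a fresh local user per login.
    """
    value, fmt = parse_nameid(assertion_xml)
    if value is not None and fmt == PERSISTENT:
        return value, "nameid"
    attr_val = parse_attribute(assertion_xml, id_attribute)
    if attr_val is not None:
        return attr_val, "attribute:" + id_attribute
    raise ValueError(
        "no stable identifier: NameID format %r, attribute %r absent" % (fmt, id_attribute)
    )


# Constructed sample: transient NameID (random per session) plus a 'uid' attribute.
ASSERTION_TRANSIENT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2019-04-25T13:35:09Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a8f0c2e1b9d4</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: persistent NameID, no attributes at all.
ASSERTION_PERSISTENT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c2" Version="2.0" IssueInstant="2019-04-25T13:35:09Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">9f3b-alice-persistent</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample: NameID with no Format and no usable attribute.
ASSERTION_UNSPECIFIED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c3" Version="2.0" IssueInstant="2019-04-25T13:35:09Z">
  <saml:Subject>
    <saml:NameID>opaque-value</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    print(choose_federated_id(ASSERTION_TRANSIENT, "uid"))    # ('alice', 'attribute:uid')
    print(choose_federated_id(ASSERTION_PERSISTENT, "uid"))   # ('9f3b-alice-persistent', 'nameid')
    try:
        choose_federated_id(ASSERTION_UNSPECIFIED, "uid")
    except ValueError as exc:
        print("rejected:", exc)
```

The point of refusing rather than falling through to the raw NameID is that a broker which keys on a transient or unspecified NameID will mint a new local account on every login, which is the failure mode described at the top of the thread.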

