[keycloak-user] User ID should be used as "user reference" not username
Bill Burke
bburke at redhat.com
Tue Mar 31 20:20:08 EDT 2015
In picketlink.xml, set the NAMEID_FORMAT desired, i.e.:

<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
    <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</Handler>

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
For persistent, a user attribute is generated:
saml.persistent.name.id.for.<APPLICATION_NAME> = random UUID
On 3/31/2015 5:06 PM, Chen Keong Yap wrote:
> Hi bill,
>
> Thanks for the reply. For option 1, how can we make the random userid
> associated with the keycloak session?
>
> For option 2, how can we implement this?
>
> Please share your ideas. Thanks
>
> On Mar 31, 2015 10:29 PM, "Bill Burke" <bburke at redhat.com> wrote:
>
> You need to configure PL SP Filter correctly. PL SP Filter, by default
> asks for the "transient" nameid format which is a temporary randomly
> generated userid that is not stored or associated with the Keycloak
> session. Other options include:
>
> persistent - randomly generated, but associated with the application
> email
> unspecified (which Keycloak will send the username instead).
>
>
>
> > On 3/31/2015 7:42 AM, Chen Keong Yap wrote:
> > > Hi Leonardo,
> > >
> > > My application is running on WebSphere app server and the only way to
> > > talk to keycloak is to use picketlink spfilter because we are not
> > > allowed to use keycloak proxy.
> > >
> > > On Mar 31, 2015 7:19 PM, "Leonardo Loch Zanivan" <leonardo.zanivan at gmail.com> wrote:
> >
> > Chen,
> >
> > You could set "principal-attribute" in the adapter config
> > (keycloak.json) as "preferred_username".
> > https://issues.jboss.org/browse/KEYCLOAK-810
> >
> > > On Tue, Mar 31, 2015 at 7:50 AM Chen Keong Yap <chenkeong.yap at izeno.com> wrote:
> >
> > Hi,
> >
> > > I was using picketlink spfilter for testing and noticed
> > > sessionid is assigned to username. We don't have this problem in
> > > keycloak 1.1.0 beta2 and this issue only appears starting from
> > > keycloak 1.1.0 final and in the master build.
> > > Kindly advise.
> >
> > > Source :
> > >
> > > <%@ page import="java.security.Principal, org.picketlink.identity.federation.web.constants.GeneralConstants" %>
> > > <%
> > >     // Principal stored in the HTTP session by the PicketLink SP filter
> > >     Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
> > > %>
> > > Welcome to the Employee Tool, <b><%=userPrincipal.getName()%></b>.
> > >
> > > Output :
> > >
> > > Welcome to the Employee Tool, G-155d13b0-a69d-4721-8187-cd1a16c90f3c.
> >
> >
> > > On Tue, Mar 31, 2015 at 2:33 PM, Stian Thorgersen <stian at redhat.com> wrote:
> >
> > > Can you please explain what the problem is? That issue is an
> > > enhancement, not a bug.
> >
> > > ----- Original Message -----
> > > > From: "Chen Keong Yap" <chenkeong.yap at izeno.com>
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Tuesday, 31 March, 2015 8:20:26 AM
> > > > Subject: [keycloak-user] User ID should be used as "user reference" not username
> > >
> > > > Hi,
> > > >
> > > > This issue has happened again in the master build.
> > > >
> > > > Can you advise which object is causing the issue?
> > >
> > > Reference :
> > >
> > > https://issues.jboss.org/browse/KEYCLOAK-284
> > >
> > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
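The check below is an added example, not code from this thread, from Keycloak or from PicketLink. It reads the NameID and its Format out of a SAML 2.0 Response and refuses to hand a transient NameID to the application as a user reference, which is the mistake behind the symptom above (a random G-… id shown where the username was expected). Only the persistent, unspecified and emailAddress formats named in Bill's reply are accepted as stable. The sample Responses are constructed for the example; the issuer URL and the persistent UUID are made up, and real Responses would also carry a Signature, Conditions and attributes that this check deliberately ignores.

```python
"""Added example: decide whether a SAML 2.0 NameID is usable as a user reference.

A transient NameID is a fresh random value per login that the IdP does not
tie to any stored user, so it must never be used as a session key, account
key or audit identity. The other three formats in the thread carry a value
that identifies the same user across logins.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Formats whose value is meant to identify the same user on every login.
STABLE_FORMATS = {PERSISTENT, UNSPECIFIED, EMAIL}


def extract_name_id(response_xml: str):
    """Return (format, value) from the first Assertion's Subject/NameID.

    Returns (None, None) when there is no NameID. A NameID without a Format
    attribute is treated as 'unspecified', as SAML 2.0 core defines.
    """
    root = ET.fromstring(response_xml)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None, None
    return name_id.get("Format", UNSPECIFIED), (name_id.text or "").strip()


def user_reference(response_xml: str) -> str:
    """Return the NameID value if it is safe to key a user or session on.

    Raises ValueError for a missing NameID, a transient NameID, or a format
    this application does not know how to map to a user.
    """
    fmt, value = extract_name_id(response_xml)
    if fmt is None or not value:
        raise ValueError("assertion carries no NameID")
    if fmt == TRANSIENT:
        raise ValueError(
            f"transient NameID {value!r} is not a stable user reference; "
            "configure the SP to request persistent, unspecified or emailAddress"
        )
    if fmt not in STABLE_FORMATS:
        raise ValueError(f"unhandled NameID format {fmt}")
    return value


def is_stable_reference(response_xml: str) -> bool:
    """Boolean form of user_reference() for callers that only need a verdict."""
    try:
        user_reference(response_xml)
        return True
    except ValueError:
        return False


def _sample_response(fmt: str, value: str) -> str:
    # Constructed minimal Response; the issuer URL is a placeholder.
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2015-03-31T20:20:08Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-03-31T20:20:08Z">
    <saml:Issuer>http://idp.example/auth/realms/demo</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{fmt}">{value}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# The symptom from the thread: the SP's default transient format surfaces a random id.
TRANSIENT_RESPONSE = _sample_response(TRANSIENT, "G-155d13b0-a69d-4721-8187-cd1a16c90f3c")
# Persistent: a made-up UUID standing in for the per-application value Keycloak stores.
PERSISTENT_RESPONSE = _sample_response(PERSISTENT, "6f1a2b3c-4d5e-4f60-8a9b-0c1d2e3f4a5b")
# Unspecified: Keycloak sends the username.
UNSPECIFIED_RESPONSE = _sample_response(UNSPECIFIED, "ckyap")

if __name__ == "__main__":
    for label, resp in [("transient", TRANSIENT_RESPONSE),
                        ("persistent", PERSISTENT_RESPONSE),
                        ("unspecified", UNSPECIFIED_RESPONSE)]:
        try:
            print(f"{label}: accepted {user_reference(resp)!r}")
        except ValueError as err:
            print(f"{label}: rejected ({err})")
```

Run the module directly to see the transient Response rejected and the other two accepted. The check belongs on the SP side after signature validation, not instead of it: a NameID is only as trustworthy as the assertion it arrived in.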