[keycloak-user] User ID should be used as "user reference" not username
Chen Keong Yap
chenkeong.yap at izeno.com
Tue Mar 31 22:56:28 EDT 2015
Hi Bill,
I've made the change, but the principal username is still showing a random userid.
Kindly advise.
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                  ServerEnvironment="tomcat" BindingType="REDIRECT" RelayState="someURL">
        <IdentityURL>${idp.url::https://localhost:8443/auth/realms/saml-demo-1/protocol/saml}</IdentityURL>
        <ServiceURL>${EMPLOYEE.url::http://localhost:8080/employee/test.jsp}</ServiceURL>
    </PicketLinkSP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
            <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
        </Handler>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
    </Handlers>
</PicketLink>
On Wed, Apr 1, 2015 at 8:20 AM, Bill Burke <bburke at redhat.com> wrote:
> In picketlink.xml, set the NAMEID_FORMAT desired, i.e.:
>
> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
>     <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
> </Handler>
>
> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
>
> For persistent, a user attribute is generated:
>
> saml.persistent.name.id.for.<APPLICATION_NAME> = random UUID
>
>
>
> On 3/31/2015 5:06 PM, Chen Keong Yap wrote:
>
>> Hi bill,
>>
>> Thanks for the reply. For option 1, how can we make the random userid
>> associated with the keycloak session?
>>
>> For option 2, how can we implement this?
>>
>> Please share your ideas. Thanks
>>
>> On Mar 31, 2015 10:29 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>
>> You need to configure PL SP Filter correctly. PL SP Filter, by default,
>> asks for the "transient" nameid format, which is a temporary randomly
>> generated userid that is not stored or associated with the Keycloak
>> session. Other options include:
>>
>> persistent - randomly generated, but associated with the application
>> email
>> unspecified (which Keycloak will send the username instead).
>>
>>
>>
>> On 3/31/2015 7:42 AM, Chen Keong Yap wrote:
>> > Hi Leonardo,
>> >
>> > My application is running on WebSphere app server and the only way to
>> > talk to keycloak is to use picketlink spfilter because we are not
>> > allowed to use keycloak proxy.
>> >
>> > On Mar 31, 2015 7:19 PM, "Leonardo Loch Zanivan" <leonardo.zanivan at gmail.com> wrote:
>> >
>> > Chen,
>> >
>> > You could set "principal-attribute" in the adapter config
>> > (keycloak.json) as "preferred_username".
>> > https://issues.jboss.org/browse/KEYCLOAK-810
>> >
>> > On Tue, Mar 31, 2015 at 7:50 AM Chen Keong Yap <chenkeong.yap at izeno.com> wrote:
>> >
>> > Hi,
>> >
>> > I was using picketlink spfilter for testing and noticed
>> > sessionid is assigned to username. We don't have this problem in
>> > keycloak 1.1.0 beta2 and this issue only appears starting from
>> > keycloak 1.1.0 final and in master build. Kindly advise.
>> >
>> > Source :
>> >
>> > Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
>> > Welcome to the Employee Tool, <b><%=userPrincipal.getName()%></b>.
>> >
>> > Output :
>> >
>> > Welcome to the Employee Tool, G-155d13b0-a69d-4721-8187-cd1a16c90f3c.
>> >
>> >
>> > On Tue, Mar 31, 2015 at 2:33 PM, Stian Thorgersen <stian at redhat.com> wrote:
>> >
>> > Can you please explain what the problem is? That issue is an
>> > enhancement, not a bug.
>> >
>> > ----- Original Message -----
>> > > From: "Chen Keong Yap" <chenkeong.yap at izeno.com>
>> > > To: keycloak-user at lists.jboss.org
>> > > Sent: Tuesday, 31 March, 2015 8:20:26 AM
>> > > Subject: [keycloak-user] User ID should be used as "user reference" not username
>> > >
>> > > Hi,
>> > >
>> > > This issue has happened again in the master build.
>> > >
>> > > Can you advise which object is causing the issue?
>> > >
>> > > Reference :
>> > >
>> > > https://issues.jboss.org/browse/KEYCLOAK-284
>> > >
>> > >
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
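The thread turns on which SAML NameID format the SP asks for and whether the value that comes back can safely key a user account. The block below is an added example, not PicketLink or Keycloak code, showing the SP side of that decision: it builds the NameIDPolicy an SP would send for a given format (the request-side effect of the NAMEID_FORMAT handler option), extracts the NameID from an assertion, and accepts it as a user reference only when the IdP honoured the requested format and that format is stable across sessions. The assertions are constructed samples, the G-<uuid> values are made up to match the shape of the output quoted in the thread, and the SPNameQualifier "employee" is an assumption.

```python
"""Decide whether a SAML NameID returned by the IdP may serve as a stable user
reference.  Added example, not PicketLink or Keycloak code."""
import xml.etree.ElementTree as ET  # parse untrusted SAML with defusedxml in production

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ET.register_namespace("samlp", NS["samlp"])

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Formats whose value identifies the same user again on the next login.
# transient is a fresh random id per session, so it is deliberately absent.
STABLE_FORMATS = {PERSISTENT, EMAIL, UNSPECIFIED}


def nameid_policy_xml(fmt):
    """NameIDPolicy element an SP puts in its AuthnRequest to ask for `fmt`;
    this is what the PicketLink NAMEID_FORMAT option controls."""
    el = ET.Element("{%s}NameIDPolicy" % NS["samlp"],
                    {"Format": fmt, "AllowCreate": "true"})
    return ET.tostring(el, encoding="unicode")


def extract_nameid(assertion_xml):
    """Return (format, value, SPNameQualifier) from the assertion Subject."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        raise ValueError("assertion carries no NameID")
    # SAML Core treats an absent Format as "unspecified".
    fmt = nameid.get("Format", UNSPECIFIED)
    return fmt, nameid.text.strip(), nameid.get("SPNameQualifier")


def check_nameid(assertion_xml, expected_format):
    """Accept the NameID as the account key only if the IdP honoured the
    requested format and that format is stable across sessions."""
    fmt, value, qualifier = extract_nameid(assertion_xml)
    result = {"format": fmt, "value": value, "sp_qualifier": qualifier,
              "accepted": False, "reason": ""}
    if fmt != expected_format:
        result["reason"] = "IdP returned %s but SP asked for %s" % (fmt, expected_format)
    elif fmt not in STABLE_FORMATS:
        result["reason"] = "transient NameID changes every session; not an account key"
    else:
        result["accepted"] = True
    return result


def sample_assertion(fmt, value):
    """Constructed sample (not a captured assertion); only Subject matters here.
    SPNameQualifier="employee" is an assumption."""
    return (
        '<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0">'
        "<saml:Issuer>https://localhost:8443/auth/realms/saml-demo-1</saml:Issuer>"
        '<saml:Subject><saml:NameID Format="%s" SPNameQualifier="employee">%s'
        "</saml:NameID></saml:Subject></saml:Assertion>"
    ) % (NS["saml"], fmt, value)


# Constructed values shaped like the thread's output (G-<uuid>), not real ids.
SAMPLES = {
    "transient": sample_assertion(TRANSIENT, "G-3c1a9e2d-7b44-4d0e-9f1a-0b2c3d4e5f60"),
    "persistent": sample_assertion(PERSISTENT, "G-8e7d6c5b-4a39-4281-b7c6-d5e4f3a2b1c0"),
    "email": sample_assertion(EMAIL, "alice@example.com"),
}

if __name__ == "__main__":
    print(nameid_policy_xml(PERSISTENT))
    for name, xml in SAMPLES.items():
        print(name, check_nameid(xml, PERSISTENT))
```

Run as a script it prints the NameIDPolicy for persistent and then the verdict for each sample: the transient assertion is rejected as an account key, the email assertion is rejected because it does not match the requested format, and only the persistent one is accepted. A persistent NameID is an opaque, application-scoped identifier, so it is the right thing to store against the account, but not something to show the user as their name; for a display name the SP still needs a separate attribute or the unspecified/emailAddress format, as the thread describes.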