[keycloak-user] SAML attribute mapping debugging

Jason Axley jaxley at expedia.com
Mon Feb 22 18:23:01 EST 2016


Bump.

I saw someone had a previous question in October about IdP mappings but the thread died without clear resolution.  I didn’t see any general information on enabling DEBUG mode in Keycloak to help with troubleshooting.

When I log into the “account” client application via SAML, I’m presented with a screen to enter in my login, email, first name and last name, so I can see that none of the values in the SAML assertion are being picked up by the mappers.

-Jason

From: <keycloak-user-bounces at lists.jboss.org> on behalf of Jason Axley <jaxley at expedia.com>
Date: Thursday, February 18, 2016 at 1:49 PM
To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: [keycloak-user] SAML attribute mapping debugging

I’ve set up incoming SAML authentication using Microsoft ADFS as the IdP.  However, the attribute mappings I’ve configured are not picking up the data.  A couple things are not clear:

  1.  How can one debug the mappings to find out why they did not find the data?
  2.  Where is the “user model” documented to know which fields are available to map to?  I pulled out some things from existing LDAP mappings but would be nice to know what else is there to map (e.g. AD or other LDAP Groups)

For example, I’ve set up an email mapper that is configured:

Mapper Type:  Attribute Importer
Attribute Name:  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Friendly Name:  emailaddress
User Attribute Name:  email

Doesn’t work…

-Jason
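
Added example, not part of the original thread and not Keycloak code: one way to approach question 1 from outside the broker is to list the attributes a captured SAML assertion actually carries and compare them literally with the mapper fields quoted above. The sample assertion is constructed and the function names are hypothetical; the script makes no claim about how Keycloak itself matches attributes.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not captured from a real IdP).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
                    FriendlyName="givenname">
      <saml:AttributeValue>Pat</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Mapper settings as quoted in the message above.
MAPPER = {
    "Attribute Name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "Friendly Name": "emailaddress",
    "User Attribute Name": "email",
}

def list_attributes(assertion_xml):
    """Return [(Name, FriendlyName, [values])] for every attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    found = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found.append((attr.get("Name"), attr.get("FriendlyName"), values))
    return found

def compare_mapper(assertion_xml, mapper):
    """Report which mapper fields literally match an attribute in the assertion."""
    attrs = list_attributes(assertion_xml)
    return {
        "name_match": [v for n, _, v in attrs if n == mapper["Attribute Name"]],
        "friendly_match": [v for _, f, v in attrs if f == mapper["Friendly Name"]],
        "names_seen": [n for n, _, _ in attrs],
    }

if __name__ == "__main__":
    report = compare_mapper(SAMPLE_ASSERTION, MAPPER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

If the IdP encrypts the assertion, decrypt it first; this parser only reads plaintext `saml:Attribute` elements.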
