[keycloak-user] Map SAML Subject NameID to user email
Jared Blashka
jblashka at redhat.com
Mon Oct 17 08:46:37 EDT 2016
No, the saml.persistent name field doesn't need to be a mapper for saml
assertion, it's only a user attribute. So you could add this attribute to
users when they're created or imported or even afterwards with some Admin
API tooling. All that's required on the client end is setting the Name ID
format field to "persistent".
Jared
On Mon, Oct 17, 2016 at 2:25 AM, Niels Bertram <nielsbne at gmail.com> wrote:
> Hi Jared,
>
> setting the Name ID Format does not set the NameID field value to the
> email address of the user model. Whatever I set it to, the only value I can
> see in the SAML response is the realm users username.
>
> Thanks for pointing to the persistent Name ID configuration. Just to
> confirm, to make this work, one will also have to configure a Property
> Mapper in the SAML Client configuration with following details:
>
> Protocol: saml
> Name: Swap NameID username for email
> Consent Required: off
> Mapper Type: User Attribute
> User Attribute: email
> Friendly Name: Email
> SAML Attribute Name: saml.persistent.name.id.for.$clientId
> SAML Attribute NameFormat: Unspecified
>
>
> Does that look about right?
>
> Thanks,
> Niels
>
>
> On Sat, Oct 15, 2016 at 12:54 AM, Jared Blashka <jblashka at redhat.com>
> wrote:
>
>> Does setting the 'Name ID Format' option to email in the client settings
>> not accomplish what you're looking for? That's supposed to use the user's
>> email address as the NameID.
>> Failing that, I know that if you use the 'persistent' Name ID format you
>> can set an attribute of saml.persistent.name.id.for.$clientId for a user
>> and the value of that field gets used as the NameID.
>>
>> Jared
>>
>> On Thu, Oct 13, 2016 at 10:31 PM, Niels Bertram <nielsbne at gmail.com>
>> wrote:
>>
>>> Hi guys,
>>>
>>> I have a requirement to map a user email to the /saml:Subject/saml:NameID
>>> field in a Keycloak SAML client. I can see that someone else is asking
>>> for the same at
>>> http://stackoverflow.com/questions/39854398/sending-username-emailid-in-the-saml-req-as-nameid-to-keycloak
>>> without much luck. The mapper only maps attributes while I need to change
>>> the subjects identifier.
>>>
>>> Could anyone help with a thought on how that can be achieved?
>>>
>>> Many thanks,
>>> Niels
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
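As an added example that is not part of this thread and not Keycloak's own code: a small Python script that (a) pulls the NameID Format and value out of a SAML Response so you can see exactly what the IdP is sending the SP, and (b) builds the saml.persistent.name.id.for.<clientId> user attribute Jared describes, in the attribute map shape the Admin REST API's UserRepresentation uses. The sample response, the realm URL, the client ID "my-sp" and the user "jdoe" are constructed for the example; the response is unsigned and minimal, which a real one is not.

```python
# Added example (not code from the thread or from Keycloak): inspect the NameID
# that actually arrives in a SAML Response, and build the user attribute that
# Keycloak reads when a client's Name ID Format is set to 'persistent'.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Standard NameID format URNs (SAML 2.0 core, section 8.3).
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def sample_response(nameid_format, nameid_value):
    """Constructed, unsigned, minimal SAML Response for demonstration only.
    The realm URL and IDs are made up; a real response is signed and also
    carries Conditions, an AuthnStatement and usually an AttributeStatement.
    Pass nameid_format=None to omit the Format attribute entirely."""
    fmt_attr = f' Format="{nameid_format}"' if nameid_format else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2016-10-17T12:00:00Z">
  <saml:Issuer>http://localhost:8080/auth/realms/demo</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-10-17T12:00:00Z">
    <saml:Issuer>http://localhost:8080/auth/realms/demo</saml:Issuer>
    <saml:Subject>
      <saml:NameID{fmt_attr}>{nameid_value}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_nameid(response_xml):
    """Return (Format, value) of /samlp:Response/saml:Assertion/saml:Subject/saml:NameID.
    A NameID with no Format attribute means 'unspecified' per the SAML 2.0 core spec."""
    root = ET.fromstring(response_xml)
    nameid = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        raise ValueError("response has no saml:Subject/saml:NameID (encrypted assertion?)")
    return nameid.get("Format", NAMEID_UNSPECIFIED), (nameid.text or "").strip()


def check_nameid(response_xml, expected_format, expected_value):
    """Return a list of findings; empty when the NameID is what the SP expects.
    This is the check to run when the SP receives a username where it wanted an email."""
    fmt, value = extract_nameid(response_xml)
    findings = []
    if fmt != expected_format:
        findings.append(f"NameID Format is {fmt}, expected {expected_format}")
    if value != expected_value:
        findings.append(f"NameID value is {value!r}, expected {expected_value!r}")
    return findings


def with_persistent_nameid(user_rep, client_id, nameid_value):
    """Return a copy of a Keycloak Admin REST UserRepresentation (dict) carrying
    saml.persistent.name.id.for.<clientId> = nameid_value, as described in the
    thread. 'attributes' is a map of name -> list of values. The existing map is
    copied and extended rather than replaced: an update via
    PUT /admin/realms/{realm}/users/{id} sends the whole attribute map, so fetch
    the user first and send every attribute back, not just the new key."""
    attrs = {k: list(v) for k, v in user_rep.get("attributes", {}).items()}
    attrs[f"saml.persistent.name.id.for.{client_id}"] = [nameid_value]
    updated = dict(user_rep)
    updated["attributes"] = attrs
    return updated


if __name__ == "__main__":
    import json
    # What the original poster reports: the username turns up as the NameID.
    print(check_nameid(sample_response(NAMEID_UNSPECIFIED, "jdoe"),
                       NAMEID_EMAIL, "jdoe@example.com"))
    # The 'persistent' route: set the per-client user attribute, then expect
    # its value back as the NameID.
    user = {"username": "jdoe", "email": "jdoe@example.com",
            "attributes": {"department": ["ops"]}}
    print(json.dumps(with_persistent_nameid(user, "my-sp", "jdoe@example.com"), indent=2))
    print(check_nameid(sample_response(NAMEID_PERSISTENT, "jdoe@example.com"),
                       NAMEID_PERSISTENT, "jdoe@example.com"))
```

To test against a live response, capture the base64 SAMLResponse form field at the SP, decode it, and hand the XML to check_nameid with the Format and value the SP is configured to expect; verify the signature separately, since this script only reads the subject.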