[keycloak-user] Using email attribute in SAML identity brokering

Moshe Ben-Shoham mosheb at perfectomobile.com
Wed Jan 11 03:00:21 EST 2017


Hi Hynek,

Thanks for your response, it did take us a step forward, but I still struggle with this a bit.

I defined the Template Importer Mapper as you suggested, but I can only make the login work if the user in KeyCloak is pre-linked to the IdP, with “Provider User ID” that has the value of the SAML_SUBJECT and “Provider username” has the value of the email address. What I really want is to avoid configuration of KeyCloak with the IdP SAML_SUBJECT at all and just use the email attribute for everything.

Is this possible?

Thanks,
Moshe.



Moshe Ben-Shoham
R&D Director, System Architecture
Phone: +972-3-9260-137
Mobile: +972 54 4324480
Email: mosheb at perfectomobile.com



From: Hynek Mlnarik <hmlnarik at redhat.com>
Date: Tuesday, 10 January 2017 at 14:11
To: Moshe Ben-Shoham <mosheb at perfectomobile.com>
Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Using email attribute in SAML identity brokering

Use Username Template Importer mapper, configured in the identity provider mappers with template ${ATTRIBUTE.attribute-name} (adjust the attribute-name appropriately).

--Hynek

On Tue, Jan 10, 2017 at 11:21 AM, Moshe Ben-Shoham <mosheb at perfectomobile.com> wrote:
Hi,

We have a few clients integrated with a Keycloak realm, using email address as the user identifier.

Now we wish to integrate KeyCloak with external IdP using its identity brokering capabilities based on SAML. The problem is, the user identifier in the external IdP is not the email address but some other username. We are able to get the email as an attribute in the SAML assertion coming into KeyCloak, but the missing part is mapping the email attribute to the user identifier in KeyCloak - how do we do that?

Thanks!
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user



--

--Hynek
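As an added illustration of what Hynek's template does (this is not Keycloak's own code), the script below parses a constructed SAML assertion and expands `${ATTRIBUTE.email}` the way the Username Template Importer mapper would, so you can see that the brokered username comes from the attribute rather than from the SAML subject. The attribute name `email`, the sample subject `u12345` and the sample address are assumptions.

```python
"""Resolve a brokered username from a SAML assertion attribute.

Added illustration, not Keycloak's own implementation: it mimics the
Username Template Importer mapper for a template such as ${ATTRIBUTE.email}.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the IdP subject is an opaque username, while the
# e-mail travels as an attribute (the situation described in the thread).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>u12345</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>moshe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TEMPLATE_VAR = re.compile(r"\$\{ATTRIBUTE\.([^}]+)\}")


def parse_assertion(xml_text):
    """Return (subject NameID, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    nameid = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return nameid, attrs


def resolve_username(template, attrs):
    """Expand ${ATTRIBUTE.<name>} placeholders; fail closed if one is missing.

    A missing or multi-valued attribute must not silently yield a username
    that could link the login to the wrong Keycloak account.
    """
    def substitute(match):
        name = match.group(1)
        values = attrs.get(name, [])
        if len(values) != 1 or not values[0].strip():
            raise ValueError(f"attribute {name!r} missing or not single-valued")
        return values[0].strip()
    return TEMPLATE_VAR.sub(substitute, template)


if __name__ == "__main__":
    subject, attrs = parse_assertion(SAMPLE_ASSERTION)
    print("IdP subject :", subject)
    print("username    :", resolve_username("${ATTRIBUTE.email}", attrs))
```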

