[keycloak-user] SAML Custom Attribute NameID
Adam Keily
adam.keily at adelaide.edu.au
Thu Mar 2 17:16:23 EST 2017
Thanks Muein. I’ll investigate using the custom mapper as you describe. Much appreciated.
Adam
From: shmuein at gmail.com [mailto:shmuein at gmail.com] On Behalf Of Muein Muzamil
Sent: Friday, 3 March 2017 2:12 AM
To: Adam Keily <adam.keily at adelaide.edu.au>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] SAML Custom Attribute NameID
Hi,
Currently, KeyCloak doesn't support this feature. We end up implementing a custom protocol mapper to support this feature. It is something like this.
public class SAMLLoginResponseMapperExtension extends AbstractSAMLProtocolMapper implements SAMLLoginResponseMapper {
    ...................
    public ResponseType transformLoginResponse(ResponseType response, ProtocolMapperModel mappingModel,
            KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) {
        // if the attributeName is configured, read the value from the user model
        String attributeValue = null;
        String attributeName = mappingModel.getConfig().get(NAME_ID_USER_ATTRIBUTE);
        if (StringUtils.isNotBlank(attributeName)) {
            UserModel user = userSession.getUser();
            if (StringUtils.indexOfAny(attributeName, new String[] { "firstName", "lastName", "username" }) != -1) {
                // built-in user properties are read through the UserModel getters
                attributeValue = ProtocolMapperUtils.getUserModelValue(user, attributeName);
            } else {
                // anything else is treated as a custom user attribute (first value wins)
                attributeValue = KeycloakModelUtils.resolveFirstAttribute(user, attributeName);
            }
        }
        // overwrite the Subject NameID of every assertion with the resolved value;
        // if nothing was resolved, leave Keycloak's default NameID in place instead of blanking it
        if (attributeValue != null) {
            for (RTChoiceType rtChoiceType : response.getAssertions()) {
                NameIDType nameIDType = (NameIDType) rtChoiceType.getAssertion().getSubject().getSubType().getBaseID();
                nameIDType.setValue(attributeValue);
            }
        }
        return response;
    }
    ..................
}
Regards,
Muein
On Wed, Mar 1, 2017 at 5:23 PM, Adam Keily <adam.keily at adelaide.edu.au> wrote:
Can anyone direct me on how to configure a custom attribute as the SubjectNameID for a SAML2 client? The format will be username but I want to use a custom attribute and not the username of the user.
I've tried various mapping configurations but they just get sent as attributes alongside the subject nameid.
Thanks
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user