[keycloak-user] simplesamlphp attribute is expected but missing

Hynek Mlnarik hmlnarik at redhat.com
Mon Oct 9 08:43:38 EDT 2017

Most likely you need to set up an attribute mapper for the SAML client
(Wordpress) in Keycloak [1]. That mapper would map the (Keycloak's) user
e-mail into a SAML attribute named "mail".

If that does not help, check the contents of the SAML response via SAML Tracer or
a similar tool.



On Mon, Oct 9, 2017 at 2:14 PM, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:

> Hello,
> I'm trying to authenticate Wordpress users with the help of the
> wp-saml-auth
> plugin <https://wordpress.org/plugins/wp-saml-auth/> and the simplesamlphp
> library <https://simplesamlphp.org/>. I'm not sure if this is an issue on
> the Keycloak side or on the PHP side, hopefully someone can point me in the
> right direction.
> The redirect from the Wordpress login page to Keycloak is going fine, so I
> log in on the Keycloak page, but after the redirect back to Wordpress, I'm
> getting this error:
> "mail" attribute is expected, but missing, in SAML response. Attribute is
> used to fetch existing user by "email". Please contact your administrator.
> The user has an email address and is coming from an AD federation. There is
> a user-attribute-ldap-mapper set up that maps the User Model Attribute
> 'email' to LDAP attribute 'mail'. I tried setting up a User Property mapper
> in the client that maps the property 'email' to SAML Attribute name 'email'
> (also tested with 'mail'), but it didn't make a difference in the error
> message.
> What am I missing? Does the application need to request the SAML-attributes
> explicitly? Is there a way to intercept the SAML-response in the browser?
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
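
The check suggested in the reply above, as an added example that is not part of the original thread: decode a captured SAMLResponse form field (for instance one copied out of SAML Tracer) and list the attribute names the IdP actually sent. It assumes the HTTP-POST binding (plain base64) and an unencrypted assertion; the function names and the sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def saml_attributes(saml_response_b64):
    """Return {attribute Name: [values]} from a base64 SAMLResponse form field.

    Diagnostic only: no signature validation is done, and an encrypted
    assertion (saml:EncryptedAssertion) is not decrypted, so it yields nothing.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def missing_attributes(saml_response_b64, expected=("mail",)):
    """Names the service provider expects that the response does not carry."""
    present = saml_attributes(saml_response_b64)
    return [name for name in expected if name not in present]

def _constructed_response(attr_name):
    # Constructed sample, not a real Keycloak response: one user attribute.
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{attr_name}">
        <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

WITH_EMAIL = _constructed_response("email")  # attribute sent under another name
WITH_MAIL = _constructed_response("mail")    # attribute sent as "mail"

if __name__ == "__main__":
    for label, resp in (("email", WITH_EMAIL), ("mail", WITH_MAIL)):
        print(label, saml_attributes(resp), "missing:", missing_attributes(resp))
```

If the output shows no attributes at all, the response has no AttributeStatement or the assertion is encrypted, which points at the client's mapper or encryption settings rather than at the attribute name.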


