[keycloak-user] SAML Identity Provider Name ID format(s), which one to choose?

Daniel Teixeira ddtxra at gmail.com
Tue Jul 10 10:24:04 EDT 2018


Dear community,

I am trying to configure SAML Identity Providers (for Universities) but I
don't know which NameID Policy Format to choose. In my scenario, the
University users must be linked to LDAP User Federation, and users should be
able to log in to applications in both ways (either with LDAP or University
credentials).

I have tried the following configuration for the SAML Identity Provider:
Persistent, email and unspecified. And here are the problems I get:

*Persistent*: Works "OK" but I have 2 issues with it:
1) Logout does not work well, because apparently Keycloak does not send
NameQualifier and SPNameQualifier in the LogoutRequest; more information
here: https://issues.shibboleth.net/jira/browse/IDP-1297

2) The persistent NameID may not be "so persistent" in my case, because the
IdP takes the domain where Keycloak runs to make the persistent NameID, and
therefore if I change the hostname of my Keycloak instance, things may
break in the future. Moreover, it does not help with test / dev environments
where the hostname is different (but this is not a problem of Keycloak, I
assume)...

*unspecified*: I tried unspecified (which, correct me if I am wrong, but
maybe it corresponds to the transient NameID?). In this case, the problem
is that it works the first time, but the second time, since it generates a
new ID, Keycloak sees a user with the same email already, or if the user is
not there, it creates a new user every time....
I have tried to create a mapper in the IdP mappers (Preprocessor Username
Template Importer), but this didn't fix the problem. In the Provider User
ID and Provider Username it always takes the random/transient? NameID, and
for my use case, Provider User ID and Provider Username should not
change.


*email*: I have tried to use email, but I get a non-informative error: "An
error occurred." and if I look at the logs in DEBUG mode I don't see
much valuable information:

15:32:34,996 DEBUG [org.keycloak.services.resources.IdentityBrokerService]
(default task-31) Authorization code is valid.
15:32:34,997 WARN  [org.keycloak.events] (default task-31)
type=FEDERATED_IDENTITY_LINK_ERROR, realmId=******, clientId=account,
userId=******, ipAddress=******, error=An error occurred.,
code_id=bc92ef2d-5a0c-458c-a3a8-40c91ec13140, username=*****
15:32:34,998 ERROR [org.keycloak.services.resources.IdentityBrokerService]
(default task-31) An error occurred.
15:32:35,014 DEBUG [org.keycloak.transaction.JtaTransactionWrapper]
(default task-31) JtaTransactionWrapper  commit
15:32:35,014 DEBUG [org.keycloak.transaction.JtaTransactionWrapper]
(default task-31) JtaTransactionWrapper end

Can someone point me to the light side of the force :) ?

Thank you very much in advance,
Daniel Teixeira
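The following is an added example to accompany the post; it is not code from the post, from Keycloak or from Shibboleth. It shows the two mechanics the post runs into: why a persistent NameID is only "the same" identifier when the LogoutRequest repeats its NameQualifier and SPNameQualifier (the IDP-1297 symptom), and why a transient or unspecified-format NameID is not a safe key for linking a brokered identity to a local user. The assertion, the IdP/SP entity IDs (idp.example.edu, keycloak.example.org) and the NameID value are constructed sample data; the comparison follows the SAML 2.0 Core rule that name identifiers are compared on Format, NameQualifier, SPNameQualifier and value.

```python
"""Added example (not from the mailing-list post, Keycloak or Shibboleth).

Parse the NameID out of a constructed SAML 2.0 assertion, build a
LogoutRequest from it, and check whether the LogoutRequest's NameID still
matches the one the IdP issued. Entity IDs and values are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}

FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample assertion (signature and conditions omitted). The
# SPNameQualifier is the broker's entity ID, i.e. it embeds the Keycloak
# hostname, which is why a hostname change yields a different NameID.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" IssueInstant="2018-07-10T13:32:34Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{FMT_PERSISTENT}" NameQualifier="https://idp.example.edu/idp/shibboleth" SPNameQualifier="https://keycloak.example.org/auth/realms/demo">8f2e3c1a-persistent-value</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def parse_name_id(xml_text: str, path: str = "saml:Subject/saml:NameID") -> dict:
    """Return Format, both qualifiers and the value of the NameID found at
    `path` (Subject/NameID in an assertion, NameID directly in a LogoutRequest).
    A missing Format attribute means 'unspecified' per SAML Core."""
    root = ET.fromstring(xml_text)
    el = root.find(path, NS)
    if el is None:
        raise ValueError(f"no NameID at {path}")
    return {
        "value": (el.text or "").strip(),
        "format": el.get("Format", FMT_UNSPECIFIED),
        "name_qualifier": el.get("NameQualifier"),
        "sp_name_qualifier": el.get("SPNameQualifier"),
    }


def is_stable_identifier(name_id: dict) -> bool:
    """True if the NameID may serve as the key linking a brokered identity to
    a local user. Transient values change per login; 'unspecified' leaves the
    semantics to the deployment, so nothing guarantees stability there."""
    return name_id["format"] in (FMT_PERSISTENT, FMT_EMAIL)


def name_ids_match(a: dict, b: dict) -> bool:
    """SAML 2.0 Core comparison: Format, NameQualifier, SPNameQualifier and
    the value must all agree, so dropping a qualifier breaks the match."""
    return all(a[k] == b[k] for k in ("value", "format", "name_qualifier", "sp_name_qualifier"))


def build_logout_request(name_id: dict, issuer: str, request_id: str,
                         issue_instant: str, session_index: Optional[str] = None) -> str:
    """Build a samlp:LogoutRequest whose NameID repeats the issued NameID
    verbatim, qualifiers included."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest",
                     {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    nid = ET.SubElement(req, f"{{{SAML}}}NameID", {"Format": name_id["format"]})
    # Copy the qualifiers: without them the IdP cannot tie the request to the
    # session it created for this persistent NameID.
    if name_id["name_qualifier"]:
        nid.set("NameQualifier", name_id["name_qualifier"])
    if name_id["sp_name_qualifier"]:
        nid.set("SPNameQualifier", name_id["sp_name_qualifier"])
    nid.text = name_id["value"]
    if session_index:
        ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    issued = parse_name_id(SAMPLE_ASSERTION)
    sp = "https://keycloak.example.org/auth/realms/demo"
    complete = build_logout_request(issued, sp, "_lr1", "2018-07-10T13:40:00Z")
    stripped = build_logout_request({**issued, "name_qualifier": None, "sp_name_qualifier": None},
                                    sp, "_lr2", "2018-07-10T13:40:00Z")
    print("stable for linking:", is_stable_identifier(issued))
    print("logout with qualifiers matches:", name_ids_match(issued, parse_name_id(complete, "saml:NameID")))
    print("logout without qualifiers matches:", name_ids_match(issued, parse_name_id(stripped, "saml:NameID")))
```

Running the script prints that the persistent NameID is stable, that a LogoutRequest carrying both qualifiers matches the issued NameID, and that the same request with the qualifiers stripped does not. The same `name_ids_match` check also explains the "not so persistent" remark: because SPNameQualifier is the broker's own entity ID, a broker deployed under a different hostname presents a different SPNameQualifier and therefore gets a different persistent identifier from the IdP.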
