[keycloak-user] IdentityBroker SAML transient NameID-Format
keycloak at phoefer.at
Sat Aug 17 10:49:32 EDT 2019
Hi,
I'm using Keycloak for identity brokering with an external SAML identity provider.
Unfortunately the external SAML provider only supports a transient NameID:
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">vyT0gx7o0uo3MtklFqAXRg1Lmy9HuKZBYB6My5jzU7E=</NameID>
...
</Subject>
When I log in through the external IdP, Keycloak generates a local user and links it with this (temporary) broker ID.
If I log in again later, another, different temporary user is generated.
Is there a possibility to
a) use some SAML attributes as the broker ID (because they include a "unique" external user ID), so that only one Keycloak account is created for one external user,
or b) not create an internal Keycloak user at all?
Or maybe you have another good idea for handling the issue without ending up with thousands of KC users ;-)
Thanks for your help
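As an added illustration (not part of this thread and not Keycloak's own code): a small Python simulation of the two linking strategies described above. It parses two constructed assertions for the same external user, one per login, and shows that linking on the transient NameID yields one local account per login while linking on a stable SAML attribute (the attribute name externalUserId is an assumption) yields a single account.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed assertion template: the NameID is transient (a new value on
# every login) while the attribute "externalUserId" is stable for the user.
TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="{fmt}">{nameid}</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="externalUserId">
      <saml:AttributeValue>{ext_id}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Two logins of the same external user (constructed sample data, the second
# NameID value is made up).
LOGINS = [
    TEMPLATE.format(fmt=TRANSIENT, nameid="vyT0gx7o0uo3MtklFqAXRg1Lmy9HuKZBYB6My5jzU7E=", ext_id="ext-12345"),
    TEMPLATE.format(fmt=TRANSIENT, nameid="c2Vjb25kLWxvZ2luLXRyYW5zaWVudC1pZA==", ext_id="ext-12345"),
]


def broker_id(assertion_xml, attribute_name=None):
    """Return the identifier a broker would link the local account to.

    attribute_name=None links on the Subject NameID; otherwise the value of
    the named SAML attribute is used as the link.
    """
    # Sample input is trusted here; real SAML responses need signature
    # validation and a hardened XML parser before anything is read from them.
    root = ET.fromstring(assertion_xml)
    if attribute_name is None:
        name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
        if name_id.get("Format") == TRANSIENT:
            # A transient NameID only identifies one session, so it cannot be
            # a stable link to a local user.
            print("warning: linking on a transient NameID")
        return name_id.text
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            return attr.find("saml:AttributeValue", SAML_NS).text
    raise ValueError(f"attribute {attribute_name!r} not present in assertion")


def linked_accounts(assertions, attribute_name=None):
    """Simulate first-broker-login: one local account per distinct broker id."""
    return {broker_id(a, attribute_name) for a in assertions}


if __name__ == "__main__":
    print(len(linked_accounts(LOGINS)))                    # 2: one account per login
    print(len(linked_accounts(LOGINS, "externalUserId")))  # 1: a single account
```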