[keycloak-user] IdentityBroker SAML transient NameID-Format
Václav Muzikář
vmuzikar at redhat.com
Fri Aug 23 07:33:42 EDT 2019
Hello,
sorry for the late reply.
I believe you could use "Username Template Importer" Mapper. You can find
it in the Admin Console --> Identity Providers --> [your SAML IdP] -->
Mappers tab.
V.
On Sat, Aug 17, 2019 at 4:59 PM <keycloak at phoefer.at> wrote:
> Hi,
>
> I'm using Keycloak for IdentityBrokering with an external
> SAML-Identity-Provider
> Unfortunately the external SAML Provider only supports transient NameID
>
> <Subject>
> <NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">vyT0gx7o0uo3MtklFqAXRg1Lmy9HuKZBYB6My5jzU7E=</NameID>
> ...
> </Subject>
>
> When I log-in through the external IDP Keycloak generates a local user and
> links it with this (temporary) Broker-ID.
> If I log-in again later, another different temporary user is generated.
>
> Is there a possibility to
> a) use some SAML-Attributes as brokerID (because they include a "unique"
> ExternalUser-ID) - so only one keycloak account is created for one external
> user
> or b) do not create an internal keycloak user at all
>
> Or maybe you have another good idea for handling the issue without ending
> up with thousands of KC-users ;-)
>
> Thanks for help
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Václav Muzikář
Senior Quality Engineer
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.
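The thread above does not show the mechanics, so here is an added example (written for this page, not code from the thread or from the Keycloak project) that simulates what the original poster observed and what the suggested mapper changes. It parses two constructed SAML assertions for the same external user: the transient NameID differs between the two logins while an attribute carrying the external user id stays constant. Linking on `${ALIAS}.${NAMEID}` produces a new local account per login; a username template that references the stable attribute collapses both logins onto one account. The placeholder vocabulary (`${ALIAS}`, `${NAMEID}`, `${ATTRIBUTE.<Name>}`) is the one documented for Keycloak's Username Template Importer; the attribute name `ExternalUserId`, the second NameID value and the alias `ext-saml` are assumptions.

```python
"""Added example: why a transient SAML NameID is not a usable broker link,
and how a username template over a stable SAML attribute fixes it.
Both assertions below are constructed samples for the same external user."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Login 1: the NameID value is the one quoted in the thread.
ASSERTION_LOGIN_1 = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">vyT0gx7o0uo3MtklFqAXRg1Lmy9HuKZBYB6My5jzU7E=</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="ExternalUserId"><saml:AttributeValue>ext-12345</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Login 2: same user, same attributes, but a fresh (constructed) transient NameID.
ASSERTION_LOGIN_2 = ASSERTION_LOGIN_1.replace(
    "vyT0gx7o0uo3MtklFqAXRg1Lmy9HuKZBYB6My5jzU7E=", "Q2xlYXJseS1hLWRpZmZlcmVudC1vcGFxdWUtaWQ=")


def parse_assertion(xml_text):
    """Extract NameID value, its Format and the attribute statement (values as lists)."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "nameid": (name_id.text or "").strip() if name_id is not None else "",
        "format": name_id.get("Format", "") if name_id is not None else "",
        "attributes": attrs,
    }


_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def render_username(template, alias, parsed):
    """Substitute ${ALIAS}, ${NAMEID} and ${ATTRIBUTE.<Name>}; unknown or missing
    placeholders raise so a misconfigured template fails loudly instead of
    silently producing an empty username."""
    def sub(match):
        key = match.group(1)
        if key == "ALIAS":
            return alias
        if key == "NAMEID":
            return parsed["nameid"]
        if key.startswith("ATTRIBUTE."):
            name = key[len("ATTRIBUTE."):]
            if name not in parsed["attributes"]:
                raise KeyError(f"assertion carries no attribute {name!r}")
            return parsed["attributes"][name][0]
        raise KeyError(f"unknown placeholder {key!r}")
    return _PLACEHOLDER.sub(sub, template)


def template_is_stable(template, parsed):
    """False when the template depends on a NameID whose Format is transient:
    such a username changes on every login, so every login creates a new user."""
    return not ("${NAMEID}" in template and parsed["format"] == TRANSIENT)


def simulate_broker_logins(assertions, template, alias="ext-saml"):
    """Return the local usernames that brokering would create, in creation order."""
    created = []
    for xml_text in assertions:
        username = render_username(template, alias, parse_assertion(xml_text))
        if username not in created:
            created.append(username)
    return created


if __name__ == "__main__":
    logins = [ASSERTION_LOGIN_1, ASSERTION_LOGIN_2]
    for tpl in ("${ALIAS}.${NAMEID}", "${ATTRIBUTE.ExternalUserId}"):
        users = simulate_broker_logins(logins, tpl)
        stable = template_is_stable(tpl, parse_assertion(ASSERTION_LOGIN_1))
        print(f"{tpl:30} stable={stable} local users after 2 logins: {users}")
```

The `template_is_stable` check is the one worth keeping around: it only needs the NameID `Format` from the first assertion an IdP sends, so it can flag a transient-NameID IdP before the first duplicate account appears.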