[keycloak-user] Configuring unique user identifiers

Paolo Tedesco Paolo.Tedesco at cern.ch
Tue Jun 11 05:00:11 EDT 2019


Hi all,

I'm trying to set up Keycloak as the Single Sign-On service at CERN, to replace our current service based on ADFS.

I would like to customize the unique identifiers used by Keycloak in its internal user database, to avoid possible email or username clashes.

My problem is that, in our environment, we allow users to change their email address, and also to use an external (non-CERN) address as their mail, and we saw that a user changing mail can lead to problems with Keycloak.

We tried using logins instead of emails as unique identifiers, but that creates possible clashes as well, as we don't have control over external IDPs logins.
We want to avoid that in case of these clashes the external IDP user is prompted to join their account to one of our accounts.
We thought that, to avoid this kind of clash, we could add a postfix to the login, so that for example my CERN account could be identified as "ptedesco at cern.ch", without clashing with "ptedesco at github.com", but we couldn't find a way to do this, especially for Github or other social providers.
Is there a way to customize the unique user identifiers in Keycloak, either through configuration, or by coding some extension?

Thanks,
Paolo Tedesco
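An added example (not part of the thread, and not Keycloak's own code) of one way to do this with an extension: a custom identity-provider mapper that appends "@<idp alias>" to every brokered username before Keycloak looks the user up, so an external "ptedesco" can never match a local "ptedesco" and the account-linking prompt is never triggered. Assumptions: the class name and mapper id are placeholders, and the code is written against the `AbstractIdentityProviderMapper` SPI (`org.keycloak.broker.provider`) as it exists in Keycloak 4.x to 6.x.

```java
import java.util.Collections;
import java.util.List;

import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Hypothetical IdP mapper: appends "@<idp alias>" to every brokered username, so
 * "ptedesco" arriving from the "github" provider is stored as "ptedesco@github"
 * and can never collide with a local "ptedesco" account (mapper id is made up).
 */
public class IdpNamespacedUsernameMapper extends AbstractIdentityProviderMapper {

    public static final String PROVIDER_ID = "idp-namespaced-username-mapper";
    // ANY_PROVIDER ("*") makes the mapper selectable for every IdP type, social ones included.
    private static final String[] COMPATIBLE_PROVIDERS = {ANY_PROVIDER};

    @Override public String[] getCompatibleProviders() { return COMPATIBLE_PROVIDERS; }
    @Override public String getDisplayCategory() { return "Preprocessor"; }
    @Override public String getDisplayType() { return "IdP-namespaced username"; }
    @Override public String getHelpText() { return "Appends '@<idp alias>' to the brokered username."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public String getId() { return PROVIDER_ID; }

    // Runs before Keycloak looks up or creates the user, i.e. before the
    // first-broker-login "account already exists, link it?" prompt can trigger.
    @Override
    public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm,
                                            IdentityProviderMapperModel mapperModel,
                                            BrokeredIdentityContext context) {
        String alias = context.getIdpConfig().getAlias();
        String username = context.getUsername();
        if (username == null || username.isEmpty()) {
            // No username from the IdP: fall back to its stable subject id, not the (mutable) email.
            username = context.getId();
        }
        String suffix = "@" + alias;
        if (!username.endsWith(suffix)) {      // idempotent across repeated logins
            context.setUsername(username + suffix);
        }
    }
}
```

Register the class in `META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper`, deploy the jar, then add the mapper to each identity provider in the admin console. Keycloak's built-in "Username Template Importer" mapper can do the same with a template such as `${ALIAS}.${CLAIM.preferred_username}`, but it is only offered for OIDC and SAML providers, not for the social providers mentioned above.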

