
Set custom user attribute to Name ID Format for a SAML client


Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version: 13.0.0
    • Components: RH-SSO, SAML

    Description

      There is no existing way in Keycloak to set a custom user attribute as the NameID for a SAML client; currently it only supports the Name ID Formats below, as defined by the SAML specification:

      unspecified
      emailAddress
      persistent
      transient

      1) Default behavior
      --------------------------------------
      By default, when nothing is specified, the NameID returned in the subject is the username used to authenticate against Keycloak.

      Example
      (SAML traces obtained from the Keycloak SAML example.)
      https://github.com/keycloak/keycloak/tree/master/examples/saml

      bburke is the username of one of the registered users.

      The SAML XML exchange will provide SAML traces like this:
      <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      >bburke</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="ID_43a3efa3-35c8-4b00-92f7-90914272d7a4"
      NotOnOrAfter="2020-02-28T13:41:26.090Z"
      Recipient="http://localhost:8080/employee-sig/saml"
      />
      </saml:SubjectConfirmation>
      </saml:Subject>

      2) Using another attribute in the SAML response as subject
      ---------------------------------------------------------------------------------
      The requirement is to generate a SAML response that carries another user attribute as the subject, i.e. as the value of the NameID.

      Example
      username: bburke
      attribute: user_email: bburke@foo.com

      The expectation is that, after authentication against RH-SSO, the SAML response no longer carries bburke but something such as
      bburke@foo.com as the NameID.

      <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      >bburke@foo.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="ID_43a3efa3-35c8-4b00-92f7-90914272d7a4"
      NotOnOrAfter="2020-02-28T13:41:26.090Z"
      Recipient="http://localhost:8080/employee-sig/saml"
      />
      </saml:SubjectConfirmation>
      </saml:Subject>
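      The two traces above differ only in the NameID value, while the Format attribute stays "unspecified" in both. The following Python is an added example, not code from this issue or from Keycloak: it parses a Subject block like the ones quoted and performs the checks a service provider should make before trusting the NameID (accepted Format URN, bearer method, Recipient, InResponseTo and NotOnOrAfter). The two Subject blocks it works on are constructed from the issue's traces, with the assertion namespace declared on the Subject element so that each block parses on its own.

```python
"""Parse and sanity-check the <saml:Subject> of a SAML 2.0 assertion.

Added example, not part of the Keycloak issue.  The Subject blocks are
constructed from the traces quoted in the issue; the only addition is the
xmlns:saml declaration on the Subject element so each block parses alone.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# The NameID formats a Keycloak SAML client can be configured with (as listed in the issue).
KEYCLOAK_NAMEID_FORMATS = {
    "unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "emailAddress": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}


def subject_xml(name_id: str) -> str:
    """Build a Subject block with the attribute values quoted in the issue (constructed sample)."""
    return f"""<saml:Subject xmlns:saml="{SAML_NS}">
  <saml:NameID Format="{KEYCLOAK_NAMEID_FORMATS['unspecified']}">{name_id}</saml:NameID>
  <saml:SubjectConfirmation Method="{BEARER}">
    <saml:SubjectConfirmationData InResponseTo="ID_43a3efa3-35c8-4b00-92f7-90914272d7a4"
      NotOnOrAfter="2020-02-28T13:41:26.090Z"
      Recipient="http://localhost:8080/employee-sig/saml"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""


DEFAULT_SUBJECT = subject_xml("bburke")            # 1) default behaviour: username as NameID
ATTRIBUTE_SUBJECT = subject_xml("bburke@foo.com")  # 2) custom user attribute as NameID


def parse_time(value: str) -> datetime:
    """Parse the xsd:dateTime used in SAML ('Z' suffix means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_subject(xml_text: str) -> dict:
    """Extract NameID, its Format and the bearer confirmation data from a Subject element."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:NameID", NS)
    conf = root.find("saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS)
    return {
        "name_id": (name_id.text or "").strip(),
        "format": name_id.get("Format"),
        "method": conf.get("Method"),
        "in_response_to": data.get("InResponseTo"),
        "recipient": data.get("Recipient"),
        "not_on_or_after": parse_time(data.get("NotOnOrAfter")),
    }


def check_subject(subject: dict, *, expected_recipient: str, expected_request_id: str,
                  now: datetime, allowed_formats: set) -> list:
    """Return the reasons an SP should reject this Subject; an empty list means it is acceptable."""
    problems = []
    if subject["format"] not in allowed_formats:
        problems.append(f"NameID Format not accepted: {subject['format']}")
    # A Format of emailAddress promises an e-mail address; a mismatch hints at a misconfigured mapper.
    if subject["format"] == KEYCLOAK_NAMEID_FORMATS["emailAddress"] and "@" not in subject["name_id"]:
        problems.append("Format is emailAddress but the NameID is not an e-mail address")
    if subject["method"] != BEARER:
        problems.append(f"unexpected SubjectConfirmation Method: {subject['method']}")
    if subject["recipient"] != expected_recipient:
        problems.append(f"Recipient {subject['recipient']} is not this SP's ACS URL")
    if subject["in_response_to"] != expected_request_id:
        problems.append("InResponseTo does not match an AuthnRequest this SP issued")
    if now >= subject["not_on_or_after"]:
        problems.append("SubjectConfirmationData has expired (NotOnOrAfter reached)")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_SUBJECT), ("attribute", ATTRIBUTE_SUBJECT)):
        subj = parse_subject(xml_text)
        issues = check_subject(
            subj,
            expected_recipient="http://localhost:8080/employee-sig/saml",
            expected_request_id="ID_43a3efa3-35c8-4b00-92f7-90914272d7a4",
            now=parse_time("2020-02-28T13:40:00.000Z"),
            allowed_formats={KEYCLOAK_NAMEID_FORMATS["unspecified"]},
        )
        print(label, subj["name_id"], "OK" if not issues else issues)
```

      Because the desired behaviour keeps Format at "unspecified" while the value becomes an e-mail address, an SP that keys its accounts on the NameID should also pin the Format it accepts (the allowed_formats set above) so that a later change of the client's Name ID Format does not silently re-map users.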

      People

        Assignee: Unassigned
        Reporter: rhn-support-sshriram Saurabh Shriramwar