Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 4.1.0.Final
    • Fix Version/s: 9.0.0
    • Component/s: Protocol - SAML
    • Labels:
      None
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Seems like Keycloak always uses the saml:NameID to identify a SAML user.
      In org.keycloak.broker.saml.SAMLEndpoint we see:

      BrokeredIdentityContext identity = new BrokeredIdentityContext(subjectNameID.getValue());
      ...
      identity.setUsername(subjectNameID.getValue());

      However this is not a good practice, see recommendations here:
      https://kantarainitiative.github.io/SAMLprofiles/saml2int.html

      SPs MUST NOT require the presence of a <saml:NameID> element and MUST NOT rely on the content of this element for long term identification of subjects; <saml:Attribute> elements MUST be used for this purpose in the manner detailed below.

      Keycloak should provide a field when configuring a SAML Identity Provider to choose the custom attribute (saml:Attribute) to "identify" a user. This can be the 'mail' attribute for example (urn:oid:0.9.2342.19200300.100.1.3).

      Ideally, it should be possible to configure the matching rule (e.g. case-sensitive or case-ignore) to apply to the identifier. For example if the attribute 'mail' is chosen to identify a user, the comparison should be case-ignore: https://tools.ietf.org/html/rfc4524#section-2.16

      See keycloak-dev archive:
      http://lists.jboss.org/pipermail/keycloak-dev/2018-July/011053.html
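      The identifier selection the ticket asks for, shown as a stand-alone added example in Python (it is not Keycloak code and does not use Keycloak's SAMLEndpoint API; the class and function names, and the sample assertion, are constructed for illustration). It reads the configured <saml:Attribute> (here the 'mail' OID from the description) as the long-term identifier, keeps <saml:NameID> only for session purposes, and applies a configurable case-insensitive matching rule so that two logins with differently cased mail values resolve to the same user. It assumes the assertion's signature and conditions have already been validated before this step runs.

```python
"""Pick a broker identifier from a configured SAML attribute, not from NameID.

Added example, not Keycloak code. Assumes the assertion passed in has already
been signature-checked and its Conditions validated by the caller.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# 'mail' attribute OID as given in the ticket (RFC 4524 'mail', case-ignore).
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"

# Constructed sample assertion for illustration only (unsigned, trimmed).
# The NameID is transient, so it is useless as a long-term identifier.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Alice.Smith@Example.ORG</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class IdentifierConfig:
    """Hypothetical per-IdP setting: which attribute identifies the user and how to compare it."""
    attribute_name: str      # SAML Attribute Name (URI/OID form), e.g. MAIL_OID
    case_insensitive: bool   # matching rule: True for 'mail' (caseIgnoreIA5Match)


@dataclass(frozen=True)
class BrokeredIdentity:
    identifier: str   # normalized long-term identifier taken from the attribute
    username: str     # what the broker would expose as username
    name_id: str      # NameID kept only for session/logout correlation


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Collect every <saml:Attribute> Name with all of its AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name") or ""
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def normalize(value: str, cfg: IdentifierConfig) -> str:
    """Apply the configured matching rule so stored and incoming values compare equal."""
    return value.casefold() if cfg.case_insensitive else value


def resolve_broker_identifier(assertion_xml: str, cfg: IdentifierConfig) -> BrokeredIdentity:
    """Build the identity from the configured attribute; never fall back to NameID.

    A missing, empty or multi-valued identifier attribute is rejected outright:
    silently using NameID instead would reintroduce the problem the ticket describes.
    """
    root = ET.fromstring(assertion_xml)
    name_id_el = root.find("saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""

    values = extract_attributes(assertion_xml).get(cfg.attribute_name, [])
    if len(values) != 1 or not values[0]:
        raise ValueError(
            f"identifier attribute {cfg.attribute_name!r} must be present exactly once "
            f"with a non-empty value (got {values!r})"
        )
    ident = normalize(values[0], cfg)
    return BrokeredIdentity(identifier=ident, username=ident, name_id=name_id)


def same_subject(stored: str, incoming: str, cfg: IdentifierConfig) -> bool:
    """Compare a stored identifier with one from a fresh assertion under the matching rule."""
    return normalize(stored, cfg) == normalize(incoming, cfg)


if __name__ == "__main__":
    cfg = IdentifierConfig(attribute_name=MAIL_OID, case_insensitive=True)
    print(resolve_broker_identifier(SAMPLE_ASSERTION, cfg))
```

      With case_insensitive set, "Alice.Smith@Example.ORG" and "alice.smith@example.org" map to one identifier; with it unset they are two different users, which is the behaviour the description wants to be configurable per attribute. Rejecting a missing attribute instead of falling back to NameID is a deliberate choice here, since the saml2int quote above forbids relying on NameID for long-term identification.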


                People

                • Assignee:
                  hmlnarik Hynek Mlnařík
                • Reporter:
                  ddtxra Daniel Teixeira
                • Votes:
                  1
                • Watchers:
                  5
