keycloak-scim/server_admin/topics/clients/protocol-mappers.adoc

[[_protocol-mappers]]

=== OIDC Token and SAML Assertion Mappings

Applications that receive ID Tokens, Access Tokens, or SAML assertions may need or want different user metadata and roles.
{project_name} allows you to define what exactly is transferred.
You can hardcode roles, claims and custom attributes.
You can pull user metadata into a token or assertion.
You can rename roles.
Basically you have a lot of control of what exactly goes back to the client.

Within the Admin Console, if you go to an application you've registered, you'll see a `Mappers` tab.  Here's one for
an OIDC based client.

.Mappers Tab
image:{project_images}/mappers-oidc.png[]

The new client does not have any built-in mappers, however it usually inherits some mappers from the client scopes as described
in the <<_client_scopes, client scopes section>>. Protocol mappers map things like, for example, email address to
a specific claim in the identity and access token.  Their function should each be self explanatory from their name.  There
are additional pre-configured mappers that are not attached to the client that you can add
by clicking the `Add Builtin` button.

Each mapper has common settings as well as additional ones depending on which type of mapper you are adding.  Click the `Edit` button
next to one of the mappers in the list to get to the config screen.

.Mapper Config
image:{project_images}/mapper-config.png[]

The best way to learn about a config option is to hover over its tooltip.

Most OIDC mappers also allow you to control where the claim gets put.  You can opt to include or exclude the claim from both the
_id_ and _access_ tokens by fiddling with the `Add to ID token` and `Add to access token` switches.

Finally, you can also add other mapper types.  If you go back to the `Mappers` tab, click the `Create` button.

.Add Mapper
image:{project_images}/add-mapper.png[]

Pick a `Mapper Type` from the list box.  If you hover over the tooltip, you'll see a description of what that mapper type does.
Different config parameters will appear for different mapper types.
broker 2016-05-27 15:23:34 +00:00			`[[_protocol-mappers]]`
more clients 2016-05-20 20:52:41 +00:00
mappers 2016-05-24 18:16:54 +00:00			`=== OIDC Token and SAML Assertion Mappings`
add 2016-04-18 15:15:25 +00:00
			`Applications that receive ID Tokens, Access Tokens, or SAML assertions may need or want different user metadata and roles.`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`{project_name} allows you to define what exactly is transferred.`
add 2016-04-18 15:15:25 +00:00			`You can hardcode roles, claims and custom attributes.`
			`You can pull user metadata into a token or assertion.`
			`You can rename roles.`
clints 2016-05-20 00:15:52 +00:00			`Basically you have a lot of control of what exactly goes back to the client.`
add 2016-04-18 15:15:25 +00:00
mappers 2016-05-24 18:16:54 +00:00			Within the Admin Console, if you go to an application you've registered, you'll see a `Mappers` tab. Here's one for
			`an OIDC based client.`

			`.Mappers Tab`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`image:{project_images}/mappers-oidc.png[]`
mappers 2016-05-24 18:16:54 +00:00
KEYCLOAK-7075 Client scopes documentation (#389) 2018-06-08 13:39:15 +00:00			`The new client does not have any built-in mappers, however it usually inherits some mappers from the client scopes as described`
			`in the <<_client_scopes, client scopes section>>. Protocol mappers map things like, for example, email address to`
Minor changes for Clients chapter. 2016-06-03 13:12:04 +00:00			`a specific claim in the identity and access token. Their function should each be self explanatory from their name. There`
			`are additional pre-configured mappers that are not attached to the client that you can add`
mappers 2016-05-24 18:16:54 +00:00			by clicking the `Add Builtin` button.

Minor changes for Clients chapter. 2016-06-03 13:12:04 +00:00			Each mapper has common settings as well as additional ones depending on which type of mapper you are adding. Click the `Edit` button
mappers 2016-05-24 18:16:54 +00:00			`next to one of the mappers in the list to get to the config screen.`

			`.Mapper Config`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`image:{project_images}/mapper-config.png[]`
mappers 2016-05-24 18:16:54 +00:00
KEYCLOAK-7075 Client scopes documentation (#389) 2018-06-08 13:39:15 +00:00			`The best way to learn about a config option is to hover over its tooltip.`
mappers 2016-05-24 18:16:54 +00:00
			`Most OIDC mappers also allow you to control where the claim gets put. You can opt to include or exclude the claim from both the`
			_id_ and _access_ tokens by fiddling with the `Add to ID token` and `Add to access token` switches.

Minor changes for Clients chapter. 2016-06-03 13:12:04 +00:00			Finally, you can also add other mapper types. If you go back to the `Mappers` tab, click the `Create` button.
mappers 2016-05-24 18:16:54 +00:00
			`.Add Mapper`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`image:{project_images}/add-mapper.png[]`
mappers 2016-05-24 18:16:54 +00:00
			Pick a `Mapper Type` from the list box. If you hover over the tooltip, you'll see a description of what that mapper type does.
			`Different config parameters will appear for different mapper types.`