keycloak-scim/server_admin/topics/clients/protocol-mappers.adoc

54 lines
2.8 KiB
Text
Raw Normal View History

2016-05-27 15:23:34 +00:00
[[_protocol-mappers]]
2016-05-20 20:52:41 +00:00
2016-05-24 18:16:54 +00:00
=== OIDC Token and SAML Assertion Mappings
2016-04-18 15:15:25 +00:00
Applications that receive ID Tokens, Access Tokens, or SAML assertions may need or want different user metadata and roles.
2017-08-28 12:50:14 +00:00
{project_name} allows you to define what exactly is transferred.
2016-04-18 15:15:25 +00:00
You can hardcode roles, claims and custom attributes.
You can pull user metadata into a token or assertion.
You can rename roles.
2016-05-20 00:15:52 +00:00
Basically you have a lot of control of what exactly goes back to the client.
2016-04-18 15:15:25 +00:00
2016-05-24 18:16:54 +00:00
Within the Admin Console, if you go to an application you've registered, you'll see a `Mappers` tab. Here's one for
an OIDC based client.
.Mappers Tab
2017-08-28 12:50:14 +00:00
image:{project_images}/mappers-oidc.png[]
2016-05-24 18:16:54 +00:00
The new client does not have any built-in mappers, however it usually inherits some mappers from the client scopes as described
in the <<_client_scopes, client scopes section>>. Protocol mappers map things like, for example, email address to
2016-06-03 13:12:04 +00:00
a specific claim in the identity and access token. Their function should each be self explanatory from their name. There
are additional pre-configured mappers that are not attached to the client that you can add
2016-05-24 18:16:54 +00:00
by clicking the `Add Builtin` button.
2016-06-03 13:12:04 +00:00
Each mapper has common settings as well as additional ones depending on which type of mapper you are adding. Click the `Edit` button
2016-05-24 18:16:54 +00:00
next to one of the mappers in the list to get to the config screen.
.Mapper Config
2017-08-28 12:50:14 +00:00
image:{project_images}/mapper-config.png[]
2016-05-24 18:16:54 +00:00
The best way to learn about a config option is to hover over its tooltip.
2016-05-24 18:16:54 +00:00
Most OIDC mappers also allow you to control where the claim gets put. You can opt to include or exclude the claim from both the
_id_ and _access_ tokens by fiddling with the `Add to ID token` and `Add to access token` switches.
2016-06-03 13:12:04 +00:00
Finally, you can also add other mapper types. If you go back to the `Mappers` tab, click the `Create` button.
2016-05-24 18:16:54 +00:00
.Add Mapper
2017-08-28 12:50:14 +00:00
image:{project_images}/add-mapper.png[]
2016-05-24 18:16:54 +00:00
Pick a `Mapper Type` from the list box. If you hover over the tooltip, you'll see a description of what that mapper type does.
Different config parameters will appear for different mapper types.
==== Priority order
Mapper implementations have _priority order_. This priority order is not the configuration property of the mapper; rather, it is
the property of the concrete implementation of the mapper.
Mappers are sorted in the admin console by the order in the list of mappers and the changes in the token or assertion will be
applied using that order with the lowest being applied first. This means that implementations which are dependent on other
implementations are processed in the needed order.
For example, when we first want to compute the roles which will be included with a token, we first resolve audiences based on
those roles. Then, we process a JavaScript script that uses the roles and audiences already available in the token.