libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

KEYCLOAK-13950 SAML2 Identity Provider - Send Subject in SAML requests

Browse source
This commit is contained in:
Lorent Lempereur 2020-07-24 21:42:12 +02:00 committed by GitHub
parent e23020eb3f
commit 1b37a849bc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
server_admin/topics/identity-broker/saml.adoc
View file

@ -64,6 +64,9 @@ You must define the SAML configuration options as well. They basically describe
|Validating X509 Certificate
|The public certificate that will be used to validate the signatures of SAML requests and responses from the external IDP.
|Pass subject
|Whether or not a `login_hint` query parameter should be forwarded to the IDP. When provided, this login_hint parameter is added to AuthnRequest's Subject. This allows destination providers to prefill their login form. When no login_hint is provided, nothing is forwarded as an AuthnRequest Subject.
|===
@ -87,4 +90,16 @@ This metadata is also available publicly by going to the URL.
http[s]://{host:port}/auth/realms/{realm-name}/broker/{broker-alias}/endpoint/descriptor
----
[[_identity_broker_saml_login_hint]]
==== Send Subject in SAML requests
By default, a social button pointing to a SAML Identity Provider redirects the user to a login URL:
[source]
----
http[s]://{host:port}/auth/realms/${realm-name}/broker/{broker-alias}/login
----
Adding a query parameter named `login_hint` to this URL will add its value to SAML request as a Subject attribute. When this query parameter is absent or left empty, no subject will be added to the request.
"Pass subject" option must be enabled.