Fix confusing SAML NameId mapper format tooltip

Closes #26051
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
Michal Hajas 2024-01-26 10:33:20 +01:00 committed by Hynek Mlnařík
parent 7558bb8dce
commit de598577b1
3 changed files with 19 additions and 6 deletions

@ -199,4 +199,21 @@ link:{upgradingguide_link}[{upgradingguide_name}].
= Updates to cookies
Cookie handling code has been refactored and improved, including a new Cookie Provider. This provides better consistency
for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed.
for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed.
= SAML User Attribute Mapper For NameID now suggests only valid NameID formats
User Attribute Mapper For NameID allowed setting `Name ID Format` option to the following values:
- `urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName`
- `urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName`
- `urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos`
- `urn:oasis:names:tc:SAML:2.0:nameid-format:entity`
However, Keycloak does not support receiving `AuthnRequest` document with one of these `NameIDPolicy`, therefore these
mappers would never be used. The supported options were updated to only include the following Name ID Formats:
- `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`
- `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
- `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`
- `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`
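Review bot: the release note says which four formats remain but not what happens to a mapper that is already stored with one of the removed values (`X509SubjectName`, `WindowsDomainQualifiedName`, `kerberos`, `entity`); an upgrade note should state whether such mappers keep working, are ignored, or must be re-created, since an admin reading this section cannot tell. Also, the sentence "Keycloak does not support receiving `AuthnRequest` document with one of these `NameIDPolicy`, therefore these mappers would never be used" reads better as "Keycloak does not support receiving an `AuthnRequest` document with one of these `NameIDPolicy` formats, so mappers configured with them were never applied." Finally, the cookie paragraph line "for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed." appears twice in the hunk; if that is only a missing trailing newline being fixed it is fine, otherwise the duplicate should be dropped before merging.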

@ -494,7 +494,7 @@ clientTypeHelp='OpenID Connect' allows Clients to verify the identity of the End
addOpenIdProvider=Add OpenID Connect provider
memory=Memory
eventTypes.CLIENT_LOGIN.name=Client login
mapper.nameid.format.tooltip=Name ID Format using Mapper
mapper.nameid.format.tooltip=This mapper is applied only if the NameID format of the incoming AuthnRequest is equal to this value.
hideOnLoginPageHelp=If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.
eventTypes.UPDATE_PROFILE.description=Update profile
assignRolesTo=Assign roles to {{client}}
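Review bot: the new tooltip text covers only the case where the incoming `AuthnRequest` carries a `NameIDPolicy` equal to the selected value; it should also say what happens when the request carries no `NameIDPolicy` at all, otherwise an admin choosing `unspecified` (one of the four remaining formats) still cannot tell from the tooltip whether the mapper fires. Suggested wording: "This mapper is applied only when the NameIDPolicy format of the incoming AuthnRequest equals this value." (it is the policy's Format attribute that is compared, and "equals" reads more naturally than "is equal to").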

@ -23,10 +23,6 @@ public class NameIdMapperHelper {
List<String> types = new ArrayList<String>();
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_X509SUBJECTNAME.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_WINDOWS_DOMAIN_NAME.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_KERBEROS.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_ENTITY.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get());
property.setType(ProviderConfigProperty.LIST_TYPE);
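Review bot: narrowing the option list in `NameIdMapperHelper` does nothing for mappers whose config already holds one of the removed constants (`NAMEID_FORMAT_X509SUBJECTNAME`, `NAMEID_FORMAT_WINDOWS_DOMAIN_NAME`, `NAMEID_FORMAT_KERBEROS`, `NAMEID_FORMAT_ENTITY`); the stored value will no longer match any entry of the `LIST_TYPE` property, so the admin console will render an empty or unknown selection and nothing in this hunk validates or migrates it. Consider either a validation step that rejects the stale value with a clear message, or a short comment above the list pointing at #26051 explaining why only the four formats that Keycloak accepts in a `NameIDPolicy` are offered, so the removed entries are not re-added later. A small unit test asserting the exact contents of `types` would pin the behaviour as well.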