Fix confusing SAML NameId mapper format tooltip

Closes #26051
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
Michal Hajas 2024-01-26 10:33:20 +01:00 committed by Hynek Mlnařík
parent 7558bb8dce
commit de598577b1
3 changed files with 19 additions and 6 deletions


@ -200,3 +200,20 @@ link:{upgradingguide_link}[{upgradingguide_name}].
Cookie handling code has been refactored and improved, including a new Cookie Provider. This provides better consistency
for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed.
= SAML User Attribute Mapper For NameID now suggests only valid NameID formats
User Attribute Mapper For NameID allowed setting `Name ID Format` option to the following values:
- `urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName`
- `urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName`
- `urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos`
- `urn:oasis:names:tc:SAML:2.0:nameid-format:entity`
However, Keycloak does not support receiving `AuthnRequest` document with one of these `NameIDPolicy`, therefore these
mappers would never be used. The supported options were updated to only include the following Name ID Formats:
- `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`
- `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
- `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`
- `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`
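Review bot: the sentence "Keycloak does not support receiving `AuthnRequest` document with one of these `NameIDPolicy`, therefore these mappers would never be used" is missing an article and a plural; suggest "Keycloak does not support receiving an `AuthnRequest` document with one of these `NameIDPolicy` values, so mappers configured with them would never be applied." The note also says nothing about mappers that were already saved with one of the four removed formats: readers of the upgrading guide will want to know whether such mappers keep working, are silently ignored, or must be reconfigured, so add one sentence stating which it is.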


@ -494,7 +494,7 @@ clientTypeHelp='OpenID Connect' allows Clients to verify the identity of the End
addOpenIdProvider=Add OpenID Connect provider
memory=Memory
eventTypes.CLIENT_LOGIN.name=Client login
mapper.nameid.format.tooltip=Name ID Format using Mapper
mapper.nameid.format.tooltip=This mapper is applied only if the NameID format of the incoming AuthnRequest is equal to this value.
hideOnLoginPageHelp=If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.
eventTypes.UPDATE_PROFILE.description=Update profile
assignRolesTo=Assign roles to {{client}}
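Review bot: only this one message bundle is changed (the commit stats list three files: this bundle, the release notes and the Java helper), so every other locale keeps showing the old "Name ID Format using Mapper" tooltip until it is translated; that is the normal flow for bundles, but it is worth saying in the PR so translators pick the new key text up. Wording nit on the new `mapper.nameid.format.tooltip` value: "is equal to this value" reads more naturally as "matches this value".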


@ -23,10 +23,6 @@ public class NameIdMapperHelper {
List<String> types = new ArrayList<String>();
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_X509SUBJECTNAME.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_WINDOWS_DOMAIN_NAME.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_KERBEROS.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_ENTITY.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
types.add(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get());
property.setType(ProviderConfigProperty.LIST_TYPE);
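Review bot: removing the four `types.add(...)` lines only narrows the choices the admin UI list offers; nothing in this hunk rejects a mapper whose stored configuration already holds one of the removed formats, or one set to such a value through the admin REST API, so the documentation claim that those mappers are never applied should be backed by a server-side check of the configured value (or the docs should describe the fallback). Style nit while here: `new ArrayList<String>()` can use the diamond operator, or, since the list is built only from constants, the whole block can become a single `Arrays.asList(...)` literal.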