Open NicolasLiampotis opened 3 years ago
@laskasn We need to check the following:
I have set up a keycloak instance to serve as SP (let's call it SP). I have also set up another 2 keycloak instances (let's call them IDP1 and IDP2), which serve as IdPs for the SP.
I have performed the following scenarios:
Scenario A:
Scenario B:
The problem is that the user cannot delete himself (user profile B) in order to recreate it by following the process of scenario A. That's bad.
Regarding the sync mode, if it's set to "import", then it will not update the hash on any subsequent logins after the first login.
I created a pluggable hash-id mapper which can be found here: https://github.com/laskasn/keycloak-idp-hashedId-mapper
This first version does not contain any code to process the
This is something which we have to discuss before doing the implementation.
Also created a JavaScript IdP mapper, which can be found here: https://github.com/eosc-kc/keycloak/tree/63
Opened a pull request on Keycloak upstream: https://github.com/keycloak/keycloak/pull/7918
And created the corresponding issue https://issues.redhat.com/browse/KEYCLOAK-17685
Add an attribute mapper for generating an attribute based on the identifier released by the user's authenticating IdP and the identifier of that authenticating authority.
The generated identifiers should have the following form:
or, if a scope has been specified:
Mapper configuration parameters:

- `attribute`: A string to use as the name of the newly added attribute. Defaults to `subject-id`.
- `scope`: A string to use as the scope portion of the generated user identifier. There is no default scope value; however, you should consider scoping the generated attribute to create globally unique identifiers that can be used across infrastructures.
- `skip_authority_list`: Optional, an array of IdP entityIDs that should be excluded from the authority part of the user id source.
- `idp_tag_whitelist`: Optional, an array of IdP tags for which the auth process should be executed.
- `idp_tag_blacklist`: Optional, an array of IdP tags for which the auth process should not be executed.
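The following is an added, stand-alone example of the mapper's decision logic as described by the parameters above; it is not the hashed-id mapper's own code and not Keycloak code. The page does not show the identifier form, so the hash (SHA-256, hex), the `!` separator between authority and subject and the `@scope` suffix are assumptions, as are the `generate_subject_id`, `hash_source` and `collides_across_idps` names. It also shows the check a practitioner would want: including the IdP entityID in the hashed source keeps the same subject value at two different IdPs from mapping to one Keycloak identity, and `skip_authority_list` removes that protection for the listed IdPs.

```python
import hashlib
from typing import Iterable, Optional

# Assumed identifier form (the real mapper's form is not shown on this page):
#   sha256hex("<authority>!<subject>")            when no scope is configured
#   sha256hex("<authority>!<subject>")@<scope>    when a scope is configured
# If the authority is in skip_authority_list, only the subject is hashed.


def hash_source(source: str) -> str:
    """Hex SHA-256 of the identifier source string (assumed hash choice)."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def generate_subject_id(
    subject: str,
    authority: str,
    scope: Optional[str] = None,
    skip_authority_list: Iterable[str] = (),
    idp_tags: Iterable[str] = (),
    idp_tag_whitelist: Iterable[str] = (),
    idp_tag_blacklist: Iterable[str] = (),
) -> Optional[str]:
    """Return the generated attribute value, or None when the mapper must not
    run for this IdP because of idp_tag_whitelist / idp_tag_blacklist."""
    tags = set(idp_tags)
    blacklist = set(idp_tag_blacklist)
    whitelist = set(idp_tag_whitelist)

    # Blacklist is checked first: a blacklisted IdP never gets an identifier,
    # even if it also carries a whitelisted tag (ordering is an assumption).
    if tags & blacklist:
        return None
    # A non-empty whitelist restricts execution to IdPs carrying one of its tags;
    # an empty whitelist means "run for every IdP".
    if whitelist and not (tags & whitelist):
        return None
    if not subject:
        # Hashing an empty subject would give every such user the same identifier.
        raise ValueError("authenticating IdP released no subject identifier")

    if authority in set(skip_authority_list):
        source = subject
    else:
        # The IdP entityID is part of the source so that identical subject values
        # released by two different IdPs yield two different identifiers.
        source = f"{authority}!{subject}"

    hashed = hash_source(source)
    return f"{hashed}@{scope}" if scope else hashed


def collides_across_idps(subject: str, authorities: Iterable[str], **config) -> bool:
    """True if the same subject value at the given IdPs maps to fewer distinct
    identifiers than there are IdPs, i.e. two IdPs would share one user."""
    authorities = list(authorities)
    ids = {generate_subject_id(subject, a, **config) for a in authorities}
    return len(ids) < len(authorities)


if __name__ == "__main__":
    # Constructed sample input: two IdPs releasing the same subject value.
    idps = ["https://idp1.example.org", "https://idp2.example.org"]
    for idp in idps:
        print(idp, "->", generate_subject_id("alice", idp, scope="example.org"))
    print("collides with default config:", collides_across_idps("alice", idps))
    print("collides when both IdPs are skipped:",
          collides_across_idps("alice", idps, skip_authority_list=idps))
```

The last line of the demo is the caveat: listing an IdP in `skip_authority_list` makes the generated value depend on the released subject alone, so it is only safe when that subject is already globally unique.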