(This is a duplicate of User profile is not populated on first login via SAML · keycloak/keycloak · Discussion #29478 · GitHub since I got no response there)
We are setting up a Keycloak to use ADFS (SAML) as an Identity Provider (we actually only need OpenID Connect but couldn't get the green light to connect to ADFS directly, so we are using Keycloak as a broker).
I set up a new realm and got authentication working just fine. I configured the following mappers of type "Attribute Importer" for the identity provider, which looks straightforward:
https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress -> email
https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname -> firstName
https://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname -> lastName
None of these attributes show up in the first login registration form.
Username gets populated correctly (probably via Name ID). I used a SAML tracer plugin to verify that the claims are sent back by ADFS correctly and copy-pasted the attribute names from there to the mappers.
I also tried to set Sync mode override to Force - no change.
I'm using a dockerized Keycloak version, currently 24.0.4 (image from quay.io), which I just updated from 20.0.
Any howto (and the documentation) I could find online just mentions these attribute mappers, nothing else to configure anywhere else in Keycloak. But it just doesn’t work.
Where should I look next?
My goal is to just import all required profile fields via SAML.
Thank you for any hints!
Hey,
check in your identity provider configuration if your NameID policy format is matching the issued claim from AD FS.
For me this scenario works fine with "unspecified".
Here are my ADFS claim rules:
@RuleTemplate = "MapClaims"
@RuleName = "TR E-Mail Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Multivalue"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
In Keycloak I got 4 matching mappers:
- username (Type=Username Template Importer)
a) Template: ${NAMEID}
b) Target: Local
- lastName (Type=Attribute Importer)
a) Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
b) Name Format: ATTRIBUTE_FORMAT_UNSPECIFIED
c) User Attribute Name: lastName
- firstName (Type=Attribute Importer)
a) Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
b) Name Format: ATTRIBUTE_FORMAT_UNSPECIFIED
c) User Attribute Name: firstName
- email (Type=Attribute Importer)
a) Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
b) Name Format: ATTRIBUTE_FORMAT_UNSPECIFIED
c) User Attribute Name: email
Hi ghost1nA5h3ll,
thank you for your suggestions. NameID is working as expected (the username field is filled correctly). I'm using Persistent as the NameID format, by the way; ADFS is configured accordingly.
Changing the Name Format in the attribute importer to ATTRIBUTE_FORMAT_UNSPECIFIED seemed to have done the trick!
By the way: it looks like changes to attribute mappers only take effect once you hit Save on the Identity Provider itself.
Thank you very much, it’s working now!
Tino.
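The following is an added example, not code from Keycloak or from either poster, that shows why the Name Format setting matters when an Attribute Importer is matched against what ADFS actually sends. It relies on one fact from the SAML 2.0 Core spec (section 2.7.3.1): when an Attribute element carries no NameFormat, the format urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified is in effect, and ADFS claim rules like the "LDAP Multivalue" rule above emit the claim-type URI as the Name without a NameFormat. The matching rule in the code (Name or FriendlyName must be equal and the NameFormat must be equal) is this example's own assumption about how a strict importer behaves; it has not been checked against Keycloak's implementation. The assertion fragment, the user values and the function names (parse_attributes, import_profile, diagnose) are constructed for illustration. The diagnose helper also flags a second thing worth checking in this thread: the opening post lists the claim types with https:// while the working mappers in the answer use http://, and an exact string comparison treats those as different attributes.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SAML 2.0 attrname-format URIs, keyed by the labels the Keycloak mapper UI shows.
NAME_FORMATS = {
    "ATTRIBUTE_FORMAT_BASIC": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    "ATTRIBUTE_FORMAT_URI": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "ATTRIBUTE_FORMAT_UNSPECIFIED": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
}
UNSPECIFIED = NAME_FORMATS["ATTRIBUTE_FORMAT_UNSPECIFIED"]

# Constructed sample (not a real capture): the attribute statement the
# "LDAP Multivalue" rule produces. Names are claim-type URIs, no NameFormat.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">tino@example.org</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>tino@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Tino</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

CLAIMS = "schemas.xmlsoap.org/ws/2005/05/identity/claims/"


def mappers(scheme, name_format_label):
    """Build the three Attribute Importer configs from the thread with a given
    URI scheme for the claim types and a given Name Format label."""
    return [
        {"attribute_name": f"{scheme}://{CLAIMS}emailaddress", "name_format": name_format_label, "user_attribute": "email"},
        {"attribute_name": f"{scheme}://{CLAIMS}givenname", "name_format": name_format_label, "user_attribute": "firstName"},
        {"attribute_name": f"{scheme}://{CLAIMS}surname", "name_format": name_format_label, "user_attribute": "lastName"},
    ]


# As in the accepted answer: http:// claim types and ATTRIBUTE_FORMAT_UNSPECIFIED.
FIXED_MAPPERS = mappers("http", "ATTRIBUTE_FORMAT_UNSPECIFIED")


def parse_attributes(assertion_xml):
    """Extract the assertion's attributes. A missing NameFormat is treated as
    'unspecified', which is what SAML 2.0 Core 2.7.3.1 prescribes."""
    root = ET.fromstring(assertion_xml)
    out = []
    for el in root.findall("./saml:AttributeStatement/saml:Attribute", SAML_NS):
        out.append({
            "name": el.get("Name") or "",
            "friendly_name": el.get("FriendlyName"),
            "name_format": el.get("NameFormat") or UNSPECIFIED,
            "values": [v.text or "" for v in el.findall("saml:AttributeValue", SAML_NS)],
        })
    return out


def match_attribute(attrs, attribute_name, name_format_label):
    """Strict matching (an assumption of this example, not verified Keycloak
    behaviour): Name or FriendlyName equal AND NameFormat equal."""
    wanted_format = NAME_FORMATS[name_format_label]
    for a in attrs:
        if attribute_name in (a["name"], a["friendly_name"]) and a["name_format"] == wanted_format:
            return a["values"]
    return []


def import_profile(assertion_xml, mapper_list):
    """Apply the importer configs and return the profile fields that would be
    pre-filled on the first-login form."""
    attrs = parse_attributes(assertion_xml)
    profile = {}
    for m in mapper_list:
        values = match_attribute(attrs, m["attribute_name"], m["name_format"])
        if values:
            profile[m["user_attribute"]] = values[0]
    return profile


def diagnose(assertion_xml, mapper):
    """Explain why one mapper imported nothing: a Name mismatch (including an
    http/https scheme difference) or a NameFormat mismatch."""
    attrs = parse_attributes(assertion_xml)
    by_name = [a for a in attrs if mapper["attribute_name"] in (a["name"], a["friendly_name"])]
    if not by_name:
        wanted = mapper["attribute_name"].split("://", 1)[-1]
        if any(a["name"].split("://", 1)[-1] == wanted for a in attrs):
            return "name differs only in URI scheme (http vs https)"
        return "no attribute with that Name or FriendlyName"
    seen = ", ".join(sorted({a["name_format"] for a in by_name}))
    return f"NameFormat mismatch: mapper wants {NAME_FORMATS[mapper['name_format']]}, assertion has {seen}"


if __name__ == "__main__":
    print("fixed  :", import_profile(SAMPLE_ASSERTION, FIXED_MAPPERS))
    for bad in (mappers("https", "ATTRIBUTE_FORMAT_UNSPECIFIED"), mappers("http", "ATTRIBUTE_FORMAT_URI")):
        print("broken :", import_profile(SAMPLE_ASSERTION, bad), "->", diagnose(SAMPLE_ASSERTION, bad[0]))
```

Run against the constructed assertion, only the http:// names combined with ATTRIBUTE_FORMAT_UNSPECIFIED fill all three fields; the https:// names import nothing because of the scheme, and any other Name Format imports nothing because ADFS sent no NameFormat at all. A SAML tracer capture of the real Response is the input to feed into parse_attributes when checking a live setup.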