SAML login with custom UserStorageProvider - Error on login - ReadOnlyException: user is read only for this update

[10101010101010001]

Hi. Thanks to @dasniko, Bill Burke, countless others, I'm closer than before to having a working UserStorageProvider for authenticating users an external database. I took some code from keycloak-quickstart user-storage-jpa and user-storage project here to get the code working.

I'm trying to authenticate via SAML. When I try to login using this custom UserStorageProvider I am getting an error when setting an attribute, saml.persistent.name.id.for.<client_id> which I read should be read-only.

Partial Stack:
2022-12-19 14:47:07,199 WARN [org.keycloak.services] (executor-thread-3) KC-SERVICES0013: Failed authentication: org.keycloak.storage.ReadOnlyException: user is read only for this update at org.keycloak.storage.adapter.AbstractUserAdapter.setSingleAttribute(AbstractUserAdapter.java:313)

However when I tried to add this attribute with a random UUID, like shown below, I get forbidden when I successfully have logged in.

attributes.add("saml.persistent.name.id.for." + this.session.getContext().getClient().getBaseUrl(), "G-" + java.util.UUID.randomUUID().toString());

How can I fix this?

Please help, thank you, happy holidays.

[10101010101010001]

I see, I can't use this.session.getContext().getClient().getBaseUrl() when adding the attribute. I figured this out when I tried to view a user in keycloak I get a nullpointerexception because there is no client at this time.

I was able to authenticate to the service after I hardcoded the client_id, forbidden issue resolved. I would hardcode the client_id however I have hundreds of apps and when I try to authenticate to my other apps I get Failed authentication: org.keycloak.storage.ReadOnlyException: user is read only for this update.

Do I need to "extends AbstractSAMLProtocolMapper implements SAMLAttributeStatementMapper" to get my saml.persistence.name.id to be dynamic based on the client_id from KeycloakSession or is there a better way I could do this?

Thank you.

[10101010101010001]

Adding the transformAttributeStatement and setting the saml.persistence.name.id.for resulted in the same error as before, ReadOnlyException. I also tried setting saml.persistent.name.id.for.https://domain/*/ where * is the webapp name which also didn't work. Thanks.

[10101010101010001]

I figured it out. Everything works great. Thanks.

    try {
        if (this.session.getContext() != null)
          if (this.session.getContext().getClient() != null)
            if (this.session.getContext().getClient().getBaseUrl() != null)
              attributes.add("saml.persistent.name.id.for." + this.session.getContext().getClient().getBaseUrl(), "G-" + java.util.UUID.randomUUID().toString());
    } catch (java.lang.NullPointerException n){
        logger.debugf("NullPointerException Occured: {}", n);
    }

[dasniko]

The ReadOnlyException occurs, because the implementation of the UserAdapter is a read-only impl. If you need a different behavior, you'll need to extend another abstract class or implement everything on your own.