[keycloak-dev] passing SAML extensions and context to custom authenticators

Gideon Caranzo gideonray at gmail.com
Wed Jan 16 11:33:43 EST 2019


Hi All,

I'd like to propose a feature that allows custom authenticators to handle
SAML extensions, authentication context and other request attributes.

Right now in OIDC, all request claims are passed to custom authenticators
which allows for customized behavior depending on the claims.
However, this is not the case for SAML. Only attributes that are explicitly
set (e.g. NameID) in the auth session are passed to custom authenticators.

Information like SAML extensions and authentication context is not
available, which limits the ability to define custom behaviors. In the past,
we ran into a similar limitation and we had to update Keycloak core to add
support for the NameID attribute.

To solve this, we can have an optional hook that pre-processes the SAML login
request right before authentication. The hook can then extract the needed
attributes and set them accordingly for custom authenticators to process.

The pre-processing will be done in SamlService.BindingProtocol.loginRequest():

    public class SamlService extends AuthorizationEndpointBase {

        . . .

        public abstract class BindingProtocol {

            . . .

            protected Response loginRequest(String relayState,
                    AuthnRequestType requestAbstractType, ClientModel client) {

                . . .

                // Optional hook: if a preprocessor provider is registered, let it
                // copy SAML extensions / AuthnContext into the auth session first
                SamlAuthenticationPreprocessor preProcessor = session
                        .getProvider(SamlAuthenticationPreprocessor.class);

                if (preProcessor != null) {
                    preProcessor.process(requestAbstractType, authSession);
                }

                return newBrowserAuthentication(authSession,
                        requestAbstractType.isIsPassive(), redirectToAuthentication);
            }

            . . .
        }

        . . .
    }

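The following is an added example, not part of the proposal above or of Keycloak's own code, showing how the proposed hook and a custom authenticator would fit together. It assumes the SamlAuthenticationPreprocessor interface looks like the call site sketched above (a process(AuthnRequestType, AuthenticationSessionModel) method, plus close() since the hook is looked up through session.getProvider()); the package, class names, auth-note keys and the list of supported AuthnContext classes are all hypothetical. The preprocessor copies the requested AuthnContext class references and an Extensions marker into auth notes; the authenticator then refuses to issue an assertion for a context class the deployment cannot honestly claim, rather than silently downgrading.

```java
package example.saml;  // hypothetical package for this added example

import java.util.Arrays;
import java.util.List;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.dom.saml.v2.protocol.RequestedAuthnContextType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Implementation of the proposed SamlAuthenticationPreprocessor hook.
 * Assumed interface (not an existing Keycloak API at the time of the email):
 * process(AuthnRequestType, AuthenticationSessionModel) and close().
 * Copies the requested AuthnContext class references and an Extensions
 * marker into auth notes so any custom authenticator can read them.
 */
public class AuthnContextPreprocessor implements SamlAuthenticationPreprocessor {

    // Auth-note keys chosen for this example
    public static final String NOTE_AUTHN_CONTEXT_REFS = "saml.requested.authn.context";
    public static final String NOTE_HAS_EXTENSIONS = "saml.request.has.extensions";

    @Override
    public void process(AuthnRequestType request, AuthenticationSessionModel authSession) {
        RequestedAuthnContextType ctx = request.getRequestedAuthnContext();
        if (ctx != null && ctx.getAuthnContextClassRef() != null
                && !ctx.getAuthnContextClassRef().isEmpty()) {
            // Space-separated so an authenticator can split() it back into URIs
            authSession.setAuthNote(NOTE_AUTHN_CONTEXT_REFS,
                    String.join(" ", ctx.getAuthnContextClassRef()));
        }
        boolean hasExtensions = request.getExtensions() != null
                && request.getExtensions().getAny() != null
                && !request.getExtensions().getAny().isEmpty();
        authSession.setAuthNote(NOTE_HAS_EXTENSIONS, String.valueOf(hasExtensions));
    }

    @Override
    public void close() {
    }
}

/**
 * Custom authenticator consuming the notes above. Fails the flow when the SP
 * requested an AuthnContext class this deployment cannot truthfully assert.
 * The supported list is illustrative only.
 */
class EnforceRequestedAuthnContextAuthenticator implements Authenticator {

    private static final List<String> SUPPORTED_CLASSES = Arrays.asList(
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
            "urn:oasis:names:tc:SAML:2.0:ac:classes:Password");

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String refs = context.getAuthenticationSession()
                .getAuthNote(AuthnContextPreprocessor.NOTE_AUTHN_CONTEXT_REFS);
        if (refs == null) {
            // The SP expressed no preference, so there is nothing to enforce
            context.success();
            return;
        }
        boolean satisfiable = Arrays.stream(refs.split(" "))
                .anyMatch(SUPPORTED_CLASSES::contains);
        if (!satisfiable) {
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // No form is rendered, so there is no user action to handle
    }

    @Override
    public boolean requiresUser() {
        return false;
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
    }

    @Override
    public void close() {
    }
}
```

Both classes would still need the usual ProviderFactory registrations (META-INF/services entries) to be picked up by Keycloak; those are omitted here. Putting the extracted values into auth notes keeps the preprocessor independent of any particular authenticator, which is the same decoupling the proposal relies on.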

Let me know what you think. Thanks.

Best regards,
Gideon

