[keycloak-dev] passing SAML extensions and context to custom authenticators

Hynek Mlnarik hmlnarik at redhat.com
Thu Jan 24 02:58:07 EST 2019


Hi Gideon,

thanks for the idea. Something like that would be a useful enhancement. The
implementation would need to cover also the broker endpoint, other SAML
message types (extensions are part of message types other than AuthnRequest
as well), and count on several implementations of the hypothetical
SamlAuthenticationPreprocessor. Could you please file an "Enhancement" JIRA?

--Hynek

On Wed, Jan 16, 2019 at 5:49 PM Gideon Caranzo <gideonray at gmail.com> wrote:

> Hi All,
>
> I'd like to propose a feature that allows custom authenticators to handle
> SAML extensions, authentication context and other request attributes.
>
> Right now in OIDC, all request claims are passed to custom authenticators
> which allows for customized behavior depending on the claims.
> However, this is not the case for SAML. Only attributes that are explicitly
> set (e.g. NameID) in the auth session are passed to custom authenticators.
>
> Information like SAML extensions and authentication context are not
> available, which limits the ability to define custom behaviors. In the past,
> we ran into a similar limitation and we had to update keycloak core to add
> support for the NameID attribute.
>
> To solve this, we can have an optional hook that pre-processes the SAML login
> request right before authentication. The hook can then extract the needed
> attributes and set them accordingly for custom authenticators to process.
>
> The pre-processing will be done in
> SamlService.BindingProtocol.loginRequest():
>
> public class SamlService extends AuthorizationEndpointBase {
>
>     . . .
>
>     public abstract class BindingProtocol {
>
>         . . .
>
>         protected Response loginRequest(String relayState,
>                 AuthnRequestType requestAbstractType, ClientModel client) {
>
>             . . .
>
>             // Optional hook: look up a SamlAuthenticationPreprocessor provider,
>             // if one is deployed, and let it populate the auth session
>             SamlAuthenticationPreprocessor preProcessor = session
>                     .getProvider(SamlAuthenticationPreprocessor.class);
>
>             if (preProcessor != null) {
>                 preProcessor.process(requestAbstractType, authSession);
>             }
>
>             return newBrowserAuthentication(authSession,
>                     requestAbstractType.isIsPassive(), redirectToAuthentication);
>         }
>
>         . . .
>     }
> }
>
> Let me know what you think. Thanks.
>
> Best regards,
> Gideon
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
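As an illustration of what a provider for the hook proposed above could look like, here is an added example (not code from the thread or from Keycloak): the hook interface `SamlAuthenticationPreprocessor`, the class `ContextCopyingPreprocessor` and the note names are hypothetical; the `AuthnRequestType`, `ExtensionsType`, `RequestedAuthnContextType` and `AuthenticationSessionModel` types are Keycloak's own (saml-core and server-spi). It copies the requested AuthnContext class references and the names of the `<samlp:Extensions>` child elements into auth-session client notes, where a custom `Authenticator` can read them with `getClientNote()`.

```java
package example.saml;

import java.util.List;
import java.util.stream.Collectors;

import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.dom.saml.v2.protocol.ExtensionsType;
import org.keycloak.dom.saml.v2.protocol.RequestedAuthnContextType;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.w3c.dom.Element;

/** Hypothetical hook interface as proposed in the thread (not part of Keycloak). */
interface SamlAuthenticationPreprocessor {
    void process(AuthnRequestType request, AuthenticationSessionModel authSession);
}

/** Hypothetical implementation: exposes request context to custom authenticators via client notes. */
public class ContextCopyingPreprocessor implements SamlAuthenticationPreprocessor {

    // Note names are assumptions; an authenticator reads them with authSession.getClientNote(...)
    public static final String NOTE_AUTHN_CONTEXT = "saml.requested_authn_context";
    public static final String NOTE_EXTENSION_NAMES = "saml.extension_names";

    @Override
    public void process(AuthnRequestType request, AuthenticationSessionModel authSession) {
        // Everything copied here originates in the SP's request. An authenticator
        // should compare these values against an allow-list (e.g. the AuthnContext
        // classes it actually supports) rather than act on them verbatim.
        RequestedAuthnContextType rac = request.getRequestedAuthnContext();
        if (rac != null && rac.getAuthnContextClassRef() != null) {
            List<String> refs = rac.getAuthnContextClassRef();
            authSession.setClientNote(NOTE_AUTHN_CONTEXT, String.join(" ", refs));
        }

        ExtensionsType ext = request.getExtensions();
        if (ext != null && ext.getAny() != null) {
            // Only the element names are recorded; the element bodies stay in the
            // request so authenticators that need them can parse them explicitly.
            String names = ext.getAny().stream()
                    .filter(o -> o instanceof Element)
                    .map(o -> (Element) o)
                    .map(e -> "{" + e.getNamespaceURI() + "}" + e.getLocalName())
                    .collect(Collectors.joining(" "));
            authSession.setClientNote(NOTE_EXTENSION_NAMES, names);
        }
    }
}
```

Registering the class would additionally need a provider factory and SPI declaration, which this example omits since the SPI itself is what the thread proposes.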

