[keycloak-user] Keycloak SAML IdP and URL parameter

Dmitry Telegin dt at acutus.pro
Tue Nov 20 07:04:43 EST 2018


Hello Sud,

On Mon, 2018-11-19 at 15:55 -0500, Sud Ramasamy wrote:
> Thanks. This is a handy little tip to use the JS Authenticators.
> 
> We found another way accomplish this using a JAX-RS feature to parse the custom URL parameter out in the first request and stuff it into the context where we could retrieve it from in the second request processing flow. Please let me know if for any reason this is approach is discouraged.

In fact I was thinking about something similar, but with servlet filter rather than JAX-RS feature. Your solution seems even better. Do you register a JAX-RS interceptor on SamlService endpoint and push the extracted parameter into a session context?

Dmitry

> 
> Regards
> -sud
> 
> 
> 
> 
> > On November 19, 2018 at 2:52:05 PM, Dmitry Telegin (dt at acutus.pro) wrote:
> 
> Hello Sud,  
> 
> Please check out this thread:  
> http://lists.jboss.org/pipermail/keycloak-user/2018-November/016228.html  
> 
> The problem under discussion is almost identical to yours, with the only exception being OIDC instead of SAML. But I believe the general principle (fishing request parameters out of the Referer header) remains the same.  
> 
> Another question: is it possible to use SAML RelayState to pass the same parameter? Custom authenticators have direct access to that field via client session note with the same name ("RelayState"), which could let you avoid the hacks like above.  
> 
> Cheers,  
> Dmitry Telegin  
> CTO, Acutus s.r.o.  
> Keycloak Consulting and Training  
> 
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic  
> +42 (022) 888-30-71  
> > E-mail: info at acutus.pro  
> 
> On Fri, 2018-11-16 at 09:47 -0500, Sud Ramasamy wrote:  
> > Hi,  
> >  
> > We are using Keycloak as a SAML IdP and have plugged in a custom authenticator to handle the browser flow. The authenticator relies on a custom URL parameter that is present in the initial SAML Authn request to Keycloak.   
> >  
> > We found that when the Keycloak SAML IdP receives a SAML Authn request (which also contains our custom URL parameter) it exchanges that request with a code and redirects the browser to itself at which point the control reaches our custom authenticator. This redirect causes our custom URL parameter from the initial request to not be available to our custom authenticator. Is there anyway to propagate our custom URL parameter to this second request and thereby have it available to our custom authenticator.  
> >  
> > Thanks in advance for your help.  
> >  
> > Regards  
> > -sud   
> > _______________________________________________  
> > keycloak-user mailing list  
> > keycloak-user at lists.jboss.org  
> > https://lists.jboss.org/mailman/listinfo/keycloak-user  
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


More information about the keycloak-user mailing list