Hi Gideon,
thanks for the idea. Something like that would be a useful enhancement. The
implementation would need to cover also the broker endpoint, other SAML
message types (extensions are part of message types other than AuthnRequest
as well), and count on several implementations of the hypothetical
SamlAuthenticationPreprocessor. Could you please file an "Enhancement" JIRA?
--Hynek
On Wed, Jan 16, 2019 at 5:49 PM Gideon Caranzo <gideonray(a)gmail.com> wrote:
Hi All,
I'd like to propose a feature that allows custom authenticators to handle
SAML extensions, authentication context and other request attributes.
Right now in OIDC, all request claims are passed to custom authenticators
which allows for customized behavior depending on the claims.
However, this is not the case for SAML. Only attributes that are explicitly
set (e.g. NameID) in the auth session are passed to custom authenticators.
Information like SAML extension and authentication context are not
available, which limits the ability to define custom behaviors. In the past,
we ran into a similar limitation and we had to update the Keycloak core to add
support for the NameID attribute.
To solve this, we can have an optional hook that pre-processes the SAML login
request right before authentication. The hook can then extract the needed
attributes and set them accordingly for custom authenticators to process.
The pre-processing will be done in SamlService.BindingProtocol.loginRequest():

public class SamlService extends AuthorizationEndpointBase {
    . . .
    public abstract class BindingProtocol {
        . . .
        protected Response loginRequest(String relayState,
                AuthnRequestType requestAbstractType, ClientModel client) {
            . . .
            // Optional hook: if a SamlAuthenticationPreprocessor provider is
            // registered, let it inspect the parsed AuthnRequest and set
            // whatever the custom authenticators need on the auth session.
            SamlAuthenticationPreprocessor preProcessor = session
                    .getProvider(SamlAuthenticationPreprocessor.class);
            if (preProcessor != null) {
                preProcessor.process(requestAbstractType, authSession);
            }
            // Unchanged: hand over to the browser authentication flow.
            return newBrowserAuthentication(authSession,
                    requestAbstractType.isIsPassive(), redirectToAuthentication);
        }
        . . .
    }
    . . .
}
Let me know what you think. Thanks.
Best regards,
Gideon
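A sketch of what one implementation of the proposed hook could look like, added here as an illustration; it is not code from this thread or from Keycloak. The SamlAuthenticationPreprocessor interface and its process(AuthnRequestType, AuthenticationSessionModel) signature are the hypothetical ones from the proposal, the auth-note key names and the ExtensionsToAuthNotePreprocessor class name are made up, and the provider-factory registration a real SPI needs is left out. AuthnRequestType, ExtensionsType, RequestedAuthnContextType, AuthenticationSessionModel and Provider are Keycloak's real types.

```java
// Added illustration of the hook proposed above; not code from the thread or from Keycloak.
import java.util.List;

import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.dom.saml.v2.protocol.ExtensionsType;
import org.keycloak.dom.saml.v2.protocol.RequestedAuthnContextType;
import org.keycloak.provider.Provider;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.w3c.dom.Element;

/** Hypothetical SPI from the proposal: called from BindingProtocol.loginRequest(). */
interface SamlAuthenticationPreprocessor extends Provider {
    void process(AuthnRequestType request, AuthenticationSessionModel authSession);
}

/**
 * Copies the requested authentication context and the <samlp:Extensions>
 * children of an AuthnRequest into auth notes, so that a custom Authenticator
 * can read them with context.getAuthenticationSession().getAuthNote(...).
 */
public class ExtensionsToAuthNotePreprocessor implements SamlAuthenticationPreprocessor {

    // Note keys are made up for this example; pick names your authenticators agree on.
    public static final String NOTE_AUTHN_CONTEXT_CLASS_REFS = "example.saml.authn-context-class-refs";
    public static final String NOTE_EXTENSION_PREFIX = "example.saml.extension.";

    @Override
    public void process(AuthnRequestType request, AuthenticationSessionModel authSession) {
        // Everything below originates from the service provider's request. Copy only
        // the specific pieces a downstream authenticator needs, and let that
        // authenticator decide what the values mean; the hook only makes them reachable.
        RequestedAuthnContextType ctx = request.getRequestedAuthnContext();
        if (ctx != null) {
            List<String> refs = ctx.getAuthnContextClassRef();
            if (refs != null && !refs.isEmpty()) {
                // Space-separated list, e.g. the PasswordProtectedTransport / MFA class URIs the SP asked for.
                authSession.setAuthNote(NOTE_AUTHN_CONTEXT_CLASS_REFS, String.join(" ", refs));
            }
        }

        ExtensionsType extensions = request.getExtensions();
        if (extensions == null || extensions.getAny() == null) {
            return;
        }
        for (Object any : extensions.getAny()) {
            // Extension content is arbitrary XML; only plain elements with text are exported here.
            if (!(any instanceof Element)) {
                continue;
            }
            Element element = (Element) any;
            String localName = element.getLocalName();
            String text = element.getTextContent();
            if (localName == null || text == null || text.trim().isEmpty()) {
                continue;
            }
            authSession.setAuthNote(NOTE_EXTENSION_PREFIX + localName, text.trim());
        }
    }

    @Override
    public void close() {
        // Nothing to release; the preprocessor holds no resources.
    }
}
```

With this in place, an authenticator in the browser flow reads the values through the auth session, e.g. `context.getAuthenticationSession().getAuthNote(ExtensionsToAuthNotePreprocessor.NOTE_AUTHN_CONTEXT_CLASS_REFS)`, which mirrors how request claims reach custom authenticators in the OIDC case. Because the notes are copied verbatim from the SP's AuthnRequest, the authenticator that consumes them should validate them against what it actually expects (for instance a fixed set of known class-ref URIs) rather than branching on them blindly.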
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev