Hi Roland,
my apologies for late reply.
The aim is to keep AuthenticationSession small for performance reasons. I
understand that for your use case you need to store that data inside the
AuthSession. I'd be reluctant to unconditionally include the AuthnContext /
SAML Extensions into the AuthenticationSession because both the
performance, and I also suspect that this unconditional inclusion of
potentially huge data could be also exploited in attack with specially
crafted SAML message. Yet I wonder whether you would like to do that
conditionally?
There is a community request to add support for SAML document preprocessing
in [1]. Perhaps this could be the way to achieve your goal - to hook into
such a mechanism and store whatever needs to be stored in the
authentication session in a custom handler. Would that work for you?
--Hynek
[1]
https://issues.jboss.org/browse/KEYCLOAK-9936
On Mon, Jun 24, 2019 at 7:57 AM Roland <contributing.to.keycloak(a)gmail.com>
wrote:
Any remarks on this? Did anyone get the chance to take a look?
Stian?
Thanks!
Roland
---------- Forwarded message ---------
Von: Roland <contributing.to.keycloak(a)gmail.com>
Date: Mi., 19. Juni 2019 um 14:04 Uhr
Subject: Add SAML Extensions (and AuthContext) as another client note to
the AuthenticationSessionModel in SamlService
To: <keycloak-dev(a)lists.jboss.org>
Hello,
when a SAML Request is received in Keycloak, the method loginRequest in
abstract class BindingProtocol in class
org.keycloak.protocol.samlSamlService puts the information from the request
into the AuthenticationSessionModel in this section of code:
authSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL);
authSession.setRedirectUri(redirect);
authSession.setAction(
AuthenticationSessionModel.Action.AUTHENTICATE.name());
authSession.setClientNote(SamlProtocol.SAML_BINDING,
bindingType);
authSession.setClientNote(GeneralConstants.RELAY_STATE,
relayState);
authSession.setClientNote(SamlProtocol.SAML_REQUEST_ID,
requestAbstractType.getID());
What we are missing here is the SAML Extensions, which happen to be in the
SAML Request which we receive, and which we want to pass on to a brokered
external Identity Provider.
For example something like this:
ExtensionsType et = requestAbstractType.getExtensions();
List<Object> list = et.getAny();
<create some kind of String representation>
authSession.setAuthNote("SAML_EXTENSION", <the String
representation>);
In the same way we would also like access to the AuthContext through the
authSession.
I would offer to contribute this if the community approves the idea.
Thanks and Regards,
Roland
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev