[keycloak-dev] passing SAML extensions and context to custom authenticators

Hi All, I'd like to propose a feature that allows custom authenticators to handle SAML extensions, authentication context and other request attributes. Right now in OIDC, all request claims are passed to custom authenticators which allows for customized behavior depending on the claims. However, this is not the case for SAML. Only attributes that are explicitly set (e.g. NameID) in the auth session are passed to custom authenticators. Information like SAML extension and authentication context are not available which limits the ability to define custom behaviors. In the past, we ran into similar limitation and we had to update keycloak core to add support for NameID attribute. To solve this, we can have an optional hook that pre-process SAML login request right before authentication. The hook can then extract the needed attributes and set it accordingly for custom authenticators to process. The pre-processing will be done in *SamlService.BindingProtocol.loginRequest()*: *public* *class* SamlService *extends* AuthorizationEndpointBase { *. . .* *public* *abstract* *class* BindingProtocol { . . . *protected* Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) { . . . SamlAuthenticationPreprocessor preProcessor = session .getProvider(SamlAuthenticationPreprocessor.*class*); *if* (preProcessor != *null*) { preProcessor.process(requestAbstractType, authSession); } *return* newBrowserAuthentication(authSession, requestAbstractType.isIsPassive(), redirectToAuthentication); } Let me know what you think. Thanks. Best regards, Gideon