We also have a similar requirement for one of our customers. Your changes
make sense to me and I am hoping they get merged back so that we can
reuse them :)
Regards,
Muein
On Oct 6, 2016 1:11 PM, "rony joy" <ronyjoy(a)gmail.com> wrote:
We are proposing the following changes to the "loginRequest" method of
"org.keycloak.protocol.saml.SamlService":
+ Read the Subject/NameID value from the SAML request if it is not null.
+ Add it to the client session note under SamlProtocol.SAML_NAME_ID.
The code will look something like this:
// Read the Subject from the AuthnRequest, if the SP sent one.
SubjectType subject = requestAbstractType.getSubject();
if (subject != null) {
    SubjectType.STSubType subType = subject.getSubType();
    if (subType != null) {
        // Only a plain NameID is usable here; a BaseID or EncryptedID is skipped.
        BaseIDAbstractType baseID = subType.getBaseID();
        if (baseID instanceof NameIDType) {
            NameIDType nameID = (NameIDType) baseID;
            // Keep the value in the client session so a later authenticator can read it.
            clientSession.setNote(SamlProtocol.SAML_NAME_ID, nameID.getValue());
        }
    }
}
On Wed, Oct 5, 2016 at 7:45 AM rony joy <ronyjoy(a)gmail.com> wrote:
> We have a requirement to receive the username/email ID in the Subject/NameID
> field of the SAML request. Keycloak then receives that value in a custom
> authenticator and sends it to the token validator for the further flow. The
> idea here is to omit the step of asking the user for the username again if it
> is present in the SAMLRequest.
>
> 1. In Keycloak I don't see the NameID/BaseID/EncryptedID value from the SAML
> request being put in the client session. Why?
> 2. I can see that Keycloak is parsing the Subject/NameID field, but not
> adding it to the client session. Is there any reason for this?
>
> 3. I am willing to fork the repo and do the changes.
> 4. Please see our SAML request:
>
> Please let me know your suggestions and ideas.
> Rony Joy
>
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>     Destination="http://192.168.99.100:9980/auth/realms/saml-demo/protocol/saml"
>     ForceAuthn="false" ID="daakemmdhjmfajnhpljnckldjmcejllkffegibdj"
>     IsPassive="false" IssueInstant="2016-10-04T04:42:32.860Z" Version="2.0">
>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/employee-sig-idfirst/</saml2:Issuer>
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedI...:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     <ds:... Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>     <... URI="#daakemmdhjmfajnhpljnckldjmcejllkffegibdj">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>       <ds:DigestValue>R4HTkFdDm5tYqRLGb1Wh8QUwa0o=</ds:DigestValue>
>     </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>
>       IokRvOo8z3EES+85HvckmYYXQ/Q8DadiGHJdZmmYGpQ3VZW1MYnlBgeV
>       wc5Dx4wsNGvRPpAsNM7ij9qGhgLUORuqZshb4YFMMqqDTzg4SoHuq2Ol7jdX
>       o3x39hyZGKjoiC7qBxXbSml7j9UixL/7CescKvuh1xTSOBulsM4EefaY+
>       J7Ud8ZSEMaqfCk36OaWZwq+8Ss/aZ6p31oMKu9T2dGTW7DZY3mn4Fz0aVr3lYzkaJAOQ+
>       mMHOK8TDYlmZcc1e9l37KuKR3Z9dBawXdplHHD25vW/C0NnNfxbo90UTgN2kpDlhGSjrxW3Xp
>       vqEpEaF3DwR9Q40iD3M0+su6ZXg==
>     </ds:SignatureValue>
>     <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
>       MIIC5TCCAc0CBgFWTDcTwDANBgkqhkiG9w0BAQsFADA2MTQwMgYDVQQDDCtodHRwOi8vbG9jYWxo
>       b3N0OjgwODAvZW1wbG95ZWUtc2lnLWlkZmlyc3QvMB4XDTE2MDgwMjE3MDMxM1oXDTI2MDgwMjE3
>       MDQ1M1owNjE0MDIGA1UEAwwraHR0cDovL2xvY2FsaG9zdDo4MDgwL2VtcGxveWVlLXNpZy1pZGZp
>       cnN0LzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9BGbuxabZxnZdlT8UwWZmT4537
>       zduU08apai2E3m3/xJNEKU5gcufLlYXzAoHNGvoX1j+GowKjv+Z0uypJLpFoyE9tj+ng15sO5QfE
>       EK5L7K0yl3W3s4AeNue6YTQjeuL0DoFVj2hUcMEZpd7gjLp/aVzk/9Rx53kIJpEOt9Y1RHql+vW2
>       hIeq9Qap2qkOzjPN85257hqCylfhfk7z7xgMDA6EUalU+QCMecsqEr2FDfUtE1qHPAJTMHmjK8DC
>       4PjtnkLroPSaUoJ1YxJtCcw1vzOrDbSsMW2J6GBtkzNMkRIJIZCqCus4C9MtAVE8hlgSAZSzwN6S
>       FVIj/pgYAscCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAKtrEjO1MWXxQGx6dD4Ogw9fcJfjXVlY0
>       lsis1s7hxeaqYHZSAtNWTkFp7JltaPp6VFmBs7hPSJUvPo7z13rP+0KuoEht+VgiFlceWFNUN5ur
>       tYskQoN+sQ1V8Z6u/vku6fwVOQm9YpS7Nn582A2nBL4IdgCMYhpPPfN39yV24yWpv4VTrOG1q3pj
>       yc1IHCU+ooP8pa64gXt0T/HRRCnm+CWgwYSrhdYYG0rYxAdKQ5GhkfRhR2rx2kOgHIuxZ4e2kVla
>       x9zQ9fuBtDn6u4VdzoikJUiEYxt4Sb4YfvgchU1Sk4G0Y+K2oP5dPMemdsZMWqzzvrSNQrebPgsB
>       KYpXxA==
>     </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
>   </ds:Signature>
>   *<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>     <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">username</saml2:NameID>
>   </saml2:Subject>*
>   <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
> </saml2p:AuthnRequest>
>
>
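Added example, not code from this thread or from Keycloak: the same Subject/NameID extraction the proposed loginRequest change performs on Keycloak's object model, done in plain Python over the raw AuthnRequest XML so it can be run and tested stand-alone. The sample request is constructed here, modelled on the one quoted above, with placeholder digest and signature values; the note key string "SAML_NAME_ID" and the 255-character cap are assumptions made for this example. It also carries the caveat a practitioner wants: a NameID in an AuthnRequest is only what the SP claims, so it is a prefill for the username step and never a reason to skip authentication, and the request's own signature (which Keycloak verifies only when the client is configured to require signed requests) is what stops it being edited in the browser.

```python
"""Pull the Subject/NameID "hint" out of a SAML 2.0 AuthnRequest.

Added example for the keycloak-dev thread, not Keycloak code.  The NameID
inside an AuthnRequest is the SP's unauthenticated claim about who is logging
in: prefill the username step with it, never skip authentication on it.
"""
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Note key as named in the thread (SamlProtocol.SAML_NAME_ID); the string
# value and the length cap are assumptions made for this example.
SAML_NAME_ID_NOTE = "SAML_NAME_ID"
MAX_NAME_ID_LEN = 255


def extract_name_id_hint(authn_request_xml: bytes) -> Optional[dict]:
    """Return {"value", "format"} for Subject/NameID, or None.

    None when there is no Subject, when the Subject carries a BaseID or an
    EncryptedID instead of a plain NameID (the proposed change also only
    handles NameIDType), or when the value is empty or oversized.
    """
    root = ET.fromstring(authn_request_xml)  # stdlib expat: no external entities
    if root.tag != "{%s}AuthnRequest" % NS["saml2p"]:
        raise ValueError("not a saml2p:AuthnRequest")
    subject = root.find("saml2:Subject", NS)
    if subject is None:
        return None
    name_id = subject.find("saml2:NameID", NS)
    if name_id is None:
        return None  # BaseID / EncryptedID: nothing usable in the clear
    value = (name_id.text or "").strip()
    if not value or len(value) > MAX_NAME_ID_LEN:
        return None
    return {"value": value, "format": name_id.get("Format", UNSPECIFIED)}


def signature_reference_matches(authn_request_xml: bytes) -> bool:
    """True if an enveloped ds:Signature references this request's own ID.

    Structural check only; it does NOT verify the signature.  Without a
    verified request signature the Subject hint can be altered in the
    browser on its way to the IdP.
    """
    root = ET.fromstring(authn_request_xml)
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    request_id = root.get("ID")
    return (ref is not None and request_id is not None
            and ref.get("URI") == "#" + request_id)


def client_session_notes(authn_request_xml: bytes) -> dict:
    """The client-session note the proposed change would set, if any."""
    hint = extract_name_id_hint(authn_request_xml)
    return {SAML_NAME_ID_NOTE: hint["value"]} if hint else {}


# Constructed sample, modelled on the request quoted in the thread.
# Digest and signature values are placeholders, not a real signature.
_HEAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="daakemmdhjmfajnhpljnckldjmcejllkffegibdj" Version="2.0"
    IssueInstant="2016-10-04T04:42:32.860Z"
    Destination="http://192.168.99.100:9980/auth/realms/saml-demo/protocol/saml">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/employee-sig-idfirst/</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#daakemmdhjmfajnhpljnckldjmcejllkffegibdj">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>placeholder=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder=</ds:SignatureValue>
  </ds:Signature>
"""
_SUBJECT = b"""  <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">username</saml2:NameID>
  </saml2:Subject>
"""
_ENCRYPTED_SUBJECT = b"""  <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml2:EncryptedID>
  </saml2:Subject>
"""
_TAIL = b"""  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
"""
SAMPLE_REQUEST = _HEAD + _SUBJECT + _TAIL
SAMPLE_REQUEST_NO_SUBJECT = _HEAD + _TAIL
SAMPLE_REQUEST_ENCRYPTED_ID = _HEAD + _ENCRYPTED_SUBJECT + _TAIL

if __name__ == "__main__":
    print(client_session_notes(SAMPLE_REQUEST))             # {'SAML_NAME_ID': 'username'}
    print(client_session_notes(SAMPLE_REQUEST_NO_SUBJECT))  # {}
    print(signature_reference_matches(SAMPLE_REQUEST))      # True
```

The three sample variants cover the cases the proposal's null checks are there for: a plain NameID, no Subject at all, and a Subject carrying an EncryptedID, which cannot be used as a prefill because nothing is readable in the clear.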
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev