My apologies for the late reply.
The aim is to keep AuthenticationSession small for performance reasons. I
understand that for your use case you need to store that data inside the
AuthSession. I'd be reluctant to unconditionally include the AuthnContext /
SAML Extensions in the AuthenticationSession, both because of the
performance and because I suspect that this unconditional inclusion of
potentially huge data could also be exploited in an attack with a specially
crafted SAML message. Yet I wonder whether you would like to do that
There is a community request to add support for SAML document preprocessing
in . Perhaps this could be the way to achieve your goal - to hook into
such a mechanism and store whatever needs to be stored in the
authentication session in a custom handler. Would that work for you?
On Mon, Jun 24, 2019 at 7:57 AM Roland <contributing.to.keycloak(a)gmail.com>
Any remarks on this? Did anyone get the chance to take a look?
---------- Forwarded message ---------
From: Roland <contributing.to.keycloak(a)gmail.com>
Date: Wed., 19 June 2019 at 14:04
Subject: Add SAML Extensions (and AuthContext) as another client note to
the AuthenticationSessionModel in SamlService
When a SAML Request is received in Keycloak, the method loginRequest in
the abstract class BindingProtocol in class
org.keycloak.protocol.saml.SamlService puts the information from the request
into the AuthenticationSessionModel in this section of code:
What we are missing here is the SAML Extensions, which happen to be in the
SAML Request which we receive, and which we want to pass on to a brokered
external Identity Provider.
For example something like this:
ExtensionsType et = requestAbstractType.getExtensions();
List<Object> list = et.getAny();
<create some kind of String representation>
authSession.setAuthNote("SAML_EXTENSION", <the String
In the same way we would also like access to the AuthContext through the
I would offer to contribute this if the community approves the idea.
Thanks and Regards,
keycloak-dev mailing list
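Added example, not code from this thread or from Keycloak itself: a bounded variant of the proposed setAuthNote call that addresses the size concern raised in the reply (a crafted request must not be able to bloat the authentication session). Assumed: the Keycloak DOM classes org.keycloak.dom.saml.v2.protocol.ExtensionsType / RequestAbstractType, the hypothetical helper name SamlExtensionsNote, and the MAX_NOTE_CHARS cap value.

```java
import java.io.StringWriter;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.keycloak.dom.saml.v2.protocol.ExtensionsType;
import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.w3c.dom.Element;

/** Hypothetical helper: stores the SAML Extensions as an auth note only when they are small. */
public final class SamlExtensionsNote {
    public static final String NOTE_NAME = "SAML_EXTENSION"; // note name from the proposal above
    public static final int MAX_NOTE_CHARS = 4096;           // assumed cap; tune per deployment

    private SamlExtensionsNote() {}

    /** Returns true if the note was stored, false if no extensions exist or they exceed the cap. */
    public static boolean storeExtensions(RequestAbstractType request,
                                          AuthenticationSessionModel authSession) throws Exception {
        ExtensionsType et = request.getExtensions();
        if (et == null || et.getAny() == null || et.getAny().isEmpty()) {
            return false;
        }
        StringBuilder sb = new StringBuilder();
        for (Object o : et.getAny()) {
            if (!(o instanceof Element)) {
                continue; // only DOM elements are serialized; anything else is ignored
            }
            String xml = serialize((Element) o);
            // Check the bound before touching the session so oversized input is rejected whole.
            if (sb.length() + xml.length() > MAX_NOTE_CHARS) {
                return false;
            }
            sb.append(xml);
        }
        authSession.setAuthNote(NOTE_NAME, sb.toString());
        return true;
    }

    /** Serializes one already-parsed DOM element to a compact XML string. */
    private static String serialize(Element el) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(el), new StreamResult(w));
        return w.toString();
    }
}
```

A caller that gets false back can log the rejection and continue the login without the note, which keeps the session bounded regardless of what the requesting SP sends.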