Hi,
I'd like to bring up this topic again about adding support for preprocessing SAML
requests to allow handling of SAML extensions, authentication context and other request
attributes.
I submitted a JIRA ticket and PR 4 months ago
(https://issues.jboss.org/browse/KEYCLOAK-9936).
What do you think about the proposed solution? Please let me know if you have other ideas,
I'll be happy to work on this enhancement.
Best regards,
Gideon
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org [mailto:keycloak-dev-bounces@lists.jboss.org]
On Behalf Of Caranzo Gideon
Sent: Wednesday, January 30, 2019 3:10 PM
To: Hynek Mlnarik <hmlnarik(a)redhat.com>
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: Re: [keycloak-dev] passing SAML extensions and context to custom authenticators
Hi Hynek,
Thank you for your response. Yes, I agree with you. It would be good to have this
mechanism in those areas as well.
I already have a PR ready for just the SAML login portion. Is it fine with you if I submit
this first so that we can use it as early as possible? We can create a separate ticket to
implement a similar mechanism for the other SAML messages and the broker endpoint, which can
be done in the near future.
Thanks,
Gideon
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org [mailto:keycloak-dev-bounces@lists.jboss.org]
On Behalf Of Hynek Mlnarik
Sent: Thursday, January 24, 2019 1:58 AM
To: Gideon Caranzo <gideonray(a)gmail.com>
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: Re: [keycloak-dev] passing SAML extensions and context to custom authenticators
Hi Gideon,
thanks for the idea. Something like that would be a useful enhancement. The implementation
would also need to cover the broker endpoint, other SAML message types (extensions are
part of message types other than AuthnRequest as well), and count on several
implementations of the hypothetical SamlAuthenticationPreprocessor. Could you please file
an "Enhancement" JIRA?
--Hynek
On Wed, Jan 16, 2019 at 5:49 PM Gideon Caranzo <gideonray(a)gmail.com> wrote:
Hi All,
I'd like to propose a feature that allows custom authenticators to
handle SAML extensions, authentication context and other request attributes.
Right now in OIDC, all request claims are passed to custom
authenticators which allows for customized behavior depending on the claims.
However, this is not the case for SAML. Only attributes that are
explicitly set (e.g. NameID) in the auth session are passed to custom authenticators.
Information like SAML extensions and authentication context is not
available, which limits the ability to define custom behaviors. In the
past, we ran into a similar limitation and had to update the Keycloak
core to add support for the NameID attribute.
To solve this, we can have an optional hook that pre-processes the SAML
login request right before authentication. The hook can then extract
the needed attributes and set them accordingly for custom authenticators to process.
The pre-processing will be done in
SamlService.BindingProtocol.loginRequest():

    public class SamlService extends AuthorizationEndpointBase {
        // ...
        public abstract class BindingProtocol {
            // ...
            protected Response loginRequest(String relayState,
                                            AuthnRequestType requestAbstractType, ClientModel client) {
                // ...
                // Optional hook: look up a SamlAuthenticationPreprocessor provider and, if one
                // is configured, let it inspect the AuthnRequest and populate the auth session
                // before the browser authentication flow starts.
                SamlAuthenticationPreprocessor preProcessor = session
                        .getProvider(SamlAuthenticationPreprocessor.class);
                if (preProcessor != null) {
                    preProcessor.process(requestAbstractType, authSession);
                }
                return newBrowserAuthentication(authSession,
                        requestAbstractType.isIsPassive(), redirectToAuthentication);
            }
Let me know what you think. Thanks.
Best regards,
Gideon
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
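To make the proposal above concrete, here is an added example (written for this thread, not code from the original post or from Keycloak itself) of what a SamlAuthenticationPreprocessor implementation and a consuming authenticator could look like. The preprocessor interface is shaped after the hypothetical one in the snippet and is not Keycloak's shipped SPI; the package, class and auth-note names are assumptions. The imported Keycloak types (AuthnRequestType, RequestedAuthnContextType, ExtensionsType, AuthenticationSessionModel, Authenticator) are real. Everything the hook copies comes straight from the client's request, so the example records only the names of extension elements rather than their payloads, bounds note sizes, and lets the authenticator fail closed when an "exact" RequestedAuthnContext asks for a class the realm cannot satisfy.

```java
// Added example, not Keycloak code: package, class and note names are hypothetical.
package org.example.saml;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.dom.saml.v2.protocol.ExtensionsType;
import org.keycloak.dom.saml.v2.protocol.RequestedAuthnContextType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.Provider;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.w3c.dom.Element;

public final class SamlRequestContextExample {

    // Auth-note keys shared by the preprocessor and the authenticator (example names).
    public static final String NOTE_AUTHN_CONTEXT_CLASSES = "saml.requested.authn_context_classes";
    public static final String NOTE_AUTHN_CONTEXT_COMPARISON = "saml.requested.authn_context_comparison";
    public static final String NOTE_EXTENSION_ELEMENTS = "saml.request.extension_elements";
    // Bound what a client can push into the session store through its own request.
    private static final int MAX_NOTE_LENGTH = 1024;

    /** Hypothetical SPI shaped after the thread's proposal; not Keycloak's shipped interface. */
    public interface SamlAuthenticationPreprocessor extends Provider {
        void process(AuthnRequestType request, AuthenticationSessionModel authSession);
    }

    /** Captures RequestedAuthnContext and the names of Extensions children as auth notes. */
    public static final class ContextCapturingPreprocessor implements SamlAuthenticationPreprocessor {
        @Override
        public void process(AuthnRequestType request, AuthenticationSessionModel authSession) {
            RequestedAuthnContextType rac = request.getRequestedAuthnContext();
            if (rac != null) {
                List<String> refs = rac.getAuthnContextClassRef();
                if (refs != null && !refs.isEmpty()) {
                    authSession.setAuthNote(NOTE_AUTHN_CONTEXT_CLASSES, bounded(String.join(" ", refs)));
                }
                if (rac.getComparison() != null) {
                    // Stored in the enum's string form (e.g. "EXACT"); compared case-insensitively below.
                    authSession.setAuthNote(NOTE_AUTHN_CONTEXT_COMPARISON, String.valueOf(rac.getComparison()));
                }
            }
            ExtensionsType ext = request.getExtensions();
            if (ext != null && ext.getAny() != null) {
                List<String> names = new ArrayList<>();
                for (Object child : ext.getAny()) {
                    if (child instanceof Element) { // record qualified element names only, never raw payloads
                        Element e = (Element) child;
                        names.add("{" + e.getNamespaceURI() + "}" + e.getLocalName());
                    }
                }
                if (!names.isEmpty()) {
                    authSession.setAuthNote(NOTE_EXTENSION_ELEMENTS, bounded(String.join(" ", names)));
                }
            }
        }

        @Override
        public void close() { }

        private static String bounded(String s) {
            return s.length() <= MAX_NOTE_LENGTH ? s : s.substring(0, MAX_NOTE_LENGTH);
        }
    }

    /**
     * Authenticator honouring an "exact" RequestedAuthnContext: if the SP insists on a class
     * this realm cannot provide, the flow fails instead of silently issuing a weaker assertion.
     */
    public static final class AuthnContextGateAuthenticator implements Authenticator {
        // Class refs this deployment actually satisfies (example values; configure per realm).
        private static final Set<String> SUPPORTED = new HashSet<>(Arrays.asList(
                "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
                "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"));

        @Override
        public void authenticate(AuthenticationFlowContext context) {
            AuthenticationSessionModel s = context.getAuthenticationSession();
            String requested = s.getAuthNote(NOTE_AUTHN_CONTEXT_CLASSES);
            String comparison = s.getAuthNote(NOTE_AUTHN_CONTEXT_COMPARISON);
            if (requested == null || !"exact".equalsIgnoreCase(comparison)) {
                context.success(); // nothing demanded, or a minimum/better/maximum match left to later steps
                return;
            }
            for (String ref : requested.split(" ")) {
                if (SUPPORTED.contains(ref)) {
                    context.success();
                    return;
                }
            }
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
        }

        @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
        @Override public boolean requiresUser() { return false; }
        @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
        @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
        @Override public void close() { }
    }
}
```

Both classes would still need the usual provider factories and registration in the flow and SPI configuration, which are omitted here. The split of responsibilities is the point of the proposal: the preprocessor only transports request attributes into the auth session, and each authenticator decides what those client-supplied values mean for its own step.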
________________________________
This message and any attachments are intended solely for the addressees and may contain
confidential information. Any unauthorized use or disclosure, either whole or partial, is
prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if
altered, changed or falsified. If you are not the intended recipient of this message,
please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from
viruses, the sender will not be liable for damages caused by a transmitted virus.