Hi,

I’m trying to integrate Keycloak with a SAML SP, but unfortunately it is not working yet. I created an Identity Provider in the admin interface.

I guess the problem is that the AuthnRequest which is sent by an HTTP POST to the SP contains a NameIDPolicy:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ….
        <samlp:NameIDPolicy AllowCreate="true"
                            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                            />
    </samlp:AuthnRequest>


But according to the documentation of the SP I must send

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ….
        <samlp:RequestedAuthnContext Comparison="minimum">
            <saml:AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml:AuthnContextClassRef>
        </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

Is this possible with Keycloak? And if so, how can this be done?

Kind regards,

Sjef Hoeks

Sjef Hoeks
Technical Architect

Gouw Informatie Technologie bv
Hogeweg 5, 5301 LB Zaltbommel
Postbus 98, 5300 AB Zaltbommel
T 0418 511 522
M
E s.hoeks@gouwit.nl
I www.gouwit.nl
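A small diagnostic for the mismatch described in the mail: it decodes the SAMLRequest value of an HTTP-POST binding form (plain base64, no DEFLATE) and reports whether the AuthnRequest carries a NameIDPolicy, a RequestedAuthnContext, and the Comparison/class reference the SP documentation asks for. This is an added example, not part of the original mail and not Keycloak code; it assumes Python 3 with the standard library only, and the two sample requests are constructed from the snippets above, with the elided attributes filled by placeholder values (the IDs `_sent` and `_required` are hypothetical).

```python
import base64
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Authentication context class the SP documentation requires.
REQUIRED_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def inspect_authn_request(xml_text):
    """Summarise NameIDPolicy / RequestedAuthnContext of a samlp:AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    policy = root.find("samlp:NameIDPolicy", NS)
    ctx = root.find("samlp:RequestedAuthnContext", NS)
    classes = []
    if ctx is not None:
        classes = [e.text.strip() for e in ctx.findall("saml:AuthnContextClassRef", NS) if e.text]
    return {
        "nameid_format": policy.get("Format") if policy is not None else None,
        "comparison": ctx.get("Comparison") if ctx is not None else None,
        "class_refs": classes,
        # What the SP documentation asks for: Comparison="minimum" plus the class ref.
        "meets_sp_requirement": ctx is not None and ctx.get("Comparison") == "minimum" and REQUIRED_CLASS in classes,
    }


def inspect_post_binding(saml_request_b64):
    """HTTP-POST binding: the SAMLRequest form field is base64 of the raw XML."""
    return inspect_authn_request(base64.b64decode(saml_request_b64).decode("utf-8"))


# Constructed samples modelled on the two requests in the mail (placeholder ID/IssueInstant).
SENT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_sent" Version="2.0" IssueInstant="2000-01-01T00:00:00Z">
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>"""
REQUIRED = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_required" Version="2.0" IssueInstant="2000-01-01T00:00:00Z">
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""
# Constructed SAMLRequest form-field value as it would appear in the POST body.
POSTED = base64.b64encode(REQUIRED.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for label, xml in (("sent", SENT), ("required", REQUIRED)):
        print(label, inspect_authn_request(xml))
    print("posted", inspect_post_binding(POSTED))
```

Paste the SAMLRequest value captured from the browser's POST into inspect_post_binding to see exactly what the IdP emitted.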