[keycloak-dev] Keycloak: NameID/BaseID/EncryptedID from SAML REQUEST is not adding to client session

rony joy ronyjoy at gmail.com
Thu Oct 6 14:08:51 EDT 2016


We are proposing the following changes to
"org.keycloak.protocol.saml.SamlService" Method : "loginRequest" Method.
 + Read the Subject / NameID value from the saml Request if it is not NULL.
 + Add it to the Client Session note under SamlProtocol.SAML_NAME_ID.

The code will look something like this

    // Read the Subject from the incoming AuthnRequest
    SubjectType subject = requestAbstractType.getSubject();
    if (subject != null) {
        SubjectType.STSubType subType = subject.getSubType();
        if (subType != null) {
            // Only a plain NameID is handled; EncryptedID and other BaseID types are ignored
            BaseIDAbstractType baseID = subType.getBaseID();
            if (baseID instanceof NameIDType) {   // instanceof is false for null, so no separate null check
                NameIDType nameID = (NameIDType) baseID;
                // Store the SP-supplied NameID on the client session for later authenticators
                clientSession.setNote(SamlProtocol.SAML_NAME_ID, nameID.getValue());
            }
        }
    }





On Wed, Oct 5, 2016 at 7:45 AM rony joy <ronyjoy at gmail.com> wrote:

> We have a requirement to receive Username/EmailId in the Subject/NameID
> field of the SAML Request. Keycloak then receives that value in a custom
> authenticator
>
> and sends it to the tokenvalidator for further flow. The idea here is to omit the step of asking the user name from the user again if it is present in the SAMLRequest.
>
> 1. In Keycloak I don't see the NameID/BaseID/EncryptedId value from the SAML request being put in the client session. Why?
> 2. I can see that Keycloak is parsing the Subject/NameID field, but not adding it to the client session. Is there any reason for this?
>
> 3. I am willing to fork the repo and do the changes.
> 4. Please see our SAML request
>
> Please let me know your suggestions and ideas
> Rony Joy
>
> <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest
> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://192.168.99.100:9980/auth/realms/saml-demo/protocol/saml"
> ForceAuthn="false" ID="daakemmdhjmfajnhpljnckldjmcejllkffegibdj"
> IsPassive="false" IssueInstant="2016-10-04T04:42:32.860Z"
> Version="2.0"><saml2:Issuer
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/employee-sig-idfirst/</saml2:Issuer><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
> URI="#daakemmdhjmfajnhpljnckldjmcejllkffegibdj"><ds:Transforms><ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1
> "/><ds:DigestValue>R4HTkFdDm5tYqRLGb1Wh8QUwa0o=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>IokRvOo8z3EES+85HvckmYYXQ/Q8DadiGHJdZmmYGpQ3VZW1MYnlBgeVwc5Dx4wsNGvRPpAsNM7ij9qGhgLUORuqZshb4YFMMqqDTzg4SoHuq2Ol7jdXo3x39hyZGKjoiC7qBxXbSml7j9UixL/7CescKvuh1xTSOBulsM4EefaY+J7Ud8ZSEMaqfCk36OaWZwq+8Ss/aZ6p31oMKu9T2dGTW7DZY3mn4Fz0aVr3lYzkaJAOQ+mMHOK8TDYlmZcc1e9l37KuKR3Z9dBawXdplHHD25vW/C0NnNfxbo90UTgN2kpDlhGSjrxW3XpvqEpEaF3DwR9Q40iD3M0+su6ZXg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC5TCCAc0CBgFWTDcTwDANBgkqhkiG9w0BAQsFADA2MTQwMgYDVQQDDCtodHRwOi8vbG9jYWxo
> b3N0OjgwODAvZW1wbG95ZWUtc2lnLWlkZmlyc3QvMB4XDTE2MDgwMjE3MDMxM1oXDTI2MDgwMjE3
> MDQ1M1owNjE0MDIGA1UEAwwraHR0cDovL2xvY2FsaG9zdDo4MDgwL2VtcGxveWVlLXNpZy1pZGZp
> cnN0LzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9BGbuxabZxnZdlT8UwWZmT4537
> zduU08apai2E3m3/xJNEKU5gcufLlYXzAoHNGvoX1j+GowKjv+Z0uypJLpFoyE9tj+ng15sO5QfE
> EK5L7K0yl3W3s4AeNue6YTQjeuL0DoFVj2hUcMEZpd7gjLp/aVzk/9Rx53kIJpEOt9Y1RHql+vW2
> hIeq9Qap2qkOzjPN85257hqCylfhfk7z7xgMDA6EUalU+QCMecsqEr2FDfUtE1qHPAJTMHmjK8DC
> 4PjtnkLroPSaUoJ1YxJtCcw1vzOrDbSsMW2J6GBtkzNMkRIJIZCqCus4C9MtAVE8hlgSAZSzwN6S
> FVIj/pgYAscCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAKtrEjO1MWXxQGx6dD4Ogw9fcJfjXVlY0
> lsis1s7hxeaqYHZSAtNWTkFp7JltaPp6VFmBs7hPSJUvPo7z13rP+0KuoEht+VgiFlceWFNUN5ur
> tYskQoN+sQ1V8Z6u/vku6fwVOQm9YpS7Nn582A2nBL4IdgCMYhpPPfN39yV24yWpv4VTrOG1q3pj
> yc1IHCU+ooP8pa64gXt0T/HRRCnm+CWgwYSrhdYYG0rYxAdKQ5GhkfRhR2rx2kOgHIuxZ4e2kVla
> x9zQ9fuBtDn6u4VdzoikJUiEYxt4Sb4YfvgchU1Sk4G0Y+K2oP5dPMemdsZMWqzzvrSNQrebPgsB
> KYpXxA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>*<saml2:Subject
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:NameID
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">username</saml2:NameID></saml2:Subject>*<saml2p:NameIDPolicy
> AllowCreate="true"
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></saml2p:AuthnRequest>
>
>
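Added example, not code from this thread or from the Keycloak project: a custom authenticator that consumes the SAML_NAME_ID client-session note the proposed loginRequest change writes, i.e. the second half of the flow described above. The package and class names are assumed, and it targets the Keycloak 2.x SPI of the time (AuthenticationFlowContext.getClientSession(), UserProvider.getUserByUsername(String, RealmModel)), which later releases changed.

```java
package org.example.saml; // assumed package name, not part of the thread

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.saml.SamlProtocol;

/**
 * Identifies the user from the NameID that SamlService stored under
 * SamlProtocol.SAML_NAME_ID so that the username prompt can be skipped.
 *
 * It deliberately does NOT authenticate anyone: the NameID is asserted by the
 * service provider inside the AuthnRequest, so a REQUIRED credential check
 * (password, OTP, ...) must follow this step in the flow.
 */
public class SamlNameIdHintAuthenticator implements Authenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        ClientSessionModel clientSession = context.getClientSession();
        String nameId = clientSession.getNote(SamlProtocol.SAML_NAME_ID);

        if (nameId == null || nameId.trim().isEmpty()) {
            // No hint in the request: let the rest of the flow ask for the username.
            context.attempted();
            return;
        }

        RealmModel realm = context.getRealm();
        KeycloakSession session = context.getSession();

        // Keycloak 2.x argument order (username, realm); later releases flipped it.
        UserModel user = session.users().getUserByUsername(nameId, realm);
        if (user == null) {
            // The SP may send an e-mail address instead of a username.
            user = session.users().getUserByEmail(nameId, realm);
        }

        if (user == null || !user.isEnabled()) {
            // Unknown or disabled account: fall back to the normal username prompt
            // instead of failing here, so the response does not reveal whether
            // the account exists.
            context.attempted();
            return;
        }

        // Identification only; the next execution in the flow verifies credentials.
        context.setUser(user);
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // This authenticator renders no form, so there is no POST to process.
        context.attempted();
    }

    @Override
    public boolean requiresUser() {
        return false; // runs before a user is known
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true; // needs no per-user setup
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // nothing to enrol
    }

    @Override
    public void close() {
        // no resources held
    }
}
```

Register it through an AuthenticatorFactory and place it as an ALTERNATIVE execution ahead of the username prompt, with the credential check REQUIRED after it. Because the NameID in an AuthnRequest is chosen by the service provider, this step may select the account but must never be the one that authenticates it.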
