[keycloak-dev] Keycloak: NameID/BaseID/EncryptedID from SAML REQUEST is not adding to client session
Muein Muzamil
shmuein+keycloak-dev at gmail.com
Thu Oct 6 23:28:31 EDT 2016
We also have a similar requirement for one of our customers. Your changes
make sense to me, and I am hoping they get merged back so that we can
reuse them :)
Regards,
Muein
On Oct 6, 2016 1:11 PM, "rony joy" <ronyjoy at gmail.com> wrote:
> We are proposing the following changes to the "loginRequest" method of
> "org.keycloak.protocol.saml.SamlService":
> + Read the Subject / NameID value from the SAML request if it is not null.
> + Add it to the client session note under SamlProtocol.SAML_NAME_ID.
>
> The code will look something like this:
>
> // Read the Subject from the incoming SAML AuthnRequest
> SubjectType subject = requestAbstractType.getSubject();
> if (subject != null) {
>     SubjectType.STSubType subType = subject.getSubType();
>     if (subType != null) {
>         BaseIDAbstractType baseID = subType.getBaseID();
>         // Only a plain NameID is used; other BaseID subtypes and
>         // EncryptedID are not handled here (instanceof also covers null)
>         if (baseID instanceof NameIDType) {
>             NameIDType nameID = (NameIDType) baseID;
>             clientSession.setNote(SamlProtocol.SAML_NAME_ID, nameID.getValue());
>         }
>     }
> }
>
> On Wed, Oct 5, 2016 at 7:45 AM rony joy <ronyjoy at gmail.com> wrote:
>
> > We have a requirement to receive the Username/EmailId in the Subject/NameID
> > field of the SAML Request. Keycloak then receives that value in a custom
> > authenticator and sends it to the tokenvalidator for further flow. The idea
> > here is to omit the step of asking the user for their user name again if it
> > is present in the SAMLRequest.
> >
> > 1. In Keycloak I don't see the NameID/BaseID/EncryptedID value from the SAML
> > request being put in the client session. Why?
> > 2. I can see that Keycloak is parsing the Subject/NameID field, but not
> > adding it to the client session. Is there any reason for this?
> >
> > 3. I am willing to fork the repo and do the changes.
> > 4. Please see our SAML request:
> >
> > Please let me know your suggestions and ideas
> > Rony Joy
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> >     Destination="http://192.168.99.100:9980/auth/realms/saml-demo/protocol/saml"
> >     ForceAuthn="false" ID="daakemmdhjmfajnhpljnckldjmcejllkffegibdj"
> >     IsPassive="false" IssueInstant="2016-10-04T04:42:32.860Z" Version="2.0">
> >   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/employee-sig-idfirst/</saml2:Issuer>
> >   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >     <ds:SignedInfo>
> >       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >       <ds:Reference URI="#daakemmdhjmfajnhpljnckldjmcejllkffegibdj">
> >         <ds:Transforms>
> >           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >         </ds:Transforms>
> >         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >         <ds:DigestValue>R4HTkFdDm5tYqRLGb1Wh8QUwa0o=</ds:DigestValue>
> >       </ds:Reference>
> >     </ds:SignedInfo>
> >     <ds:SignatureValue>IokRvOo8z3EES+85HvckmYYXQ/Q8DadiGHJdZmmYGpQ3VZW1MYnlBgeVwc5Dx4wsNGvRPpAsNM7ij9qGhgLUORuqZshb4YFMMqqDTzg4SoHuq2Ol7jdXo3x39hyZGKjoiC7qBxXbSml7j9UixL/7CescKvuh1xTSOBulsM4EefaY+J7Ud8ZSEMaqfCk36OaWZwq+8Ss/aZ6p31oMKu9T2dGTW7DZY3mn4Fz0aVr3lYzkaJAOQ+mMHOK8TDYlmZcc1e9l37KuKR3Z9dBawXdplHHD25vW/C0NnNfxbo90UTgN2kpDlhGSjrxW3XpvqEpEaF3DwR9Q40iD3M0+su6ZXg==</ds:SignatureValue>
> >     <ds:KeyInfo>
> >       <ds:X509Data>
> >         <ds:X509Certificate>
> > MIIC5TCCAc0CBgFWTDcTwDANBgkqhkiG9w0BAQsFADA2MTQwMgYDVQQDDCtodHRwOi8vbG9jYWxo
> > b3N0OjgwODAvZW1wbG95ZWUtc2lnLWlkZmlyc3QvMB4XDTE2MDgwMjE3MDMxM1oXDTI2MDgwMjE3
> > MDQ1M1owNjE0MDIGA1UEAwwraHR0cDovL2xvY2FsaG9zdDo4MDgwL2VtcGxveWVlLXNpZy1pZGZp
> > cnN0LzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9BGbuxabZxnZdlT8UwWZmT4537
> > zduU08apai2E3m3/xJNEKU5gcufLlYXzAoHNGvoX1j+GowKjv+Z0uypJLpFoyE9tj+ng15sO5QfE
> > EK5L7K0yl3W3s4AeNue6YTQjeuL0DoFVj2hUcMEZpd7gjLp/aVzk/9Rx53kIJpEOt9Y1RHql+vW2
> > hIeq9Qap2qkOzjPN85257hqCylfhfk7z7xgMDA6EUalU+QCMecsqEr2FDfUtE1qHPAJTMHmjK8DC
> > 4PjtnkLroPSaUoJ1YxJtCcw1vzOrDbSsMW2J6GBtkzNMkRIJIZCqCus4C9MtAVE8hlgSAZSzwN6S
> > FVIj/pgYAscCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAKtrEjO1MWXxQGx6dD4Ogw9fcJfjXVlY0
> > lsis1s7hxeaqYHZSAtNWTkFp7JltaPp6VFmBs7hPSJUvPo7z13rP+0KuoEht+VgiFlceWFNUN5ur
> > tYskQoN+sQ1V8Z6u/vku6fwVOQm9YpS7Nn582A2nBL4IdgCMYhpPPfN39yV24yWpv4VTrOG1q3pj
> > yc1IHCU+ooP8pa64gXt0T/HRRCnm+CWgwYSrhdYYG0rYxAdKQ5GhkfRhR2rx2kOgHIuxZ4e2kVla
> > x9zQ9fuBtDn6u4VdzoikJUiEYxt4Sb4YfvgchU1Sk4G0Y+K2oP5dPMemdsZMWqzzvrSNQrebPgsB
> > KYpXxA==
> >         </ds:X509Certificate>
> >       </ds:X509Data>
> >     </ds:KeyInfo>
> >   </ds:Signature>
> >   <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
> >     <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">username</saml2:NameID>
> >   </saml2:Subject>
> >   <saml2p:NameIDPolicy AllowCreate="true"
> >     Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
> > </saml2p:AuthnRequest>
> >
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
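Added example, not from the thread and not Keycloak's own code: a stand-alone Python sketch of the extraction Rony proposes, with the checks a reviewer would want around it. It uses nothing from Keycloak; the note name SAML_NAME_ID stands in for SamlProtocol.SAML_NAME_ID, the sample requests are constructed to match the shape of the AuthnRequest quoted above (signature omitted), and the request signature is assumed to have been verified by the caller before this runs. The point the thread leaves implicit: the NameID in an AuthnRequest Subject is an SP-supplied hint. A valid request signature proves the SP sent it, not that the user is who it names, so the value can prefill the username in an identity-first flow but must never cause the credential step to be skipped.

```python
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Only formats that can sensibly prefill a username field; transient and
# persistent identifiers are not something a user types, so they are ignored.
HINT_FORMATS = {NAMEID_UNSPECIFIED, NAMEID_EMAIL}
MAX_HINT_LEN = 254
# No whitespace or control characters in a value that will be echoed into a form.
HINT_RE = re.compile(r"[^\s\x00-\x1f\x7f]+")

# Assumed note name standing in for SamlProtocol.SAML_NAME_ID from the proposal.
SAML_NAME_ID_NOTE = "SAML_NAME_ID"


def build_request(subject_xml: str) -> str:
    """Constructed sample shaped like the AuthnRequest quoted in the thread.

    The <ds:Signature> is omitted: signature verification happens before the
    hint is read and is out of scope for this example.
    """
    return (
        f'<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}" '
        'Destination="http://192.168.99.100:9980/auth/realms/saml-demo/protocol/saml" '
        'ForceAuthn="false" ID="daakemmdhjmfajnhpljnckldjmcejllkffegibdj" '
        'IsPassive="false" IssueInstant="2016-10-04T04:42:32.860Z" Version="2.0">'
        "<saml2:Issuer>http://localhost:8080/employee-sig-idfirst/</saml2:Issuer>"
        + subject_xml
        + f'<saml2p:NameIDPolicy AllowCreate="true" Format="{NAMEID_UNSPECIFIED}"/>'
        "</saml2p:AuthnRequest>"
    )


def extract_login_hint(authn_request_xml):
    """Return the plain NameID from a direct <saml:Subject> child, or None.

    Whatever comes back is an SP-supplied hint, nothing more: the SP's request
    signature (checked by the caller) ties it to the SP, but the user has not
    proven anything yet. Prefill the username with it; never skip credentials.
    """
    if isinstance(authn_request_xml, str):
        authn_request_xml = authn_request_xml.encode("utf-8")
    # In production parse with defusedxml or with DTD/entity expansion disabled.
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return None
    # A single-step find() matches direct children only, so a Subject placed
    # inside <samlp:Extensions> or elsewhere is not picked up.
    subject = root.find("saml:Subject", NS)
    if subject is None:
        return None
    # As in the proposed Keycloak change, only a plain NameID is used; other
    # BaseID subtypes and EncryptedID are left alone.
    name_id = subject.find("saml:NameID", NS)
    if name_id is None:
        return None
    if name_id.get("Format", NAMEID_UNSPECIFIED) not in HINT_FORMATS:
        return None
    value = (name_id.text or "").strip()
    if not value or len(value) > MAX_HINT_LEN or not HINT_RE.fullmatch(value):
        return None
    return value


def record_login_hint(client_session_notes: dict, authn_request_xml):
    """Store the hint as a client-session note, the way the proposal does."""
    hint = extract_login_hint(authn_request_xml)
    if hint is not None:
        client_session_notes[SAML_NAME_ID_NOTE] = hint
    return hint


def prefill_username(client_session_notes: dict) -> str:
    """What an identity-first form reads back: a prefill value, not an identity."""
    return client_session_notes.get(SAML_NAME_ID_NOTE, "")


# Constructed inputs covering the cases the thread asks about.
REQUEST_WITH_NAMEID = build_request(
    f'<saml2:Subject><saml2:NameID Format="{NAMEID_UNSPECIFIED}">username</saml2:NameID></saml2:Subject>'
)
REQUEST_WITH_ENCRYPTED_ID = build_request(
    "<saml2:Subject><saml2:EncryptedID>"
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
    "</saml2:EncryptedID></saml2:Subject>"
)
REQUEST_WITH_CONTROL_CHARS = build_request(
    f'<saml2:Subject><saml2:NameID Format="{NAMEID_EMAIL}">alice@example.com&#10;admin</saml2:NameID></saml2:Subject>'
)
REQUEST_WITHOUT_SUBJECT = build_request("")

if __name__ == "__main__":
    notes = {}
    print(record_login_hint(notes, REQUEST_WITH_NAMEID), prefill_username(notes))
    print(record_login_hint({}, REQUEST_WITH_ENCRYPTED_ID))
    print(record_login_hint({}, REQUEST_WITH_CONTROL_CHARS))
```

The hint is deliberately restricted to a direct child of the AuthnRequest, to the unspecified and emailAddress formats, and to a bounded, control-free string, because the same value ends up in a rendered login form and in a session note that later code may trust more than it should.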