[keycloak-dev] SAML 2.0 AttributeValue AnyType

frelibert at yahoo.com frelibert at yahoo.com
Thu Feb 2 16:00:18 EST 2017 

Hi,
I need to integrate my keycloak server with a SAML 2.0 identity provider which, for some attributes, returns values with complex content (AnyType, without specifying the type of the Element).
e.g.
<saml2:Attribute Name="attr:notype:element" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">        <Name xml:lang="nl" xmlns="urn:be:fgov:complextype:v1">Hospitaal x</Name>      </saml2:AttributeValue>      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">        <Name xml:lang="fr" xmlns="urn:be:fgov:complextype:v1">hopital x</Name>      </saml2:AttributeValue>    </saml2:Attribute>
KeyCloak throws an exception when parsing such an AttributeValue in a received Assertion.That's not very friendly.It would be better to give a warning and just skip the AttributeValue so it doesn't block the whole process.But even better would be to actually support complex values, as the SAML 2.0 specs do so.There is actually an easy fix to this.I allready implemented this last year when I integrated that same Identity Provider using PicketLink, which had the same flaw.As PicketLink has become deprecated in favor of KeyCloak, we are trying to move on to KeyCloak.Are you prepared to add support for complex values?The infected class is actually completely the same (I suppose you integrated the code of PicketLink):
org.keycloak.saml.processing.core.parsers.util.SAMLParserUtil.parseAttributeValue(XMLEventReader)

My fix is to use the existing process flow if possible but to go for a default behaviour where now an exception is thrown:parse the content of the AttributeValue as a String, including the xmltags.For non-xml values, this will end up as a simple string, for complex xml values, this will end up as a string with xml tags in it.This prevents impact in other parts of the code as it is nothing more then a string.
I allready tested it in my local keycloak server and KeyCloak has no problems with it further down the road.
If the SAML attribute is mapped to a User attribute, it shows the xmlstring in the user attribute value.If the User Attribute is used in a response, the xmlstring is escaped in the resulting Assertion, which is ok.
I can create a pull request for this, it's actually one extra method in SAMLParserUtil.You can find the updated class in attachment.There are no other differences between the branch 2.5.x and the master.

More information about the keycloak-dev mailing list