[keycloak-dev] Fwd: Add SAML Extensions (and AuthContext) as another client note to the AuthenticationSessionModel in SamlService

Hynek Mlnarik hmlnarik at redhat.com
Thu Sep 12 17:45:43 EDT 2019


Hi Roland,

my apologies for late reply.

The aim is to keep AuthenticationSession small for performance reasons. I
understand that for your use case you need to store that data inside the
AuthSession. I'd be reluctant to unconditionally include the AuthnContext /
SAML Extensions in the AuthenticationSession, both because of the
performance cost and because I also suspect that this unconditional inclusion
of potentially huge data could be exploited in an attack with a specially
crafted SAML message. Yet I wonder whether you would like to do that
conditionally?

There is a community request to add support for SAML document preprocessing
in [1]. Perhaps this could be the way to achieve your goal - to hook into
such a mechanism and store whatever needs to be stored in the
authentication session in a custom handler. Would that work for you?

--Hynek

[1] https://issues.jboss.org/browse/KEYCLOAK-9936

On Mon, Jun 24, 2019 at 7:57 AM Roland <contributing.to.keycloak at gmail.com>
wrote:

> Any remarks on this? Did anyone get the chance to take a look? Stian?
>
> Thanks!
> Roland
>
> ---------- Forwarded message ---------
> From: Roland <contributing.to.keycloak at gmail.com>
> Date: Wed., 19 June 2019 at 14:04
> Subject: Add SAML Extensions (and AuthContext) as another client note to
> the AuthenticationSessionModel in SamlService
> To: <keycloak-dev at lists.jboss.org>
>
>
> Hello,
>
> when a SAML Request is received in Keycloak, the method loginRequest in the
> abstract class BindingProtocol in class
> org.keycloak.protocol.saml.SamlService puts the information from the request
> into the AuthenticationSessionModel in this section of code:
>
>             authSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL);
>             authSession.setRedirectUri(redirect);
>             authSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
>             authSession.setClientNote(SamlProtocol.SAML_BINDING, bindingType);
>             authSession.setClientNote(GeneralConstants.RELAY_STATE, relayState);
>             authSession.setClientNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID());
>
> What we are missing here is the SAML Extensions, which happen to be in the
> SAML Request which we receive, and which we want to pass on to a brokered
> external Identity Provider.
>
> For example something like this:
>
>             ExtensionsType et = requestAbstractType.getExtensions();
>
>             List<Object> list = et.getAny();
>             <create some kind of String representation>
>             authSession.setAuthNote("SAML_EXTENSION", <the String representation>);
>
> In the same way we would also like access to the AuthContext through the
> authSession.
>
> I would offer to contribute this if the community approves the idea.
>
> Thanks and Regards,
> Roland
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
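The conditional, bounded storage Hynek asks for, as an added example in Java (not Keycloak's code and not Roland's proposed patch): it parses a constructed AuthnRequest with JDK XML APIs only, copies the first <samlp:Extensions> and <samlp:RequestedAuthnContext> (the request-side carrier of the AuthnContext) into notes only when a per-client flag is set and only when the serialized element stays under a size cap, and rejects DTDs so the extra parsing step cannot be abused by a crafted document. The NoteSink interface, the note names, the 4 KiB cap and the clientOptedIn flag are assumptions for this example; in Keycloak the sink would be AuthenticationSessionModel.setAuthNote, and a real change would read requestAbstractType.getExtensions().getAny() instead of re-parsing the document.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example, not Keycloak code: opt-in, size-bounded capture of SAML request parts as notes. */
public class SamlExtensionNotes {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String NOTE_EXTENSIONS = "SAML_EXTENSIONS";                 // assumed note name
    static final String NOTE_AUTHN_CONTEXT = "SAML_REQUESTED_AUTHN_CONTEXT"; // assumed note name
    static final int MAX_NOTE_BYTES = 4096;                                 // assumed per-note cap

    /** Stand-in for AuthenticationSessionModel.setAuthNote (an assumption of this example). */
    interface NoteSink { void setAuthNote(String name, String value); }

    /** Parser hardened against DTD/XXE tricks, since the document is attacker-supplied. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Serializes one element (with the namespace declarations it needs) and no XML declaration. */
    static String serialize(Element e) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(e), new StreamResult(w));
        return w.toString();
    }

    /**
     * Stores the first samlp:Extensions and samlp:RequestedAuthnContext as notes, but only
     * when the client opted in and each serialized element fits the cap. Returns the number
     * of notes set, so absent or oversized parts are visible to the caller.
     */
    static int storeNotes(String authnRequestXml, boolean clientOptedIn, NoteSink sink) throws Exception {
        if (!clientOptedIn) {
            return 0; // never unconditionally: that is the performance and abuse concern in the thread
        }
        Document doc = parse(authnRequestXml);
        return storeFirst(doc, "Extensions", NOTE_EXTENSIONS, sink)
             + storeFirst(doc, "RequestedAuthnContext", NOTE_AUTHN_CONTEXT, sink);
    }

    private static int storeFirst(Document doc, String localName, String note, NoteSink sink) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(SAMLP, localName);
        if (nl.getLength() == 0) {
            return 0;
        }
        String xml = serialize((Element) nl.item(0));
        if (xml.getBytes(StandardCharsets.UTF_8).length > MAX_NOTE_BYTES) {
            return 0; // bloated or crafted part: drop it instead of growing the auth session
        }
        sink.setAuthNote(note, xml);
        return 1;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample AuthnRequest (not captured traffic) carrying both parts.
        String req = "<samlp:AuthnRequest xmlns:samlp=\"" + SAMLP + "\" ID=\"_r1\" Version=\"2.0\""
            + " IssueInstant=\"2019-06-19T12:04:00Z\">"
            + "<samlp:Extensions><ex:Hint xmlns:ex=\"urn:example:ext\">upstream-idp</ex:Hint></samlp:Extensions>"
            + "<samlp:RequestedAuthnContext Comparison=\"exact\"><saml:AuthnContextClassRef"
            + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
            + "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
            + "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>";
        Map<String, String> notes = new HashMap<>();
        System.out.println(storeNotes(req, true, notes::put) + " notes stored: " + notes);

        // An oversized Extensions element, as a crafted request might carry: nothing is stored.
        String crafted = "<samlp:AuthnRequest xmlns:samlp=\"" + SAMLP + "\"><samlp:Extensions><x>"
            + "A".repeat(MAX_NOTE_BYTES + 1) + "</x></samlp:Extensions></samlp:AuthnRequest>";
        notes.clear();
        System.out.println(storeNotes(crafted, true, notes::put) + " notes stored for the crafted request");
    }
}
```

Needs Java 11 or later (String.repeat). The serialized element is kept opaque: nothing in it is interpreted before it is forwarded to the brokered identity provider, and whatever consumes the note later still has to validate it. In a real change the opt-in would be a client attribute rather than a method parameter, which keeps the default behaviour (no extra data in the session) unchanged for every other client.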

