[keycloak-user] Keycloak SAML IdP and URL parameter

Dmitry Telegin dt at acutus.pro
Mon Nov 19 14:52:00 EST 2018


Hello Sud,

Please check out this thread:
http://lists.jboss.org/pipermail/keycloak-user/2018-November/016228.html

The problem under discussion is almost identical to yours, with the only exception being OIDC instead of SAML. But I believe the general principle (fishing request parameters out of the Referer header) remains the same.

Another question: is it possible to use SAML RelayState to pass the same parameter? Custom authenticators have direct access to that field via client session note with the same name ("RelayState"), which could let you avoid the hacks like above.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro 

On Fri, 2018-11-16 at 09:47 -0500, Sud Ramasamy wrote:
> Hi,
> 
> We are using Keycloak as a SAML IdP and have plugged in a custom authenticator to handle the browser flow. The authenticator relies on a custom URL parameter that is present in the initial SAML Authn request to Keycloak. 
> 
> We found that when the Keycloak SAML IdP receives a SAML Authn request (which also contains our custom URL parameter) it exchanges that request with a code and redirects the browser to itself at which point the control reaches our custom authenticator. This redirect causes our custom URL parameter from the initial request to not be available to our custom authenticator. Is there anyway to propagate our custom URL parameter to this second request and thereby have it available to our custom authenticator.
> 
> Thanks in advance for your help.
> 
> Regards
> -sud 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


More information about the keycloak-user mailing list