[keycloak-user] AuthnRequest Customizations

Romstorfer, Georg Georg.Romstorfer at cryptas.com
Wed Aug 7 03:33:55 EDT 2019


Hello,

We want to migrate from OpenAM to Keycloak. There are some customizations implemented in OpenAM, which we have to implement in Keycloak as well, because we cannot change all the SPs.
All the SPs are using SAML at the moment. Here is a sample AuthnRequest which shows the customizations:

<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="s29d5b47"
Version="2.0"
IssueInstant="2010-03-08T12:10:48Z"
AttributeConsumingServiceIndex="1">

<saml:Issuer>https://demo-sp.cryptas.com</saml:Issuer>
<samlp:NameIDPolicy Format="urn:com:cryptas:idp-service:names:nameid-format:PEID" AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="minimum">
<saml:AuthnContextClassRef>urn:li:llv:ida-service:names:ac:classes:assurance-level:2</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Here is the description of the customizations implemented for this request. It would be very helpful if you could provide me with some hint
on how this could be implemented in Keycloak.

  1.  The AttributeConsumingServiceIndex attribute maps to a list of attributes that should be returned.
  2.  We are using a custom Format for the NameIDPolicy. We will also implement a custom User Storage SPI. Can I handle that format in there, or do I have to implement something else so that Keycloak can cope with it?
  3.  There is an AuthnContextClassRef. Its value maps to a list of IDPs which should be selectable on the Login Page. I have seen that there is a static configuration value “hideOnLoginPage” for each IDP. But we need that more dynamic and dependent on this AuthnContextClassRef value.

Thanks for your help,
Georg
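As an added illustration (not the poster's code and not a Keycloak API), the following Python shows the three request fields the customizations key off being parsed from the AuthnRequest quoted above and checked against a per-SP policy table. The policy table, attribute names and IDP aliases are constructed placeholders standing in for the OpenAM mappings the post describes; the SP entity ID, index, NameID format and AuthnContextClassRef values are taken from the post.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed per-SP policy table standing in for the OpenAM mappings the post
# describes; the SP entity ID and the index/format/class values are from the post.
SP_POLICIES = {
    "https://demo-sp.cryptas.com": {
        "attribute_sets": {"1": ["givenName", "sn", "mail"]},
        "nameid_formats": {"urn:com:cryptas:idp-service:names:nameid-format:PEID"},
        "authn_context_idps": {
            "urn:li:llv:ida-service:names:ac:classes:assurance-level:2": ["idp-a", "idp-b"]},
    }
}
# The AuthnRequest quoted in the post (Issuer close tag repaired).
SAMPLE_REQUEST = """<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="s29d5b47" Version="2.0" IssueInstant="2010-03-08T12:10:48Z"
AttributeConsumingServiceIndex="1">
<saml:Issuer>https://demo-sp.cryptas.com</saml:Issuer>
<samlp:NameIDPolicy Format="urn:com:cryptas:idp-service:names:nameid-format:PEID" AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="minimum">
<saml:AuthnContextClassRef>urn:li:llv:ida-service:names:ac:classes:assurance-level:2</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def parse_authn_request(xml_text):
    # Extract the three fields the customizations key off. Put a hardened XML
    # parser (e.g. defusedxml) in front of this for requests received from the network.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    policy = root.find("samlp:NameIDPolicy", NS)
    ctx = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return {"issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
            "acs_index": root.get("AttributeConsumingServiceIndex"),
            "nameid_format": policy.get("Format") if policy is not None else None,
            "authn_context": (ctx.text or "").strip() if ctx is not None else None}

def resolve_customizations(req):
    # Map the parsed fields to IdP behaviour, refusing anything not registered for the SP.
    sp = SP_POLICIES.get(req["issuer"])
    if sp is None:
        raise PermissionError("unknown SP issuer %r" % req["issuer"])
    attrs = sp["attribute_sets"].get(req["acs_index"])
    if attrs is None:
        raise ValueError("unknown AttributeConsumingServiceIndex %r" % req["acs_index"])
    if req["nameid_format"] not in sp["nameid_formats"]:
        raise ValueError("unsupported NameID format %r" % req["nameid_format"])
    return {"release_attributes": attrs, "nameid_format": req["nameid_format"],
            "selectable_idps": sp["authn_context_idps"].get(req["authn_context"], [])}
```

Keying every decision off the verified Issuer, rather than off the raw index or class reference alone, is what keeps one SP from requesting another SP's attribute set or IDP list.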


