KEYCLOAK-13950

SAML2 Identity Provider - Send Subject in SAML requests

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 9.0.3
    • Fix Version/s: 12.0.0
    • Component/s: Protocol - SAML
    • Labels: None
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      Motivation

      When working with SAML IDPs, it is currently not possible to send a Subject. This subject can prefill the username input field during the login process.

      As mentioned by Hynek Mlnařík in KEYCLOAK-13858, the Subject is an optional standard element of SAML requests: see https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, line 2017 and below.

      Another motivation: it is impossible to achieve this using `SamlAuthenticationPreprocessor` because:

      • There is nothing from the request url available in the `clientSession`
      • `SAMLRequestWriter` does not write the subject in the request

      Solution

      This PR takes a query parameter named `login_hint` into account and adds it to the SAML Request as a Subject element. When no `login_hint` is provided, no Subject is added to the request.

      This does not require any change in the identity provider configuration.

      Limitations

      Pay attention that several IDPs do not support the Subject element of SAML. For instance: ADFS simply ignores it: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#subject

      login_hint

      Why a `login_hint` and not a `subject` query parameter? I believe Keycloak exposes its Identity Providers (SAML or not) as an OpenID facade and then redirects the requests to the appropriate providers.
      Considering OpenID already has a standard `login_hint` query parameter, it makes sense to support the same contract.

      Usage

      By default, a social button pointing to a SAML Identity Provider redirects the user to a login URL `http[s]://{host:port}/auth/realms/{realm-name}/broker/{broker-alias}/login?<query-parameters>`.
      Adding a `login_hint` query parameter to this URL will add its value to the SAML request as a Subject attribute.
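The behaviour described in the Solution and Usage sections above, as an added stand-alone example (not Keycloak's own `SAMLRequestWriter` code): the `login_hint` is read from the broker login URL, and a `<saml:Subject>` carrying it as a `NameID` is emitted in the AuthnRequest only when a hint is present. The issuer, destination and hostnames are constructed placeholders; the hint is set as element text through ElementTree so that a hostile value is escaped rather than interpreted as markup.

```python
"""Build a SAML 2.0 AuthnRequest whose Subject is derived from an optional login_hint."""
import uuid
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def login_hint_from_url(url: str):
    """Return the login_hint query parameter of a broker login URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("login_hint", [None])[0]


def build_authn_request(issuer: str, destination: str, login_hint=None) -> str:
    """Serialise an AuthnRequest; the Subject element is added only when login_hint is set."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    # saml-core 2.0 section 3.4.1: Subject is optional, so omit it entirely without a hint.
    if login_hint:
        subject = ET.SubElement(req, f"{{{SAML}}}Subject")
        name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": NAMEID_UNSPECIFIED})
        # Assigned as text: ElementTree escapes '<', '>' and '&', so the hint cannot inject elements.
        name_id.text = login_hint
    return ET.tostring(req, encoding="unicode")


def subject_of(authn_request_xml: str):
    """Return the NameID text of the request's Subject, or None when no Subject is present."""
    node = ET.fromstring(authn_request_xml).find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return node.text if node is not None else None


if __name__ == "__main__":
    # Constructed broker login URL in the form given in the Usage section.
    url = "https://kc.example.test/auth/realms/demo/broker/my-saml-idp/login?login_hint=alice%40example.test"
    print(build_authn_request("https://kc.example.test/auth/realms/demo",
                              "https://idp.example.test/sso", login_hint_from_url(url)))
```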


      People

      • Assignee: Unassigned
      • Reporter: Lorent Lempereur (looorent)
      • Votes: 2
      • Watchers: 3