The SAML protocol lets a service provider request specific constraints on the authentication process from a remote IdP by including a RequestedAuthnContext element that carries one or more AuthnContext references (to classes or to declarations).
This enhancement allows the Keycloak SAML Identity Broker to request specific AuthnContexts from a remote IdP. It requires small plumbing changes in the SAML Identity Provider and three additional fields in the SAML configuration UI to enter the required parameters:
- Comparison Type: one of the fixed values Exact, Minimum, Maximum, Better;
- AuthnContext ClassRefs: a list of URIs corresponding to well-known types of authentication (provider-specific URIs are also allowed);
- AuthnContext DeclRefs: a list of URIs, each corresponding to a provider-specific authentication context declaration;
There is no change to AuthnRequests when no classes or declarations are configured: if both ClassRefs and DeclRefs are empty, the RequestedAuthnContext element is not emitted in the AuthnRequest; otherwise the element is generated with its Comparison attribute set to the configured Comparison Type.
Points of attention:
- Since the IdP config does not support multivalued attributes, the lists are stored as a JSON-serialized array of objects;
- I have added the parameters as a separate, initially collapsed section; if you prefer, they can be merged into the existing "SAML Config" section;
- I am not a native English speaker, so any suggestions on the translation strings are welcome.
This issue replaces KEYCLOAK-14891, which was initially meant to be just the plumbing code, but it wasn't much effort to also add the required UI and complete the feature.
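The two behaviours described above (the multivalued settings stored as a JSON-serialized array, and the rule that RequestedAuthnContext is emitted only when at least one class or declaration reference is configured) can be shown end to end with a small AuthnRequest builder. This is an added example written for this page, not Keycloak's own code: the configuration key names (`authnContextComparisonType`, `authnContextClassRefs`, `authnContextDeclRefs`), the shape of the stored JSON objects (`{"value": "<uri>"}`) and the sample values are assumptions; the element and attribute names and the four Comparison values come from SAML 2.0 Core.

```python
import json
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# UI label -> value of the Comparison attribute as defined by SAML 2.0 Core.
COMPARISON = {"Exact": "exact", "Minimum": "minimum", "Maximum": "maximum", "Better": "better"}


def load_refs(raw):
    """Decode a multivalued setting stored as a JSON-serialized array of objects.

    The object shape ({"value": "<uri>"}) is an assumption made for this example.
    Blank or malformed entries are skipped instead of being emitted as empty
    references, which would produce a malformed request.
    """
    if not raw:
        return []
    refs = []
    for item in json.loads(raw):
        value = item.get("value") if isinstance(item, dict) else item
        if isinstance(value, str) and value.strip():
            refs.append(value.strip())
    return refs


def build_requested_authn_context(comparison_label, class_refs, decl_refs):
    """Return a <samlp:RequestedAuthnContext> element, or None when nothing is requested."""
    if not class_refs and not decl_refs:
        return None  # no element at all: the AuthnRequest is unchanged
    if comparison_label not in COMPARISON:
        raise ValueError(f"unknown comparison type: {comparison_label!r}")
    rac = ET.Element(f"{{{SAMLP_NS}}}RequestedAuthnContext",
                     {"Comparison": COMPARISON[comparison_label]})
    for uri in class_refs:
        ET.SubElement(rac, f"{{{SAML_NS}}}AuthnContextClassRef").text = uri
    for uri in decl_refs:
        ET.SubElement(rac, f"{{{SAML_NS}}}AuthnContextDeclRef").text = uri
    return rac


def build_authn_request(issuer, request_id, issue_instant, config):
    """Build a minimal AuthnRequest from string-valued broker settings (key names assumed)."""
    req = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest",
                     {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = issuer
    rac = build_requested_authn_context(
        config.get("authnContextComparisonType", "Exact"),
        load_refs(config.get("authnContextClassRefs")),
        load_refs(config.get("authnContextDeclRefs")),
    )
    if rac is not None:
        req.append(rac)
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample configuration: one class ref, no declaration refs.
    sample_config = {
        "authnContextComparisonType": "Minimum",
        "authnContextClassRefs": json.dumps(
            [{"value": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"}]),
        "authnContextDeclRefs": "[]",
    }
    print(build_authn_request("https://sp.example/realms/demo", "_req1",
                              "2020-01-01T00:00:00Z", sample_config))
```

With an empty configuration the output contains no RequestedAuthnContext element; with the sample configuration it contains `<samlp:RequestedAuthnContext Comparison="minimum">` wrapping one `saml:AuthnContextClassRef`.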