      Description

      We are trying to use Keycloak as an identity broker to an external SAML2 IdP (Shibboleth).
      The identification requests are not accepted by that IdP because in the request XML they expect these lines:

        <saml2p:RequestedAuthnContext Comparison="exact">
            <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
                urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml2:AuthnContextClassRef>
        </saml2p:RequestedAuthnContext>

      which have to be nested in the saml2p:AuthnRequest tag.
      Searching the web, we understood that, with Keycloak as a SAML2 IdP, there are only two options for AuthnContextClassRef: disable AuthnContext or have urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified, while there is no documentation for Keycloak as a broker to an external SAML2 IdP.
      We need to add this information to our requests, otherwise they will be rejected.

      Can you add this feature to manage this, and a GUI to configure these options?
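As an added example (not Keycloak's or Shibboleth's code), the following Python script checks a SAML2 AuthnRequest for the RequestedAuthnContext element the report asks for and inserts it where it is missing, keeping it before Scoping so the child element order stays valid. The sample request, its ID and URLs are constructed placeholders, and the acceptance rule in `accepts` is an assumption modelled on the rejection the report describes.

```python
from typing import List
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
ET.register_namespace("saml2p", SAMLP)
ET.register_namespace("saml2", SAML)

# Constructed sample: an AuthnRequest with no RequestedAuthnContext at all.
# ID and URLs are placeholders, not values from any real deployment.
SAMPLE_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}"
    ID="_placeholder-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://idp.example.org/idp/profile/SAML2/POST/SSO">
  <saml2:Issuer>https://keycloak.example.org/auth/realms/demo</saml2:Issuer>
  <saml2p:Scoping ProxyCount="1"/>
</saml2p:AuthnRequest>"""

RAC = f"{{{SAMLP}}}RequestedAuthnContext"
REF = f"{{{SAML}}}AuthnContextClassRef"

def requested_classes(authn_request_xml: str) -> List[str]:
    """AuthnContextClassRef values inside RequestedAuthnContext, whitespace stripped."""
    root = ET.fromstring(authn_request_xml)
    return [(ref.text or "").strip() for ref in root.findall(f"{RAC}/{REF}")]

def accepts(authn_request_xml: str, required: str = PPT) -> bool:
    """Assumed model of the IdP-side check from the report: an exact
    RequestedAuthnContext naming `required` must be present."""
    rac = ET.fromstring(authn_request_xml).find(RAC)
    if rac is None or rac.get("Comparison", "exact") != "exact":
        return False
    return required in requested_classes(authn_request_xml)

def add_requested_authn_context(authn_request_xml: str, class_ref: str = PPT,
                                comparison: str = "exact") -> str:
    """Return the request with a RequestedAuthnContext inserted if it lacks one,
    placed before Scoping to respect the AuthnRequest child element order."""
    root = ET.fromstring(authn_request_xml)
    if root.find(RAC) is not None:
        return authn_request_xml
    rac = ET.Element(RAC, Comparison=comparison)
    ET.SubElement(rac, REF).text = class_ref
    children = list(root)
    scoping = root.find(f"{{{SAMLP}}}Scoping")
    idx = children.index(scoping) if scoping is not None else len(children)
    root.insert(idx, rac)
    return ET.tostring(root, encoding="unicode")
```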

                • Reporter:
                  denis.miorandi Denis Miorandi