We are trying to use Keycloak as an identity broker to an external SAML2 IdP (Shibboleth).
The identification requests are not accepted by that IdP because in the request XML they expect these lines:
that have to be nested in the saml2p:AuthnRequest tag.
Searching the web, we understood that, with Keycloak as a SAML2 IdP, there are only two options for AuthnContextClassRef: disable AuthnContext or have urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified, while there is no documentation for Keycloak as a broker to an external SAML2 IdP.
We need to add this information to our requests, otherwise they will be rejected.
Can you add this feature to manage, and a GUI to configure, these options?