Epic | Resolution: Done | Major | None
1. What is the nature and description of the request?
Keycloak does not support Identity Brokering with a SAML 2.0 identity provider that may return attribute values with complex content (xs:anyType, with or without an explicit xsi:type on the element inside the AttributeValue).
Keycloak throws an exception when it receives such an AttributeValue in the Assertion of an identity provider, even if it would never do anything with that Attribute.
That is not very friendly.
It would be better to log a warning and skip the AttributeValue so that it does not block the whole login.
Even better would be to actually support complex values, as defined in the SAML 2.0 specs.
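The following is an added illustration of the two behaviours described above, not Keycloak's own code: a small SAML AttributeStatement reader that either rejects an AttributeValue with complex (element) content, as the reported behaviour does, or logs a warning and skips only that value so the remaining attributes still come through. The assertion fragment, the attribute names and the `extract_attributes` helper are all constructed for this example.

```python
import logging
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

log = logging.getLogger("saml-attributes")

# Constructed sample assertion fragment (not captured from a real IdP).
# "email" is a plain string value; "address" has complex content with an
# explicit xsi:type="xs:anyType"; "roles" mixes a complex value that declares
# no xsi:type at all with a plain string value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue xsi:type="xs:string">alice@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="address">
      <saml:AttributeValue xsi:type="xs:anyType">
        <street>1 Example Street</street>
        <city>Exampletown</city>
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>
        <role>admin</role>
      </saml:AttributeValue>
      <saml:AttributeValue>user</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def is_complex(value_el):
    """An AttributeValue has complex content when it carries child elements,
    whether or not an xsi:type was declared on it."""
    return len(value_el) > 0


def extract_attributes(assertion_xml, strict=False):
    """Return ({attribute name: [string values]}, [names with skipped values]).

    strict=True reproduces the rejecting behaviour: the first complex
    AttributeValue aborts the whole parse with an exception.
    strict=False logs a warning, skips only that value and keeps the rest.
    Note: for XML received from a remote party, parse with a hardened parser
    (e.g. defusedxml); plain ElementTree is used here only on constructed input.
    """
    root = ET.fromstring(assertion_xml)
    result = {}
    skipped = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name")
        values = []
        for val in attr.iterfind("saml:AttributeValue", NS):
            if is_complex(val):
                declared = val.get(XSI_TYPE, "<none>")
                if strict:
                    raise ValueError(
                        f"attribute {name!r}: complex AttributeValue "
                        f"(xsi:type={declared}) not supported"
                    )
                log.warning(
                    "attribute %r: skipping complex AttributeValue (xsi:type=%s)",
                    name, declared,
                )
                skipped.append(name)
                continue
            values.append((val.text or "").strip())
        result[name] = values
    return result, skipped


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    attrs, skipped = extract_attributes(SAMPLE_ASSERTION)
    print(attrs, skipped)
```

With `strict=False` the reader still yields `email` and the plain `roles` value and reports `address` and `roles` as partially skipped; with `strict=True` the same assertion fails on the first complex value, which is the behaviour the request asks to change. Detecting complexity by child elements rather than by the declared xsi:type matters because, as the description notes, an IdP may omit xsi:type entirely.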
2. Why does the customer need this? (List the business requirements here)
We need integration with a brokered IdP that returns complexType AttributeValues.
3. How would the customer like to achieve this? (List the functional requirements here)
When the assertion of a brokered IdP is parsed, no exception should be thrown if complexType AttributeValue elements are encountered.
4. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
As our brokered IdP returns complexType AttributeValues, we can easily test this by authenticating to that IdP and seeing what happens on return.
Furthermore, the issue is already added to the Keycloak Jira project with a pull request that contains a test.
5. Is there already an existing RFE upstream or in Red Hat Bugzilla?
https://issues.jboss.org/browse/KEYCLOAK-4374
6. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
ASAP.
We want to start integration with this IdP.
Without a fix, we can't fully integrate with it.
We developed the fix ourselves (see the pull request on the Jira issue).
We'd like to get rid of our own patch as soon as possible.
7. List any affected packages or components.
Identity Brokering
8. Would the customer be able to assist in testing this functionality if implemented?
Yes.