We are still having the issue reported in
and handled in
because the SAML Response from the brokered IDP in our case has the format

```xml
<saml2:Attribute Name="Unternehmensanschrift">
  <saml2:AttributeValue xmlns:ekona="http://www.elster.de/schema/ekona/saml/extensions"
                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:type="ekona:AdresseType">
    <ekona:Typ>Inland</ekona:Typ>
    <ekona:Strasse>Zillestraße</ekona:Strasse>
    <ekona:Hausnummer>99</ekona:Hausnummer>
    <ekona:PLZ>10585</ekona:PLZ>
    <ekona:Ort>Berlin</ekona:Ort>
    <ekona:Ortsteil>Charlottenburg</ekona:Ortsteil>
    <ekona:Land>DE</ekona:Land>
  </saml2:AttributeValue>
</saml2:Attribute>
```

and the Keycloak parser (still) throws an Exception here.
I appreciate the idea of hmlnarik (Hynek) to introduce custom parsers, but cannot provide the implementation of it (mostly due to lack of skills I'm afraid).
In the meantime I suggest extending SamlAuthenticationPreprocessor, previously introduced by Gideon Caranzo (https://github.com/keycloak/keycloak/pull/6044), by one more method that jumps in AFTER the login returns from the external IDP but BEFORE the SAML response is parsed, so it would be possible for us to manipulate the XML.
I would introduce the following code in class SAMLEndpoint in method handleLoginResponse at the beginning:

```java
// Give every registered preprocessor a chance to rewrite the document before it is parsed.
if (holder != null) {
    for (Iterator<SamlAuthenticationPreprocessor> it = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(session); it.hasNext();) {
        holder = it.next().beforeParsingLoginResponse(holder, responseType, session, config);
    }
}
```
and the corresponding preprocessor method in interface SamlAuthenticationPreprocessor:

```java
/**
 * Called before a login response is parsed.
 */
default SAMLDocumentHolder beforeParsingLoginResponse(SAMLDocumentHolder holder, ResponseType responseType,
                                                      KeycloakSession session, SAMLIdentityProviderConfig config) {
    return holder;
}
```
Would that be acceptable by the community? Then I would open a PR for this.
Thanks!
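As an added, self-contained example (not Keycloak code and not the issue author's code), this is the kind of DOM rewrite the proposed hook would run: it finds every `saml2:AttributeValue` whose content is child elements rather than text, as in the `ekona:AdresseType` value above, and replaces the children with one string so a parser that only accepts simple string values can consume it. The "LocalName=text" encoding and the sample document are constructed for the example; the parser hardening (no DOCTYPE, no external entities) is standard JAXP configuration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.StringJoiner;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Added example, not Keycloak code: flattens complex-typed saml2:AttributeValue elements to text. */
public class ComplexAttributeValueFlattener {

    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String XSI_NS = "http://www.w3.org/2001/XMLSchema-instance";

    /** Rewrites every AttributeValue that has element children; returns how many were rewritten. */
    public static int flatten(Document doc) {
        NodeList live = doc.getElementsByTagNameNS(SAML2_NS, "AttributeValue");
        // The NodeList is live and the loop mutates the tree, so iterate over a snapshot.
        List<Element> values = new ArrayList<>();
        for (int i = 0; i < live.getLength(); i++) {
            values.add((Element) live.item(i));
        }
        int rewritten = 0;
        for (Element value : values) {
            List<Element> parts = childElements(value);
            if (parts.isEmpty()) {
                continue; // already a plain string value, leave it untouched
            }
            // Constructed encoding: "LocalName=text" pairs in document order, comma separated.
            StringJoiner joined = new StringJoiner(", ");
            for (Element part : parts) {
                String text = part.getTextContent().trim();
                if (!text.isEmpty()) {
                    joined.add(part.getLocalName() + "=" + text);
                }
            }
            while (value.getFirstChild() != null) {
                value.removeChild(value.getFirstChild());
            }
            value.appendChild(doc.createTextNode(joined.toString()));
            // The value is now a string, so the complex xsi:type no longer describes it.
            value.removeAttributeNS(XSI_NS, "type");
            rewritten++;
        }
        return rewritten;
    }

    private static List<Element> childElements(Element parent) {
        List<Element> result = new ArrayList<>();
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE) {
                result.add((Element) n);
            }
        }
        return result;
    }

    /** Namespace-aware parser with DOCTYPE and external entity processing disabled (XXE hardening). */
    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the attribute from the issue, wrapped so the saml2 prefix is declared.
        String sample = "<saml2:Attribute xmlns:saml2=\"" + SAML2_NS + "\" Name=\"Unternehmensanschrift\">"
            + "<saml2:AttributeValue xmlns:ekona=\"http://www.elster.de/schema/ekona/saml/extensions\""
            + " xmlns:xsi=\"" + XSI_NS + "\" xsi:type=\"ekona:AdresseType\">"
            + "<ekona:Typ>Inland</ekona:Typ><ekona:Strasse>Zillestraße</ekona:Strasse>"
            + "<ekona:Hausnummer>99</ekona:Hausnummer><ekona:PLZ>10585</ekona:PLZ>"
            + "<ekona:Ort>Berlin</ekona:Ort><ekona:Ortsteil>Charlottenburg</ekona:Ortsteil>"
            + "<ekona:Land>DE</ekona:Land></saml2:AttributeValue></saml2:Attribute>";
        Document doc = parse(sample);
        int n = flatten(doc);
        Element value = (Element) doc.getElementsByTagNameNS(SAML2_NS, "AttributeValue").item(0);
        System.out.println("rewrote " + n + " value(s); new text: " + value.getTextContent());
    }
}
```

Inside the proposed `beforeParsingLoginResponse`, this would be applied to the DOM carried by the holder (assuming `SAMLDocumentHolder` exposes it via `getSamlDocument()`) before returning the holder. Two points matter for anyone wiring this in: a rewrite that touches signed content invalidates the XML signature, so the hook must either run only after signature verification has succeeded or leave signed subtrees alone, and it must never be a reason to relax signature checking; and the flattening is lossy, so the attribute mapper on the brokering side has to agree on the encoding (here "Name=value" pairs) to recover the address fields.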