Extension to SamlAuthenticationPreprocessor to process SAML-Response from brokered IDP BEFORE Parsing

Skip to first unread message


Oct 18, 2021, 6:48:32 AMOct 18
to Keycloak Dev
We are still having the issue reported in
and handled in

because the SAML Reponse from the brokered IDP in our case has the format

<saml2:Attribute Name="Unternehmensanschrift"> <saml2:AttributeValue xmlns:ekona="http://www.elster.de/schema/ekona/saml/extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ekona:AdresseType"> <ekona:Typ>Inland</ekona:Typ> <ekona:Strasse>Zillestraße</ekona:Strasse> <ekona:Hausnummer>99</ekona:Hausnummer> <ekona:PLZ>10585</ekona:PLZ> <ekona:Ort>Berlin</ekona:Ort> <ekona:Ortsteil>Charlottenburg</ekona:Ortsteil> <ekona:Land>DE</ekona:Land> </saml2:AttributeValue> </saml2:Attribute>

and the Keycloak-Parser (still) throws an Exception here.

I appreciate the idea of hmlnarik (Hynek) to introduce custom parsers, but cannot provide the implementation of it (mostly due to lack of skills I'm afraid).

In the meantime I suggest extending SamlAuthenticationPreprocessor previously introduced by Gideon Caranzo (https://github.com/keycloak/keycloak/pull/6044) by one more Method, that jumps in AFTER the login returns from the external IDP but BEFORE the SAML-Response ist parsed, so it would be possible for us to manipulate the XML.

I would introduce the following code in class SAMLEndpoint in method handleLoginResponse in the beginning:

            if (holder != null) {
                for(Iterator<SamlAuthenticationPreprocessor> it = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(session); it.hasNext();) {
                    holder = it.next().beforeParsingLoginResponse(holder, responseType, session, config);

and the corresponding Preprocessor in Interface SamlAuthenticationPreprocessor:

     * Called before a login response is parsed.
    default SAMLDocumentHolder beforeParsingLoginResponse(SAMLDocumentHolder holder, ResponseType responseType, 
            KeycloakSession session, SAMLIdentityProviderConfig config) {
        return holder;

Would that be acceptable by the community? Then I would open a PR for this.


Tobias Häfner

Oct 19, 2021, 2:11:43 AMOct 19
to Keycloak Dev
We have the same problem and are also interested in finding a solution.
Reply all
Reply to author
0 new messages