I’m planning to connect my SP (OIDC) client to a SAML IDP through Keycloak SAML Broker.
I have zero control over the SAML IDP, but full control over Keycloak/the broker and the SP/OIDC client.
My problem is:
#1 The SAML IDP is fully trusted for my use case, but it responds with a token carried in the Subject of the SAML response (inside the saml2:NameID, which is persistent) and also in another attribute/claim (same token).
#2 The token should be sent back in the response to the OIDC client, then the client should POST it to a different API to finally get the actual user attributes.
I have no interest in creating/importing the IDP users into the broker/Keycloak; however, to store the IDP token carried in the SAML response, I thought of mapping the attribute/claim (which carries the token) to a user attribute, then removing the user entries regularly from my Keycloak user storage. This works fine, but:
#3 Obviously it doesn’t make sense to store the whole token in Keycloak’s MySQL column USERNAME in the USER_ENTITY table (SAML NameID == identity_provider_identity). So I had another idea: generate a shorter username from that token, store the user and the token as a user attribute, then the client would get the token by POSTing to the Keycloak Userinfo endpoint.
#4 I need to skip the login (user/pass) step in the 1st Broker Login flow, but I’m not good at Java, and have tried my best to understand the Custom Authenticator implementation with no luck – couldn’t find any guides or so.
My ultimate goal is for SAML token to reach the OIDC client.
I assume my problems (#3 & #4) would require a custom Authentication SPI/flow, but I’m open to any suggestion indeed.
Looking forward to your kind help.
Regards,
-Bobby