Keycloak and SAML RequestedAuthnContext


valerie bauche

Mar 26, 2024, 11:51:52 AM3/26/24
to Keycloak User
Hi,

I'm using Keycloak 22 and I configured an external SAML Identity provider.
For this IDP I was able to configure a requested AuthnContext Constraint so that the SAML request to this IDP is sent with
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

The external IDP replies with an assertion containing :
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>

So it's not correct: the AuthnContext is not the requested one.
Keycloak should refuse this assertion but it accepts it without any problem...

Is it a bug? Why should we configure a requested AuthnContext Constraint if it's not verified?

Is there another way to request an authentication level from an external SAML IDP?

Thanks!
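The check the post expects, written out as an added example. This is not Keycloak code and not code from the poster: it takes the RequestedAuthnContext that was sent (Comparison="exact", MobileTwoFactorContract) and a minimal constructed assertion shaped like the reply in the post, and decides whether the asserted AuthnContextClassRef satisfies the request. The sample XML, the helper names and the (ok, reason) return shape are all assumptions made for the example. Only Comparison="exact" is decided; "minimum", "better" and "maximum" need an ordering of context classes that the SAML core spec leaves to the deployment, so the example refuses them rather than guessing. In a real broker this must run on the assertion after its XML signature has been verified, and untrusted XML should be parsed with defusedxml rather than the stdlib parser used here so the block runs offline.

```python
# Added example (not Keycloak's or the poster's code): verify that the
# AuthnContextClassRef an IdP asserts satisfies the RequestedAuthnContext
# we sent. Stdlib ElementTree is used so this runs stand-alone; for real
# IdP responses parse with defusedxml and only after signature verification.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed sample: the RequestedAuthnContext from the post's AuthnRequest.
REQUESTED = f"""<samlp:RequestedAuthnContext xmlns:samlp="{SAMLP}"
    xmlns:saml="{SAML}" Comparison="exact">
  <saml:AuthnContextClassRef>{AC}MobileTwoFactorContract</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>"""


def assertion_with(class_ref):
    """Constructed minimal assertion (no Signature, Subject or Conditions):
    just enough to exercise the AuthnContext check, not a full SAML response."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2024-03-26T11:00:00Z">
  <saml:AuthnStatement AuthnInstant="2024-03-26T11:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def requested_classes(requested_xml):
    """Return (Comparison, [class refs]) from a RequestedAuthnContext element."""
    root = ET.fromstring(requested_xml)
    comparison = root.get("Comparison", "exact")  # SAML default is "exact"
    refs = [e.text.strip() for e in root.findall("saml:AuthnContextClassRef", NS)]
    return comparison, refs


def asserted_classes(assertion_xml):
    """Return every AuthnContextClassRef carried by the assertion's AuthnStatements."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, NS)]


def authn_context_satisfied(requested_xml, assertion_xml):
    """Return (ok, reason). ok is True only when every AuthnStatement in the
    assertion carries one of the requested classes. Only Comparison="exact"
    is decided here: minimum/better/maximum require a class ordering that
    SAML core leaves to the deployment, so they are refused, not guessed."""
    comparison, wanted = requested_classes(requested_xml)
    got = asserted_classes(assertion_xml)
    if not wanted:
        return True, "no AuthnContext requested"
    if comparison != "exact":
        return False, f"Comparison={comparison!r} needs a class ordering; refusing"
    if not got:
        return False, "assertion carries no AuthnContextClassRef"
    unmatched = [c for c in got if c not in wanted]
    if unmatched:
        return False, f"asserted {unmatched} not in requested {wanted}"
    return True, f"asserted {got} matches requested"


if __name__ == "__main__":
    # The reply from the post (unspecified) is rejected; a matching one passes.
    for ref in (AC + "unspecified", AC + "MobileTwoFactorContract"):
        ok, why = authn_context_satisfied(REQUESTED, assertion_with(ref))
        print("ACCEPT" if ok else "REJECT", why)
```

Run as-is it rejects the "unspecified" assertion from the post and accepts one carrying MobileTwoFactorContract. A broker that enforces this should fail the login at this point, before mapping the federated identity to a local session; an assertion with no AuthnStatement at all is also rejected, since "nothing asserted" must not satisfy a stated requirement.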