keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0
22.08k stars, 6.59k forks

Add customized AuthnContextClassRef for SAML client #11721

Open alexwang-rh opened 2 years ago

alexwang-rh commented 2 years ago

Description

Add a configurable attribute to be included in the SAML response for a specific SAML client. We need RH-SSO to act as IDP to interact with a Microsoft ADFS as broker to its relying party, which requires AuthnContextClassRef to be explicitly passed. The requirement is, for a SAML client which has enabled "Include AuthnStatement", to add a text box to enter a fixed value, to be included in the SAML response in the `<saml:AuthnContextClassRef>` element.

Discussion

No response

Motivation

No response

Details

No response

nxadm commented 2 years ago

The exact same requirement is needed when Keycloak is a broker for a Shibboleth IDP (e.g. to enforce MFA).

darius-m commented 1 year ago

If multi-factor authentication is required and Microsoft AD expects the identity provider (Keycloak) to perform the multi-factor authentication step, the browser gets stuck in a redirect loop - Microsoft requests multiple authentication, but because Keycloak answers using an unspecified authentication context class, Microsoft requests user authentication from the IdP again and the flow is repeated a few times, until Microsoft gives up and simply reports that authentication had failed.

This issue can be somewhat easily reproduced if federated login is configured - if the user has configured a second factor in Microsoft, the security-info endpoint in their account console seems to always require MFA; when accessing this endpoint, the browser will remain stuck in a redirect loop between Microsoft and Keycloak.

From a quick look at the code, it appears that the unspecified claim is always used in the SAML protocol's authenticated method. The fix that uses a fixed class / string, as mentioned above, may fix the issue, but may not be flexible enough, in case more than just one context should be set depending on the authentication mechanisms used (e.g., if step-up authentication for SAML is implemented, as mentioned in #10155).

@hmlnarik @mhajas could you take a look at this? Redirect loops without obvious errors are hard to debug, and the SP may be in the right to think that more than one redirect could be required, e.g., if something like step-up authentication is implemented.
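To confirm the mismatch described in the comment above from captured messages, the following script is an added example (not code from Keycloak, ADFS, or this issue). It pulls the SP's `RequestedAuthnContext` out of an AuthnRequest, pulls every `AuthnContextClassRef` out of the IdP's Response, and reports whether an "exact" request is satisfied; it then shows what the requested per-client setting would change by substituting a fixed class for the hard-coded "unspecified" one. The AuthnRequest and Response are constructed samples, and the MFA class URI `urn:example:ac:classes:mfa` is a placeholder, not any real SP's value.

```python
"""Diagnose an AuthnContextClassRef mismatch between a SAML AuthnRequest and a Response.

Added example for the Keycloak issue thread; the SAML messages below are constructed,
not captured from any deployment.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Placeholder for the SP's MFA context class; a real SP publishes its own URI.
MFA_CLASS = "urn:example:ac:classes:mfa"

# Constructed request: the SP demands an exact match on its MFA class.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req-1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.invalid</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{MFA_CLASS}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed response in the shape the thread describes: the IdP answers with
# "unspecified" regardless of what the SP asked for.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp-1" Version="2.0" IssueInstant="2023-01-01T00:00:01Z" InResponseTo="_req-1">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2023-01-01T00:00:01Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2023-01-01T00:00:01Z" SessionIndex="_s-1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{UNSPECIFIED}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

CLASS_REF_PATH = "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"


def requested_context(authn_request_xml):
    """Return (comparison, [class refs]) from RequestedAuthnContext, or (None, []) if absent."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")  # SAML Core defaults Comparison to "exact"
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return comparison, refs


def asserted_contexts(response_xml):
    """Return every AuthnContextClassRef found in the response's AuthnStatements."""
    root = ET.fromstring(response_xml)
    return [e.text.strip() for e in root.findall(CLASS_REF_PATH, NS) if e.text]


def context_satisfied(comparison, requested, asserted):
    """Decide whether the asserted classes satisfy the request.

    Only "exact" is decided here. "minimum", "better" and "maximum" need an SP-defined
    strength ordering of classes that SAML does not standardise, so they are refused
    rather than guessed.
    """
    if not requested:
        return True  # the SP expressed no requirement
    if comparison != "exact":
        raise ValueError(f"Comparison={comparison!r} needs an SP-specific class ordering")
    return any(ref in requested for ref in asserted)


def diagnose(request_xml, response_xml):
    """Return "ok" or a one-line explanation of why the SP will re-request authentication."""
    comparison, requested = requested_context(request_xml)
    asserted = asserted_contexts(response_xml)
    if context_satisfied(comparison, requested, asserted):
        return "ok"
    return (f"mismatch: SP requested {requested} ({comparison}), "
            f"IdP asserted {asserted or 'no class'}; expect the SP to redirect back to the IdP")


def set_authn_context_class(response_xml, class_ref):
    """Replace every AuthnContextClassRef with a fixed value.

    Models the per-client text box the issue asks for. Done on a finished document
    here for illustration; in an IdP it has to happen before the assertion is signed.
    """
    root = ET.fromstring(response_xml)
    for e in root.findall(CLASS_REF_PATH, NS):
        e.text = class_ref
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(diagnose(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(diagnose(SAMPLE_REQUEST, set_authn_context_class(SAMPLE_RESPONSE, MFA_CLASS)))
```

Run against real traffic, the request and response would be the base64-decoded (and, for redirect binding, inflated) SAMLRequest and SAMLResponse parameters taken from a browser trace of the loop; a "mismatch" result on every round trip is the signature of the behaviour reported in this thread.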

menardorama commented 1 year ago

Hi, this is also an issue, for example, when having an external MFA like Cisco Duo on Keycloak. We are having all of our users secured using an additional provider on Duo and need a specific SAML client to answer a valid AuthnContext.

I hope that this will be solved soon :-)

joeri-jansen commented 1 year ago

Same issue with Gitlab that requires 2FA. This is a real blocker for us to migrate to a single 2FA token, which is enforced by Keycloak instead of separate 2nd factors in all applications. I assume it isn't that hard to set/extract if 2FA is used from the AuthenticationSessionModel and/or UserSessionModel...

techmikal commented 3 months ago

+1 for this