Open alexwang-rh opened 2 years ago
The exact same requirement is needed when Keycloak is a broker for a Shibboleth IDP (e.g. to enforce MFA).
If multi-factor authentication is required and Microsoft AD expects the identity provider (Keycloak) to perform the multi-factor authentication step, the browser gets stuck in a redirect loop - Microsoft requests multiple authentication, but because Keycloak answers using an unspecified authentication context class, Microsoft requests user authentication from the IdP again and the flow is repeated a few times, until Microsoft gives up and simply reports that authentication had failed.
This issue can be somewhat easily reproduced if federated login is configured - if the user has configured a second factor in Microsoft, the security-info endpoint in their account console seems to always require MFA; when accessing this endpoint, the browser will remain stuck in a redirect loop between Microsoft and Keycloak.
From a quick look at the code, it appears that the unspecified claim is always used in the SAML protocol's authenticated method. The fix that uses a fixed class / string, as mentioned above may fix the issue, but may not be flexible enough, in case more than just one context should be set depending on the authentication mechanisms used (e.g., step-up authentication for SAML is implemented, as mentioned in #10155).
@hmlnarik @mhajas could you take a look at this? Redirect loops without obvious errors are hard to debug, and the SP may be in the right to think that more than one redirect could be required, e.g., if something like step-up authentication is implemented.
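The loop described in the comments above, modelled as an added example (not code from this thread or from Keycloak): the SP's AuthnRequest carries a RequestedAuthnContext, the IdP's Response carries an AuthnStatement, and the SP re-issues the same request until the asserted AuthnContextClassRef satisfies what it asked for, or gives up. The two XML messages are constructed samples; the host names, IDs and the strength ranking used for the non-"exact" comparisons are assumptions (SAML leaves that ordering to the SP), while the class URIs themselves are the standard SAML "unspecified"/"PasswordProtectedTransport" values and the ADFS MFA class.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
AC_PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
AC_MS_MFA = "http://schemas.microsoft.com/claims/multipleauthn"  # class ADFS uses for MFA

# Constructed sample: an SP (ADFS-style) demanding MFA with Comparison="exact".
# Host names and IDs are assumptions for illustration.
SP_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_q1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://keycloak.example.test/realms/demo/protocol/saml">
  <saml:Issuer>https://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed sample: a minimal IdP Response whose AuthnStatement carries the class {cls}.
IDP_RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://keycloak.example.test/realms/demo</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://keycloak.example.test/realms/demo</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_s1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{cls}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_response(authn_context_class):
    """Produce an IdP Response asserting exactly one AuthnContextClassRef."""
    return IDP_RESPONSE_TEMPLATE.format(cls=authn_context_class)


def requested_context(authn_request_xml):
    """Return (Comparison, [class URIs]) from the SP's RequestedAuthnContext, or (None, []) if absent."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")  # SAML default when the attribute is omitted
    classes = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return comparison, classes


def asserted_contexts(response_xml):
    """Return every AuthnContextClassRef found in the Response's AuthnStatements."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, NS)]


def context_satisfied(comparison, requested, asserted):
    """Decide, as the SP would, whether the asserted classes meet the requested ones."""
    if not requested:  # SP placed no constraint: any authentication is acceptable
        return True
    # "unspecified" says nothing about how the user authenticated, so it cannot
    # satisfy a concrete requirement; this is what drives the redirect loop.
    if AC_UNSPECIFIED in asserted and AC_UNSPECIFIED not in requested:
        return False
    if comparison == "exact":
        return any(a in requested for a in asserted)
    # Assumed strength ranking for minimum/better/maximum; real SPs define their own.
    rank = {AC_UNSPECIFIED: 0, AC_PASSWORD_PROTECTED: 1, AC_MS_MFA: 2}
    strength = lambda c: rank.get(c, -1)
    best = max((strength(a) for a in asserted), default=-1)
    wanted = [strength(r) for r in requested]
    if comparison == "minimum":
        return best >= min(wanted)
    if comparison == "better":
        return best > max(wanted)
    if comparison == "maximum":
        return 0 <= best <= max(wanted)
    raise ValueError(f"unknown Comparison value: {comparison}")


def simulate_sp_idp_exchange(idp_class, max_rounds=3):
    """Replay the loop from the report: the SP re-sends the same AuthnRequest until the
    IdP's AuthnStatement satisfies it, or reports failure after max_rounds attempts."""
    comparison, wanted = requested_context(SP_AUTHN_REQUEST)
    for round_no in range(1, max_rounds + 1):
        response = build_response(idp_class)
        if context_satisfied(comparison, wanted, asserted_contexts(response)):
            return ("authenticated", round_no)
    return ("failed", max_rounds)


if __name__ == "__main__":
    print("IdP answers unspecified:", simulate_sp_idp_exchange(AC_UNSPECIFIED))
    print("IdP answers MFA class:  ", simulate_sp_idp_exchange(AC_MS_MFA))
```

With the IdP fixed to "unspecified" the simulation never authenticates and the SP gives up after the configured number of rounds, which is the symptom reported above; returning the class the SP asked for succeeds on the first round. The same check is a useful first step when debugging such a loop in practice: decode the AuthnRequest and the Response from a SAML tracer and compare RequestedAuthnContext with the AuthnStatement before looking anywhere else.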
Hi, this is also an issue, for example, when having an external MFA like Cisco Duo on Keycloak. We are having all of our users secured using an additional provider on Duo and need a specific SAML client to answer with a valid AuthnContext.
I hope that this will be solved soon :-)
Same issue with Gitlab that requires 2FA. This is a real blocker for us to migrate to a single 2FA token, which is enforced by Keycloak instead of separate 2nd factors in all applications. I assume it isn't that hard to set/extract if 2FA is used from the AuthenticationSessionModel and/or UserSessionModel...
+1 for this
Description
Add a configurable attribute to be included in the SAML response for a specific SAML client. We need RH-SSO to act as IDP to interact with a Microsoft ADFS as broker to its relying party, which requires AuthnContextClassRef to be explicitly passed. The requirement is, for a SAML client which has enabled "Include AuthnStatement", to add a text box to enter a fixed value, to be included in the <saml:AuthnContextClassRef> element of the SAML response.