Step-up authentication for SAML clients #10155
Comments
Added to Keycloak 18, but can be postponed to later.
Hi, here is an extra link for integration between webauthn and saml from FIDO alliance. It provides an example of how the SAML client can request a specific authentication level or authentication method: https://fidoalliance.org/integrating-fido-and-federation-protocols/ What would be useful from my point of view would be the ability to somehow establish a link between an authentication flow outcome and some OID Acr_values / SAML authncontextclassref
Hi, is there any news on this issue? This is the fragment of the SAML2 response:
Hi there, A client of ours is working with Azure, and we have to disable security We have no idea how long this will be possible, so we would be much more Question is: can we expect this issue to be resolved in a near future? and how
Description
We may need to have support for SAML clients on the server side, so that a SAML client has a way to send a SAML request to the Keycloak server and request step-up authentication. Support in SAML adapters is not a priority right now.
The SAML specification has some possibility to request ACR levels by the `<RequestedAuthnContext>` parameter in the SAML authentication request. More is described in the design: https://github.com/keycloak/keycloak-community/blob/main/design/multi-factor-admin-and-step-up.md#saml .
Hynek mentioned in the discussion #10120 : `<saml:AuthnContextClassRef>` element takes anyURI, so e.g. `urn:keycloak:loa:FOO` or `urn:keycloak:acr:BAR` would be allowed values. Perhaps this would enable aligning OIDC and SAML implementation step-up-authentication-wise?
A few more older JIRAs for reference:
https://issues.redhat.com/browse/KEYCLOAK-15205 Add customized AuthnContextClassRef for SAML client
https://issues.redhat.com/browse/KEYCLOAK-5224 Fill in saml2p:AuthnRequest section
https://issues.redhat.com/browse/KEYCLOAK-17788 Support setting AuthnContextClassRef in SAML response to SP
Discussion
No response
Motivation
No response
Details
No response
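The request side described in the issue, as an added example that is not part of the issue or of Keycloak's code: it reads `<RequestedAuthnContext>` from an AuthnRequest and decides whether the current session level is enough. The URI-to-level table, the `urn:keycloak:loa:N` values, the function names and the sample request are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed URI -> level table; the urn:keycloak:loa:N values are constructed
# after the urn:keycloak:loa:FOO pattern and are not Keycloak identifiers.
LOA = {"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
       "urn:keycloak:loa:1": 1,
       "urn:keycloak:loa:2": 2}

# Constructed sample AuthnRequest (unsigned, trimmed to the relevant elements).
SAMPLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0">
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:keycloak:loa:2</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def requested_context(xml_text):
    """Return (comparison, [class-ref URIs]) or None when the element is absent."""
    rac = ET.fromstring(xml_text).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return rac.get("Comparison", "exact"), refs   # "exact" is the schema default

def decide(xml_text, session_level):
    """Map a request onto ('reuse' | 'authenticate' | 'NoAuthnContext', level)."""
    ctx = requested_context(xml_text)
    if ctx is None:
        return ("reuse", session_level)           # the SP expressed no requirement
    comparison, refs = ctx
    wanted = sorted({LOA[r] for r in refs if r in LOA})  # unknown URIs are never guessed
    if comparison == "exact":
        ok = wanted
    elif comparison == "minimum":
        ok = [l for l in sorted(set(LOA.values())) if wanted and l >= wanted[0]]
    else:
        ok = []                                   # 'better'/'maximum' are not modelled here
    if not ok:
        return ("NoAuthnContext", None)           # fail closed instead of downgrading
    if session_level in ok:
        return ("reuse", session_level)
    higher = [l for l in ok if l > session_level]
    return ("authenticate", higher[0] if higher else ok[0])
```

Whatever the IdP decides, the SP should still check the `AuthnContextClassRef` in the assertion it receives, since an unsigned request can be altered in transit.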