
Step-up authentication for SAML clients #10155

Open
mposolda opened this issue Feb 11, 2022 · 4 comments
Labels
kind/feature Categorizes a PR related to a new feature team/core-iam team/rh-iam
Milestone

Comments

@mposolda
Contributor

mposolda commented Feb 11, 2022

Description

We may need to have support for SAML clients on the server side, so that a SAML client has a way to send a SAML request to the Keycloak server and request step-up authentication. Support in SAML adapters is not a priority right now.

The SAML specification has some possibility to request ACR levels by the <RequestedAuthnContext> parameter in the SAML authentication request. More is described in the design https://github.com/keycloak/keycloak-community/blob/main/design/multi-factor-admin-and-step-up.md#saml .

Hynek mentioned in the discussion #10120: the <saml:AuthnContextClassRef> element takes an anyURI, so e.g. urn:keycloak:loa:FOO or urn:keycloak:acr:BAR would be allowed values. Perhaps this would enable aligning the OIDC and SAML implementations step-up-authentication-wise?

A few more older JIRAs for reference:
https://issues.redhat.com/browse/KEYCLOAK-15205 Add customized AuthnContextClassRef for SAML client
https://issues.redhat.com/browse/KEYCLOAK-5224 Fill in saml2p:AuthnRequest section
https://issues.redhat.com/browse/KEYCLOAK-17788 Support setting AuthnContextClassRef in SAML response to SP

Discussion

No response

Motivation

No response

Details

No response

@mposolda mposolda added the kind/feature Categorizes a PR related to a new feature label Feb 11, 2022
@mposolda mposolda added this to the 18.0.0 milestone Mar 16, 2022
@mposolda
Contributor Author

Added to Keycloak 18, but can be postponed to later.

@stianst stianst modified the milestones: 18.0.0, 19.0.0 Mar 30, 2022
@mposolda mposolda modified the milestones: 19.0.0, 20.0.0 Jul 22, 2022
@cbontemps

cbontemps commented Sep 2, 2022

Hi, here is an extra link for integration between WebAuthn and SAML from the FIDO Alliance. It provides an example of how the SAML client can request a specific authentication level or authentication method: https://fidoalliance.org/integrating-fido-and-federation-protocols/

What would be useful from my point of view would be the ability to somehow establish a link between an authentication flow outcome and some OIDC acr_values / SAML AuthnContextClassRef.

@luandrea

Hi, is there any news on this issue?
We need to integrate Keycloak as IdP using SAML, but we are struggling with the saml:AuthnContextClassRef parameter, which Keycloak doesn't handle correctly, because we get an unspecified value in the SAML2 response.

This is the fragment of the SAML2 response:

<saml:AuthnStatement AuthnInstant="2023-06-19T13:50:31.193Z"
                     SessionIndex="c37b5009-af35-4bfa-869d-46204d3d468d::08e69059-cbab-4202-96a7-d464643ebe06"
                     SessionNotOnOrAfter="2023-06-19T23:50:31.193Z">
    <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
</saml:AuthnStatement>
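As an added example (not Keycloak code and not from any commenter in this thread), the two SP-side pieces this issue is about in Python: building the <samlp:RequestedAuthnContext> the first post refers to, and checking a response fragment like the one above against what was requested, so that a step-up request answered with the "unspecified" class is rejected rather than silently accepted. The urn:keycloak:loa:* values follow the naming suggested earlier in the thread, and the sample response wrapper is constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def requested_authn_context_xml(class_refs, comparison="exact"):
    """Serialize the <samlp:RequestedAuthnContext> an SP embeds in its
    AuthnRequest to ask the IdP for one of the given ACR class URIs."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison=comparison)
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(rac, encoding="unicode")


def authn_context_class_refs(response_xml):
    """Collect every AuthnContextClassRef asserted in the response."""
    root = ET.fromstring(response_xml)
    return [e.text.strip() for e in root.iter(f"{{{SAML}}}AuthnContextClassRef") if e.text]


def satisfies_requested(response_xml, requested):
    """SP-side check for Comparison="exact": every asserted class must be one
    of the requested ones, and 'unspecified' never satisfies a step-up request."""
    refs = authn_context_class_refs(response_xml)
    return bool(refs) and all(r in requested and r != UNSPECIFIED for r in refs)


def sample_response(class_ref):
    """Constructed assertion fragment modelled on the one quoted in this issue
    (the SessionIndex value is a placeholder)."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML}">'
        '<saml:AuthnStatement AuthnInstant="2023-06-19T13:50:31.193Z" '
        'SessionIndex="SESSION-INDEX-PLACEHOLDER">'
        f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
        "</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    wanted = ["urn:keycloak:loa:2"]
    print(requested_authn_context_xml(wanted))
    for ref in (UNSPECIFIED, "urn:keycloak:loa:1", "urn:keycloak:loa:2"):
        print(ref, "->", "accept" if satisfies_requested(sample_response(ref), wanted) else "reject")
```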

@stianst stianst modified the milestones: 22.0.0, 23.0.0 Jun 28, 2023
@mposolda mposolda modified the milestones: 23.0.0, 24.0.0 Oct 26, 2023
@stianst stianst modified the milestones: 24.0.0, 26.0.0 Feb 7, 2024
@cdevienne
Contributor

Hi there,

A client of ours is working with Azure, and we have to disable security defaults because of AuthnContextClassRef not being supported by Keycloak (see https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults).

We have no idea how long this will be possible, so we would be much more comfortable not relying on it in the long run.

The question is: can we expect this issue to be resolved in the near future? And how can we help speed things up?

6 participants