
I'm doing SAML authentication with the Keycloak adapter and I need to use SAML2 extensions in the AuthnRequest message. Is this possible?

My IdP provides localized login pages. A language code can be supplied with a SAML2 extension in the AuthnRequest.

Everything works fine if I use the default language (no extensions).

My IdP also allows defining the set of valid languages in the service provider metadata. I only need to support three languages, so one workaround would be to register a different service provider for every language. I could define the language in the SP metadata and have three separate URLs in my service for the authentication.

I use Wildfly 10.

Any thoughts?

O. K.
  • I ran the code with a debugger and it seems that the AuthnRequest message builder (SAML2AuthnRequestBuilder) supports extensions, but there is no way to configure them. Extensions can be set on the builder object, but that feature is not used. – O. K. Jan 13 '17 at 15:34

1 Answer


Turns out you can extend org.keycloak.broker.saml.SAMLIdentityProvider and override performLogin() and add extensions with SAML2AuthnRequestBuilder.addExtension(). Follow the examples at: https://github.com/keycloak/keycloak/tree/master/examples/providers for deployment considerations and exact implementation.

Radu
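Added example (not code from the question, the answer, or the Keycloak project) showing the builder mechanism the answer refers to: a `NodeGenerator` that writes one extension element, attached with `SAML2AuthnRequestBuilder.addExtension()`. The extension namespace and element name are placeholders, since the IdP's extension schema is not given here, and the three-language allowlist is assumed from the question; wiring this into an overridden `performLogin()` still means rebuilding the request the way the parent class does.

```java
import java.util.Set;
import javax.xml.stream.XMLStreamWriter;
import org.keycloak.saml.SAML2AuthnRequestBuilder;
import org.keycloak.saml.SamlProtocolExtensionsAwareBuilder;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.common.util.StaxUtil;
import org.w3c.dom.Document;

/** Emits one child of <samlp:Extensions> carrying the requested login language. */
public class LanguageExtension implements SamlProtocolExtensionsAwareBuilder.NodeGenerator {
    // Placeholder namespace/element: replace with what the IdP actually documents.
    private static final String NS = "urn:example:idp:extensions";
    private static final String PREFIX = "ext";
    // Assumed allowlist (the question mentions three supported languages); the code
    // is never taken verbatim from a request parameter, so nothing untrusted is serialized.
    private static final Set<String> ALLOWED = Set.of("en", "de", "fi");

    private final String languageCode;

    public LanguageExtension(String languageCode) {
        if (!ALLOWED.contains(languageCode)) {
            throw new IllegalArgumentException("unsupported language: " + languageCode);
        }
        this.languageCode = languageCode;
    }

    @Override
    public void write(XMLStreamWriter writer) throws ProcessingException {
        // Produces <ext:Language xmlns:ext="...">de</ext:Language> inside <samlp:Extensions>
        StaxUtil.writeStartElement(writer, PREFIX, "Language", NS);
        StaxUtil.writeNameSpace(writer, PREFIX, NS);
        StaxUtil.writeCharacters(writer, languageCode);
        StaxUtil.writeEndElement(writer);
        StaxUtil.flush(writer);
    }

    /** Builds an AuthnRequest that carries the extension; URLs are constructed sample values. */
    public static Document buildAuthnRequest(String languageCode) throws Exception {
        SAML2AuthnRequestBuilder builder = new SAML2AuthnRequestBuilder()
                .issuer("https://sp.example.test/saml")
                .destination("https://idp.example.test/sso")
                .assertionConsumerUrl("https://sp.example.test/saml/acs")
                .addExtension(new LanguageExtension(languageCode));
        // Inspect the DOM (or sign it as the parent class does) to confirm the
        // <samlp:Extensions> block is present before the request is sent.
        return builder.toDocument();
    }
}
```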