Keycloak / KEYCLOAK-4374

Support SAML 2.0 AttributeValue AnyType


      Description

      Hi,

      Keycloak does not support Identity Brokering with a SAML 2.0 identity provider which may or may not return attribute values with complex content (AnyType, with or without specifying the xsi:type of the Element inside the AttributeValue).

      Example AttributeValue (AnyType):

          <saml2:Attribute Name="attr:notype:element" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              <Name xml:lang="nl" xmlns="urn:be:fgov:complextype:v1">Hospitaal x</Name>
            </saml2:AttributeValue>
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              <Name xml:lang="fr" xmlns="urn:be:fgov:complextype:v1">hopital x</Name>
            </saml2:AttributeValue>
          </saml2:Attribute>

      Keycloak throws an exception when it receives such an AttributeValue in the Assertion of an Identity Provider, even if it won't do anything with that Attribute.

      That's not very friendly.
      It would be better to give a warning and just skip the AttributeValue so it doesn't block the whole process.
      Even better would be to actually support complex values, as defined in the SAML 2.0 specs.
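      The three behaviours discussed in this report (reject the assertion, warn and skip the value, or keep the complex content) side by side, as an added illustration that is not Keycloak's own parser code. It uses Python's standard ElementTree on a constructed AttributeStatement fragment built from the report's example; the attribute name "mail" and the dict layout of kept values are assumptions for the example.

```python
import logging
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
log = logging.getLogger("saml.attributes")

# Constructed sample: one plain string value, plus the complex (AnyType)
# values from the report, which carry no xsi:type on the AttributeValue.
SAMPLE = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Attribute Name="mail">
    <saml2:AttributeValue xsi:type="xs:string">alice@example.org</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="attr:notype:element" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>
      <Name xml:lang="nl" xmlns="urn:be:fgov:complextype:v1">Hospitaal x</Name>
    </saml2:AttributeValue>
    <saml2:AttributeValue>
      <Name xml:lang="fr" xmlns="urn:be:fgov:complextype:v1">hopital x</Name>
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def attribute_values(attr, on_complex="skip"):
    """Values of one saml2:Attribute. A value holding child elements is AnyType
    content; on_complex is "raise" (reject the whole assertion, the behaviour
    reported), "skip" (warn and drop only that value) or "keep" (return it)."""
    values = []
    for av in attr.findall(f"{{{SAML2}}}AttributeValue"):
        children = list(av)
        if not children:  # simple content: just the text node
            values.append((av.text or "").strip())
        elif on_complex == "raise":
            raise ValueError(f"complex AttributeValue in {attr.get('Name')}")
        elif on_complex == "skip":
            log.warning("skipping complex AttributeValue in %s", attr.get("Name"))
        else:  # keep: one structured entry per child element
            values.extend({"tag": c.tag, "lang": c.get(XML_LANG),
                           "text": (c.text or "").strip()} for c in children)
    return values


def parse_attributes(xml_text, on_complex="skip"):
    """Map attribute Name -> list of values for every Attribute in the fragment."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): attribute_values(a, on_complex)
            for a in root.iter(f"{{{SAML2}}}Attribute")}
```

With the default "skip" mode the "mail" value survives while the two complex values are logged and dropped, so brokering can continue; "keep" returns each Name element with its xml:lang and text.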

People

  Assignee: Peter Škopek (pskopek)
  Reporter: Frederik Libert (frederik.libert)
  Tester: Michal Hajas