Access SAML assertion values in post-broker-login-flow authenticator

Hi,

My KC setup authenticates the users by SAML brokering, via a standard Shibboleth IdP. In the post-broker-login flow I have a JS-based authenticator to process some of the user’s attributes. A requirement now is to read some special assertion values provided by the SAML IdP. The problem is that the values are not delivered as normal user attributes, but in the <AuthnStatement> <AuthnContextClassRef> part of the SAML response. So there are no IdP attribute mappers we can use to extract the values and import them as normal KC user attributes.

I tried for hours with the mapped-in objects like AuthenticationFlowContext or AuthenticationSessionModel, as described in the Server Developer Guide, but with no luck. I can read client notes, realm info and the user’s whole profile/attributes, but nothing that leads to the brokered identity context…

Any ideas?