Hi,
My KC setup authenticates the users by SAML brokering, via a standard Shibboleth IdP. In the post-broker-login flow I have a JS-based authenticator to process some of the user’s attributes. A requirement is now to read some special assertion values provided by the SAML IdP. The problem is, the values are not delivered as normal user attributes, but in the <AuthnStatement> <AuthnContextClassRef> part of the SAML response. So there are no IdP attribute mappers we can use to extract the values and import them as normal KC user attributes.
I tried for hours with the mapped-in objects like AuthenticationFlowContext or AuthenticationSessionModel as described here (Server Developer Guide), but with no luck. I can read client notes, realm info and the user’s whole profile/attributes, but nothing which leads to the brokered identity context…
Any ideas?