You can implement your own IdentityProvider and IdentityProviderFactory. In your case, you can just extend (or copy) the org.keycloak.broker.saml.SAMLIdentityProvider.
In your case, you’ll want to implement IdentityProviderFactory and put that in your services folder (or use the AutoService annotation, as I did in the example above, which does it for you).
Also, if you’re just making a few changes to the SAMLIdentityProviderFactory, why not just extend that class and override the methods you need to?
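To make the registration step concrete, here is an added example (not code from the thread or from the Keycloak project) of a factory that extends the built-in `SAMLIdentityProviderFactory` under a second provider ID and hands out a subclass of `SAMLIdentityProvider`. `@AutoService` generates the `META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory` entry at compile time, which is the file you would otherwise write by hand in the services folder. The package, class names and the `custom-saml` ID are assumptions; the `SAMLIdentityProvider` constructor taking a `DestinationValidator` and the `knownProtocols` lookup match recent Keycloak versions but should be checked against the version you build against, since both have changed over time.

```java
package com.example.keycloak.broker; // assumed package name

import com.google.auto.service.AutoService;
import org.keycloak.Config;
import org.keycloak.broker.provider.IdentityProviderFactory;
import org.keycloak.broker.saml.SAMLIdentityProvider;
import org.keycloak.broker.saml.SAMLIdentityProviderConfig;
import org.keycloak.broker.saml.SAMLIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.saml.validators.DestinationValidator;

/**
 * A second SAML broker type that lives next to the built-in "saml" one.
 * Keycloak discovers it through the IdentityProviderFactory service entry
 * that @AutoService writes into the jar, so no hand-written
 * META-INF/services file is needed.
 */
@AutoService(IdentityProviderFactory.class)
public class CustomSamlIdentityProviderFactory extends SAMLIdentityProviderFactory {

    // Must differ from the built-in "saml" id, otherwise the two factories collide.
    public static final String PROVIDER_ID = "custom-saml"; // assumed id

    // Kept locally because the parent's validator field is private.
    private DestinationValidator destinationValidator;

    @Override
    public void init(Config.Scope config) {
        super.init(config);
        // Same construction the built-in factory uses for the "knownProtocols"
        // setting (assumed; verify against your Keycloak version).
        destinationValidator = DestinationValidator.forProtocolMap(config.getArray("knownProtocols"));
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getName() {
        return "Custom SAML v2.0"; // label shown in the admin console's provider list
    }

    @Override
    public SAMLIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
        return new CustomSamlIdentityProvider(session, new SAMLIdentityProviderConfig(model), destinationValidator);
    }
}

/**
 * The provider itself. Everything not overridden here keeps the default
 * broker's behaviour, which is the point of extending rather than copying.
 */
class CustomSamlIdentityProvider extends SAMLIdentityProvider {

    CustomSamlIdentityProvider(KeycloakSession session, SAMLIdentityProviderConfig config,
                               DestinationValidator destinationValidator) {
        // Constructor shape assumed for recent Keycloak versions; older ones take (session, config) only.
        super(session, config, destinationValidator);
    }

    // Override only the methods whose behaviour must differ from the default broker.
    // Note that the Destination check on the incoming SAMLResponse is performed in
    // the broker's endpoint class (SAMLEndpoint), not in this provider class, so a
    // change to that check has to go through the callback() extension point.
}
```

Two things worth keeping in mind when you go this route. First, scope any relaxed validation to this provider ID only, so the stock `saml` broker in the same realm keeps its strict behaviour. Second, the Destination attribute is what binds a signed response to the endpoint it was issued for (SAML 2.0 Core requires it whenever the message is signed), so if the IdP omits it, a safer alternative to skipping the check is to accept a missing value only when the response signature validates and the assertion's audience matches, rather than dropping the comparison outright.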
If you have a better idea, I am completely open and very thankful for your input:
The IDP is not providing a Destination attribute in the SAMLResponse. Therefore I need to add it / disable the validation. We cannot change the IDP in any way.
The current approach is just copying the default SAML broker and adding customisations. The issue I have right now is that the module cannot get some core classes:
Maybe you can have another look.
Tested my “custom” SAML Broker Plugin locally in a comparable setup and it worked just as the default plugin.
Logfile:
11:24:58,926 INFO [saml.PGKSAMLIdentityProvider] (default task-2) authnRequest: ID_b6f63ad8-511d-4653-ac84-42d7418e59d5 OIDC-Liferay
11:24:59,014 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-2) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:24:59,034 WARN [org.keycloak.saml.common] (default task-2) XML External Entity switches are not supported. You may get XML injection vulnerabilities.
11:25:18,178 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:25:18,180 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:25:18,181 INFO [saml.PGKSAMLEndpoint] (default task-1) clientId: OIDC-Liferay, tabId: cg-8Rc-c024, code: vpC2Qd_fe0zN49GPZLV5pl6tNpe_H0dDsvfu0bdTmCA
11:25:18,206 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=GK, clientId=null, userId=null, ipAddress=194.158.158.201, error=invalid_code
11:34:17,692 INFO [saml.PGKSAMLIdentityProvider] (default task-2) authnRequest: ID_5d41c6df-0f0c-45a5-851a-1bd731b0bd95 OIDC-Liferay
11:34:17,694 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-2) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:35:25,968 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:35:25,969 WARN [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
11:35:25,969 INFO [saml.PGKSAMLEndpoint] (default task-1) clientId: OIDC-Liferay, tabId: wZq0Bu_uwCw, code: ZXv383hqmkeifpyvLTtNw-sbdCMADY8zqyO_ZYuMV9I
11:35:25,972 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=GK, clientId=null, userId=null, ipAddress=194.158.158.201, error=invalid_code
No, not really available.
I spent some time setting up a local test environment with one app, one IDP, one SP and used my custom broker. In this scenario everything worked.
I found out that the IDP is using an insecure connection to Keycloak, which caused Chrome to prevent creating the sessionAuthCookie.
Heavy debugging it was.
Thanks!