Is there a way to get hold of the AuthenticatingAuthority in the AuthnContext from a SAML assertion via a mapper or similar? I need it to know which IdP was used for logging in when later wanting to sign a document using the same IdP. I am using a federated set of IdPs, which is handled outside Keycloak since it only has brokering.
Thanks for the suggestion, but that was my first thought as well. But I have only found the two attributes identity_provider and identity_provider_identity mentioned in session notes (maybe there are more?). The identity_provider only contains the broker's id, not the entityID of the upstream IdP. Or maybe I can get the proxy to provide it as an attribute as well as in the AuthnContext, as a workaround … but then I still cannot provide it in the session note, only as a user attribute based on a mapper.
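
For reference, where the value discussed above sits in the assertion (an added example, not part of the original posts and not Keycloak code): in SAML 2.0, `AuthenticatingAuthority` is a child of `AuthnStatement/AuthnContext` and names authorities other than the assertion's `Issuer`. The entity IDs and the sample assertion are constructed, and the function name `upstream_idps` is hypothetical; the sketch assumes the assertion's signature has already been validated.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: an assertion issued by a proxy that names the
# upstream IdP it relied on. All URLs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://proxy.example.org/saml</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>
        https://idp.example.edu/idp
      </saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def upstream_idps(xml_text):
    """Return (issuer, [authenticating authorities]) for the first assertion.

    Accepts either a bare Assertion or a document that wraps one (for
    example a samlp:Response). An empty list means the issuer did not name
    any other authority, so the issuer itself is the only known IdP.
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML_NS}}}Assertion":
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    path = "saml:AuthnStatement/saml:AuthnContext/saml:AuthenticatingAuthority"
    authorities = []
    for element in assertion.findall(path, NS):
        value = (element.text or "").strip()  # tolerate pretty-printed XML
        if value and value not in authorities:  # keep order, drop repeats
            authorities.append(value)
    return issuer, authorities


if __name__ == "__main__":
    print(upstream_idps(SAMPLE_ASSERTION))
```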