Getting hold of the AuthenticatingAuthority

Hi,

is there a way to get hold of the AuthenticatingAuthority in the AuthnContext from a SAML Assertion via a mapper or similar? I need it to know which IdP was used for logging in when later wanting to sign a document using the same IdP. I am using a federated set of IdPs, which is handled outside Keycloak since it only has brokering.

Current setup is:

Client->(Prot OIDC)->Keycloak (16/17)->(Prot SAML/Brokering)->Proxy (Shibboleth)->Federated IdP:s

The response from the SAML Proxy contains this, for example:

    <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        <saml2:AuthenticatingAuthority>https://samltest.id/saml/idp</saml2:AuthenticatingAuthority>
    </saml2:AuthnContext>

So, is it possible to get hold of this, or does anyone have a different idea that gives me the same thing?

Thanks,

Tomas

Did you try session note?

Thanks for the suggestion, but that was my first thought as well. But I have only found the two attributes identity_provider and identity_provider_identity mentioned in session notes (maybe there are more?). The identity_provider only contains the broker's id, not the entityid of the upstream IdP. Or maybe I can get the proxy to provide it as an attribute as well as in the AuthnContext, as a workaround … but then I still cannot provide it in the session note, only as a user attribute based on a mapper.
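As an added illustration (not code from this thread, and not Keycloak's own mapper or session-note API), the snippet below shows what such a mapper would have to do with the assertion the proxy sends: read the AuthnContext, collect every AuthenticatingAuthority in order (the SAML schema allows zero or more, one per proxy hop), and keep the value only if it is on an explicit allowlist of upstream IdP entityIDs. The allowlist matters because the proxy asserts this element, so it should only be relied on after the assertion signature has been verified, which the broker does before any mapper runs. The sample assertion, its issuer URL and the helper names are constructed for the example; the AuthnContext values are the ones quoted in the question.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace, as used by the saml2: prefix in the question.
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

# Constructed sample: a minimal, unsigned assertion fragment shaped like the
# proxy response in the question. Only the AuthnStatement matters here.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-id" Version="2.0" IssueInstant="2022-01-01T00:00:00Z">
  <saml2:Issuer>https://proxy.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:AuthnStatement AuthnInstant="2022-01-01T00:00:00Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      <saml2:AuthenticatingAuthority>https://samltest.id/saml/idp</saml2:AuthenticatingAuthority>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>"""


def _text(elem):
    """Return the stripped text of an element, or None if the element is absent."""
    if elem is None or elem.text is None:
        return None
    return elem.text.strip()


def extract_authn_context(assertion_xml: str) -> dict:
    """Pull the issuer, the AuthnContextClassRef and all AuthenticatingAuthority
    values (in document order) out of a SAML 2.0 assertion.

    Note: this is run on XML the broker has already signature-checked; for
    untrusted input use a hardened parser (e.g. defusedxml) instead of the
    stdlib ElementTree.
    """
    root = ET.fromstring(assertion_xml)
    authn_context = root.find(".//saml2:AuthnStatement/saml2:AuthnContext", NS)
    if authn_context is None:
        # No AuthnStatement at all: nothing to report about how the user logged in.
        return {"issuer": _text(root.find("saml2:Issuer", NS)),
                "authn_context_class_ref": None,
                "authenticating_authorities": []}
    authorities = [
        _text(a) for a in authn_context.findall("saml2:AuthenticatingAuthority", NS)
    ]
    return {
        "issuer": _text(root.find("saml2:Issuer", NS)),
        "authn_context_class_ref": _text(
            authn_context.find("saml2:AuthnContextClassRef", NS)),
        # Drop empty elements; keep order, since each proxy hop appends its own.
        "authenticating_authorities": [a for a in authorities if a],
    }


def select_upstream_idp(info: dict, trusted_entity_ids: set) -> str:
    """Choose the upstream IdP entityID to remember for the later signing step.

    Only allowlisted entityIDs are accepted, and exactly one must match: an
    unknown or ambiguous value is an error rather than something to store.
    """
    matches = [a for a in info["authenticating_authorities"] if a in trusted_entity_ids]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one known upstream IdP in AuthenticatingAuthority, "
            f"got {matches!r} from {info['authenticating_authorities']!r}")
    return matches[0]


if __name__ == "__main__":
    # Constructed allowlist of federation IdPs this deployment knows how to sign with.
    TRUSTED_IDPS = {"https://samltest.id/saml/idp"}
    ctx = extract_authn_context(SAMPLE_ASSERTION)
    print("issuer (proxy):", ctx["issuer"])
    print("class ref     :", ctx["authn_context_class_ref"])
    print("upstream IdP  :", select_upstream_idp(ctx, TRUSTED_IDPS))
```

The important distinction the thread turns on is visible in the output: the Issuer is the proxy (the thing Keycloak's broker knows about), while the upstream IdP only appears in AuthenticatingAuthority, so a mapper that stores it has to read that element rather than the issuer or the broker alias.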