Getting hold of the AuthenticatingAuthority


Is there a way to get hold of the AuthenticatingAuthority in the AuthnContext from a SAML Assertion via a mapper or similar? I need it to know which IdP was used for logging in when later wanting to sign a document using the same IdP. I am using a federated set of IdPs, which is handled outside Keycloak since it only has brokering.

Current setup is:

Client->(Prot OIDC)->Keycloak (16/17)->(Prot SAML/Brokering)->Proxy (Shibboleth)->Federated IdPs

The response from the SAML Proxy contains this, for example:


So, is it possible to get hold of this, or does anyone have a different idea that gives me the same thing?



Did you try session note?

Thanks for the suggestion, but that was my first thought as well. But I have only found the two attributes identity_provider and identity_provider_identity mentioned in session notes (maybe there are more?). The identity_provider only contains the broker's id, not the entityID of the upstream IdP. Or maybe I can get the proxy to provide it as an attribute as well as in the AuthnContext, as a workaround … but then I still cannot provide it in the session note, only as a user attribute based on a mapper.
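
For reference, the element discussed in this thread sits at Assertion/AuthnStatement/AuthnContext/AuthenticatingAuthority in a SAML 2.0 assertion. The following Python is an added example, not part of the original posts and not Keycloak code: it reads that element from a constructed assertion and selects the upstream IdP against an allowlist. The entity IDs, `KNOWN_IDPS` and the function names are assumptions, and it assumes the broker has already validated the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample (placeholder entity IDs), not the response from the thread.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2022-03-01T10:00:00Z">
  <saml:Issuer>https://proxy.example.org/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2022-03-01T09:59:58Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://idp.university-a.example/entity</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Hypothetical allowlist of federation IdPs the signing flow may be sent to.
KNOWN_IDPS = {"https://idp.university-a.example/entity",
              "https://idp.university-b.example/entity"}

PATH = "saml:AuthnStatement/saml:AuthnContext/saml:AuthenticatingAuthority"

def authenticating_authorities(assertion_xml):
    """Return (issuer, [authority entity IDs]) from one SAML 2.0 assertion.

    Assumes the broker has already validated the assertion's signature;
    values from an unvalidated assertion must not be trusted.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML:
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    authorities = []
    for el in root.findall(PATH, NS):
        value = (el.text or "").strip()
        if value and value not in authorities:  # element may repeat
            authorities.append(value)
    return issuer, authorities

def upstream_idp(assertion_xml, known_idps=KNOWN_IDPS):
    """Pick the single allowlisted upstream IdP, or None if absent or ambiguous."""
    _, authorities = authenticating_authorities(assertion_xml)
    known = [a for a in authorities if a in known_idps]
    return known[0] if len(known) == 1 else None
```

The issuer returned here is the proxy, which is why it cannot stand in for the upstream IdP; an assertion with no AuthenticatingAuthority yields an empty list and `upstream_idp` returns `None`.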