Keycloak and SAML authncontext

Hi

I’m using Keycloak 22 and I need to define external SAML identity providers.
I managed to create an identity provider in the Keycloak console and it works.
Now I want to require a specific authentication context, so I use the option “Requested AuthnContext Constraints” in the IDP configuration.
Now Keycloak sends a SAML request with
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
This is correct.
But the IDP responds with an assertion containing
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>

The AuthnContext is not the one we requested, so Keycloak should refuse the assertion, but it doesn’t! Why?
Is it a bug or am I missing something?

Is there another way to force an authentication level with SAML in a federation context?

Thanks!
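
The check the post expects, as an added example that is not part of the original post and is not Keycloak's code: a service-provider-side comparison of the assertion's AuthnContextClassRef against an `exact` RequestedAuthnContext. The function names and the sample XML are constructed for illustration, and the handling of several AuthnStatement elements is an assumed policy.

```python
# Added example: SP-side AuthnContext check. Run it only on an assertion
# whose signature has already been validated.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

def requested_context(authn_request_xml):
    """Return (comparison, requested class refs) from an AuthnRequest."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, set()
    refs = {e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text}
    # SAML 2.0 core: Comparison defaults to "exact" when the attribute is absent.
    return rac.get("Comparison", "exact"), refs

def asserted_classes(assertion_xml):
    """Class refs declared by the assertion's AuthnStatement elements."""
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return {e.text.strip() for e in ET.fromstring(assertion_xml).findall(path, NS) if e.text}

def authn_context_satisfied(authn_request_xml, assertion_xml):
    """True only if the assertion meets an 'exact' RequestedAuthnContext."""
    comparison, wanted = requested_context(authn_request_xml)
    if not wanted:
        return True  # the request carried no constraint
    if comparison != "exact":
        raise ValueError("only Comparison='exact' is handled in this example")
    got = asserted_classes(assertion_xml)
    # Assumed policy: every asserted class must be one that was requested.
    return bool(got) and got <= wanted

# Constructed samples mirroring the exchange in the post (signatures omitted).
def _request(ref):
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s">'
            '<samlp:RequestedAuthnContext Comparison="exact">'
            '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>'
            '</samlp:RequestedAuthnContext></samlp:AuthnRequest>'
            % (NS["samlp"], NS["saml"], ref))

def _assertion(ref):
    return ('<saml:Assertion xmlns:saml="%s"><saml:AuthnStatement><saml:AuthnContext>'
            '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>'
            '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>' % (NS["saml"], ref))

REQUEST = _request(AC + "MobileTwoFactorContract")
WEAK = _assertion(AC + "unspecified")                  # what the IDP returned
STRONG = _assertion(AC + "MobileTwoFactorContract")    # what was requested
```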