Send Attributes of Alternate User In SAML Response?

Hi

I have an interesting use case I’m wondering if anyone could help advise me on :slight_smile:

What I would like to do is, during a SAML authentication, look up the attributes of an alternate user based on some data included in the HTTP request, and include claims based on this alternate user in the SAML response.

I have a scenario where users may have multiple employments within a single organisation, which results in multiple LDAP accounts being provisioned for them, each with different attributes such as department/team info, groups etc. Each account contains an attribute which references the ID of the other account associated with the same individual.

The simplest solution would be to just treat these as separate accounts, with separate credentials, and each time the user wishes to switch context to the other account they have to log out and log back in with the other account credentials.

However, I’m investigating if there is a way for these users to only authenticate against 1 LDAP account (so they only need to set up 1 set of credentials), yet be able to select which employee ID they want to act in the context of via an external system and pass that info into the Keycloak request via something like an HTTP header.

Keycloak would then read the value in the HTTP header during the SAML authentication and, instead of returning claims containing attributes of the user they authenticated as, it would return claims containing attributes of the user specified in the HTTP header (obviously appropriate validation would need to be included as well to avoid spoofing etc.).

Does anyone know whether this is possible? I’m assuming this is likely to need a lot of logic inside a custom AbstractSAMLProtocolMapper class, but I’m not sure if it’s possible to look up an alternate user’s details or switch the context to a different user?
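The shape such a mapper could take, written here as an added example (it is not code from the original post, and not part of Keycloak itself). It implements the SAMLAttributeStatementMapper SPI, reads a request header, and only switches to the alternate account when the authenticated LDAP account's own cross-reference attribute points at the requested employee ID, since the header itself is client-controlled and cannot be trusted on its own. The header name, the attribute names (employeeId, linkedEmployeeId), the config key, the provider ID and the package are all assumptions for the example; the Keycloak API calls assume a recent release (the RealmModel-first signatures on session.users()).

```java
package com.example.keycloak.saml; // hypothetical package

import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;

import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.saml.mappers.AbstractSAMLProtocolMapper;
import org.keycloak.protocol.saml.mappers.AttributeStatementHelper;
import org.keycloak.protocol.saml.mappers.SAMLAttributeStatementMapper;
import org.keycloak.provider.ProviderConfigProperty;

/** Emits one user attribute taken from the account the user is acting as. */
public class ActingEmploymentAttributeMapper extends AbstractSAMLProtocolMapper
        implements SAMLAttributeStatementMapper {

    public static final String PROVIDER_ID = "saml-acting-employment-attribute-mapper"; // assumed

    // Assumed names: the request header carrying the requested employee ID, the
    // per-account ID attribute, and the attribute that cross-references the other account.
    static final String HEADER = "X-Acting-Employee-Id";
    static final String EMPLOYEE_ID_ATTR = "employeeId";
    static final String LINKED_ID_ATTR = "linkedEmployeeId";
    static final String SOURCE_ATTR_CONFIG = "source.attribute";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(SOURCE_ATTR_CONFIG);
        p.setLabel("User Attribute");
        p.setHelpText("Attribute of the effective (acting) account to put in the assertion");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(p);
        AttributeStatementHelper.setConfigProperties(CONFIG); // SAML attribute name/format fields
    }

    @Override
    public void transformAttributeStatement(AttributeStatementType attributeStatement,
            ProtocolMapperModel mappingModel, KeycloakSession session,
            UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
        RealmModel realm = userSession.getRealm();
        UserModel authenticated = userSession.getUser();

        // Header from the request that is producing this SAML response.
        String requested = session.getContext().getRequestHeaders().getHeaderString(HEADER);
        UserModel effective = resolveEffectiveUser(session, realm, authenticated, requested);

        String attrName = mappingModel.getConfig().get(SOURCE_ATTR_CONFIG);
        String value = attrName == null ? null : effective.getFirstAttribute(attrName);
        if (value != null) {
            AttributeStatementHelper.addAttribute(attributeStatement, mappingModel, value);
        }
    }

    /**
     * Anti-spoofing rule: only switch accounts when the authenticated account's own
     * LDAP cross-reference names the requested ID AND the alternate account links back.
     * Anything else silently falls back to the authenticated account.
     */
    static UserModel resolveEffectiveUser(KeycloakSession session, RealmModel realm,
            UserModel authenticated, String requestedEmployeeId) {
        if (requestedEmployeeId == null || requestedEmployeeId.isBlank()) {
            return authenticated;
        }
        String ownId = authenticated.getFirstAttribute(EMPLOYEE_ID_ATTR);
        if (requestedEmployeeId.equals(ownId)) {
            return authenticated;
        }
        if (!requestedEmployeeId.equals(authenticated.getFirstAttribute(LINKED_ID_ATTR))) {
            return authenticated; // not one of this person's accounts
        }
        List<UserModel> matches = session.users()
                .searchForUserByUserAttributeStream(realm, EMPLOYEE_ID_ATTR, requestedEmployeeId)
                .collect(Collectors.toList());
        if (matches.size() != 1) {
            return authenticated; // ambiguous or missing: never guess
        }
        UserModel alternate = matches.get(0);
        boolean linksBack = Objects.equals(alternate.getFirstAttribute(LINKED_ID_ATTR), ownId);
        return linksBack ? alternate : authenticated;
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Acting Employment Attribute"; }
    @Override public String getDisplayCategory() { return AttributeStatementHelper.ATTRIBUTE_STATEMENT_CATEGORY; }
    @Override public String getHelpText() { return "Maps an attribute of the account selected via " + HEADER; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }
}
```

Two practical notes. The mapper is registered like any Keycloak provider, by listing the class in META-INF/services/org.keycloak.protocol.ProtocolMapper inside the deployed JAR. Reading the header inside the mapper only works if the header is present on the request that completes the login and builds the SAML response (for example, when a reverse proxy in front of Keycloak injects it on every request); if only the initial request carries it, the more reliable transport is a custom authenticator that stores the value as a user session note during the flow, with the mapper reading userSession.getNote(...) instead of the header. The lookup by attribute assumes the employee ID attribute is mapped and searchable through the LDAP user storage provider.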