Analysis
Summary
RFC 9565 introduce SAML SASL mechanism, where SASL server needs to wait and receive information (authentication-statement) from IdP. But this information is send from IdP out of SASL, by direct HTTP call to server. There is needed some connection between HTTP server and SASL serve for this purpose.
Requirements
- SAML SASL server need to receive information from IdP over independent HTTP call (and should wait for it passively)
General
Tracking Issues
Developer Resources
RFC 6595 - A SASL and GSS-API Mechanism for the SAML
KeycloakHttpServerAuthenticationMechanism - handle pure HTTP SAML
I suppose we can use SAML messages processing from KeyCloak adapter - this will ensure biggest part of SASL server work (authentication-request generating and authentication-statement validation). On client side there will have to be browser somehow integrated - to start on IdPs login page and to catch redirect out of IdP back to Resource Provider - but we can keep text callbacks for now for simplification.
To wait in SASL server we can use callback which will be handled by ServerAuthenticationContext - the handling will block until authentication-statement arrive.
But how to connect SASL server handling with HTTP request from IdP, which will arrive independently?
There is RelayState parameter - text passed into it by SASL server in authentication-request will be copied into the same parameter of authentication-statement when returning back. This can be used to pair SASL server instances and HTTP requests from SAML IdP together. But how to integrate it? Currently SASL server factories and HTTP are independent.
Developer Contacts
Jan Kalina - jkalina@redhat.com
Comments