Are you planning to migrate to current versions of keycloak?
There is already keycloak v 15.0.1, but the current code doesn't suite

The idea is to create a generic mapper capable of creating attributes from a javascript description. These mappers could then be used to create values from any value present in the context. Such a mapper may even be able to call an external API to get such information.

The idea is the following: create a mapper similar to the org.keycloak.protocol.saml.mappers.UserAttributeStatementMapper (or corresponding com.quest.keycloak.protocol.wsfed.mappers.SAMLUserAttributeStatementMapper), however in the transformAttribute evaluate a javascript code to obtain the attribute rather then obtaining it from a user's attributes.

Such a use of javascript in keycloak is already done, for example, for the Authorization module, with the javascript-based policy.

how i can build jar?

git clone [email protected]:cloudtrust/keycloak-wsfed.git
cd keycloak-wsfed
mvn clean install

[INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/io/cloudtrust/kc-cloudtrust-module/8.0.1/kc-cloudtrust-module-8.0.1.pom
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[FATAL] Non-resolvable parent POM for io.cloudtrust:keycloak-wsfed-parent:8.0.1: Could not find artifact io.cloudtrust:kc-cloudtrust-module:pom:8.0.1 in central (https://repo.maven.apache.org/maven2) and 'parent.relativePath' points at wrong local POM @ line 6, column 13
 @
[ERROR] The build could not read 1 project -> [Help 1]
[ERROR]
[ERROR]   The project io.cloudtrust:keycloak-wsfed-parent:8.0.1 (/private/tmp/keycloak-wsfed/pom.xml) has 1 error
[ERROR]     Non-resolvable parent POM for io.cloudtrust:keycloak-wsfed-parent:8.0.1: Could not find artifact io.cloudtrust:kc-cloudtrust-module:pom:8.0.1 in central (https://repo.maven.apache.org/maven2) and 'parent.relativePath' points at wrong local POM @ line 6, column 13 -> [Help 2]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/ProjectBuildingException
[ERROR] [Help 2] http://cwiki.apache.org/confluence/display/MAVEN/UnresolvableModelException

git clone [email protected]:cloudtrust/cloudtrust-parent.git
cd cloudtrust-parent
mvn clean install

Cloning into 'cloudtrust-parent'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 187 (delta 2), reused 7 (delta 1), pack-reused 175
Receiving objects: 100% (187/187), 52.50 KiB | 590.00 KiB/s, done.
Resolving deltas: 100% (46/46), done.
[INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/org/keycloak/keycloak-parent/8.0.1/keycloak-parent-8.0.1.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/keycloak/keycloak-parent/8.0.1/keycloak-parent-8.0.1.pom (75 kB at 85 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/keycloak/testsuite/integration-arquillian-tests/8.0.1/integration-arquillian-tests-8.0.1.pom
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[FATAL] Non-resolvable parent POM for io.cloudtrust:kc-cloudtrust-testsuite:8.0.1: Could not find artifact org.keycloak.testsuite:integration-arquillian-tests:pom:8.0.1 in central (https://repo.maven.apache.org/maven2) and 'parent.relativePath' points at no local POM @ line 5, column 13
 @
[ERROR] The build could not read 1 project -> [Help 1]
[ERROR]
[ERROR]   The project io.cloudtrust:kc-cloudtrust-testsuite:8.0.1 (/private/tmp/cloudtrust-parent/kc-cloudtrust-testsuite/pom.xml) has 1 error
[ERROR]     Non-resolvable parent POM for io.cloudtrust:kc-cloudtrust-testsuite:8.0.1: Could not find artifact org.keycloak.testsuite:integration-arquillian-tests:pom:8.0.1 in central (https://repo.maven.apache.org/maven2) and 'parent.relativePath' points at no local POM @ line 5, column 13 -> [Help 2]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/ProjectBuildingException
[ERROR] [Help 2] http://cwiki.apache.org/confluence/display/MAVEN/UnresolvableModelException

Change code to use Keycloak 4.0.0.Final libraries, and make sure that any resulting modifications are corrected.

This change should have a major change on the use of the themes (see #21)

When the WS-Fed module is used in the broker-mode of Keycloak, the signature of the assertion can be checked. When there is a mismatch of the key htat was used for signing and the key that is used to verify the signature, a weird "invalidFederatedIdentityActionMessage" is reported by Keycloak.

Currently, the WS-Fed module has only been tested with sharepoint 2013. It should also be tested at least with sharepoint 2016 and Microsoft's on premise CRM.

The results must be documented and in case of problems, new issues created.

The way Keycloak is chaining the WSFED logout requests when a user is connected to multiple WSFED clients can lead to the user not being disconnected from some of these clients.

Imagine the following scenario:

• a user is connected to 3 WSFED clients
• the user clicks on the logout link in Client1
• Client1 sends wa=signout1.0&wreply=LandingPage to Keycloak
• Keycloak sends (via browser redirect) wa=signoutcleanup1.0&wreply=keycloakurl to Client2
• Client 2 redirects the browser to Keycloak
• Keycloak sends (via browser redirect) wa=signoutcleanup1.0&wreply=keycloakurl to Client3
• Client 3 redirects the browser to Keycloak
• Keycloak redirects the browser to Client1 landing page

This is how things are supposed to work in a frontchannel logout scenario (exactly like for SAML but without the token)
The problem is that a few well known WSFED clients (namely Microsoft Sharepoint and Exchange OWA) won't make use of the wreply parameter when receiving a wa=signoutcleanup1.0 request. Keycloak will never get a chance to trigger a logout request directed at Client2 and Client3.
In the above scenario this means that after clicking the "logout" link in Client1, the user will still have a valid session in Client2 and Client3 and even worse, will have no clue about it.

A solution would be the following scenario:

• a user is connected to 3 WSFED clients
• the user clicks on the logout link in Client1
• Client1 sends wa=signout1.0&wreply=LandingPage to Keycloak
• Keycloak sends a response containing an iFrame pointing to Client2.logoutURL and an autoload form pointing to himself
• Keycloak sends a response containing an iFrame pointing to Client3.logoutURL and an autoload form pointing to himself
• Keycloak redirects the browser to Client1 landing page

This way the logout requests initiated by Keycloak are independent of the client behaviour.
Ideally, upon receiving a wa=signout1.0 request Keycloak could send a single response containing multiple iFrames pointing to the connected clients logout URLs in order to trigger all logouts in the same request (just like ADFS does) but that would require changes at Keycloak level.

I've implemented and tested this successfully with Sharepoint. I can submit a PR with both the current behavior and the iFrame logout as an alternative. Let me know

Currently the authorization module is only tested through unit tests. However, we must define functional tests that guarantee that the functional requirements have been met.

These test must first be written down for human execution, then automated.

Currently, the WS-Fed module does not support the encryption of SAML 2.0 tokens, even though this is supported for SAML clients. We should add this functionality for WS-Fed clients as well.

From the WS-Fed protocol:

All metadata documents SHOULD be verified to ensure that the issuer can speak for the specified endpoint and that the metadata is what the issuer intended

Currently the metadata document provided is not signed. The relevent information on how to sign a metadata document can be found in the Signature property section of the protocol, and the XSDs for the WS-Fed federation metadata and the SAML 2.0 metadata

Keycloak release version 8.0.1 has been released a few days ago. To keep the release schedule of keycloak-wsfed not too far behind the keycloak releases, it would be a good idea to migrate the module to KC 8.0.1. See #40

Currently, there is no documentation on how to setup a WS-Fed client or WS-Fed identity broker from within the GUI.

We must create this documentation, explaining the different fields and options. An example of setup with a sharepoint server should also be described.

Currently, the WS-Fed module has only been tested with SharePoint 2013. It should also be tested at least with exchange 2016-OWA.

I tried to do it for myself, but encountered 440 "Login Timeout" :

Can I get some help? Thanks so much!

Sorry wrong repo

The JWT tokens are currently handled by Keycloak clients, but not by identity brokers.

They should be supported in a similar manner as the SAML 2.0 and SAML 1.1 clients

Hi,

We would like to raise a question about the support for passing a login_hint to Keycloak via the keycloak wsfed implementation.

Let me discuss our setup and what we are trying to achieve.
We have an on premise Microsoft Active Directory Federation Services (ADFS). Some of our identities are stored in Azure B2C. Unfortunately there is no possibility to link ADFS directly with Azure B2C, therefore we have put Keycloak in between. We are aware that Microsoft is working on federating ADFS directly with Azure B2C, but it's still in private preview.

ADFS -> keycloak: keycloak is identity provider for ADFS, ADFS is defined as client on keycloak.
keycloak -> Azure B2C: Azure B2C is identity provider for keycloak.

We have customized the home realm detection on ADFS in order to dispatch the user to the correct identity provider, based upon their username. (e.g. internal employees to our Active Directory, other users to Azure B2C, ...)
In this case we are experiencing an issue impacting the end user experience, because we are unable to pass the username (via login_hint) from the ADFS home realm detection to Azure B2C login page. This causes end users to require entering their username twice. Once on the ADFS signin page (home real detection), and a 2nd time on the Azure B2C login page on which they land after being redirected from the ADFS HRD.

In a previous version of our setup Keycloak was federated with ADFS via SAML-P, but we got indications from Microsoft that it was not possible to pass a login_hint via SAML-P. Via wsfed it's possible to pass the login_hint from ADFS over WS federation.
In recent versions of keycloak it's also possible to pass the login_hint to the identity provider (Azure B2C) defined in Keycloak.

Unfortunately it seems that the login_hint is passed to keycloak but, is not processed. The login_hint is lost at the first wsfed request on keycloak.

Any advise on this topic?

• Request on ADFS containing login_hint
  

• 1st request on keycloak containing login_hint... but in subsequent requests the login_hint is lost
  

i don't believe this extension supports WS-Trust as well, does it?
I am seriously planning to use this extension for what it provides, Any idea what would be the effort to implement it in this extension itself?

Currently when logging out from a WS-Resource, keycloak will redirect directly to the client and add no wa parameter. However, from the specification in the appendix C.9, upon logout keycloak should send the wa=wsignoutcleanup1.0 parameter. However, as we cannot garenty will support this message, this should be optional

The WS-Fed module is currently functional, but no tests exist to ensure that the code is secure. The Section 16 of the Ws-Fed protocol describes the security considerations for the protocol.

The keycloak-wsfed code must be reviewed to ensure that those security concerns are met. In addition, other security concerns are raised throughout the document. These must also be considered and verified against the existing code.

All security considerations should also, if applicable, be formulated in forms of tests that can be unit or functionally tested.

Title says it all

Currently, the WS-Fed module uses the realm key for Signing SAML tokens. However, in a paper that presents a proof for WS-Fed being secure, one of the requirements is that the key used to sign WS-Fed messages is not used to sign messages from other protocols. To follow this recommendation, we should add an option to use a key specifically used by the client.

When the option is activated, it should generate a private-public key pair for the client (as in the SAML client), but keep the private key inaccessible (as for the realm key). It should have the option to regenerate a new private-public key pair, and to import a private-public key pair. Deactivating the option must not erase the key, just revert to using the realm key.

Sorry, we don't have a CI which publishes our components to a public repository. We only >have them in a private one.
Note that we are planning to migrate to Keycloak 10.x soon (and the 11.x when it will be >available)

Originally posted by @fperot74 in #43 (comment)

What is the status of this migration, any planned release date?

Hi!

When a WSFed client sends a signout request to keycloak and the user is connected to multiple WSFed clients, keycloak will send a backchannel logout request to all other connected clients. After reading the code, the URL used to perform the backchannel logout is the first URL found in the "Valid Redirect URIs" setting of the client. This is a bad idea because the order of the values in the "Valid Redirect URIs" list cannot be chosen/forced.

Is it possible to store the backchannel logout URL in a dedicated field or use an existing field like "Admin URL" ?
If not possible it should at least be mentioned in the "Valid Redirect URIs" tooltip that the first value of the list will also be used for backchannel logout purpose

Thanks
Regards

--
Joaquim

Currently, the WS-Fed module has only been tested with sharepoint 2013. It should also be tested at least with exchange 2013-OWA .

I tried to do it for myself , but encountered 440 "Login Timeout" :

ModuleName
ADFSFederationAuthModule
Notification
AUTHENTICATE_REQUEST
HttpStatus
440
HttpReason
Login Timeout
HttpSubStatus
0
ErrorCode
The operation completed successfully.
(0x0)
ConfigExceptionInfo

Can I get some help ? Thanks so much !

Change code to use Keycloak 3.4.2.Final libraries, and make sure that any resulting modifications are corrected.

Hi,

We wanted to check if the latest version of this plugin is support on Keycloak 7.0.1?

A 2005 study formally proves that WS-Fed is secure under certain conditions. One of the important conditions of that proof relies on the fact that the communication between the user and the WS Ressource is done over a secure channel. Currently, this can certainly be done, but should we ensure this by making the use of non-secure channels impossible (error message and refusal to save), or at least warn the user that without the secure channel the IDP and client are vulnerable?

Hi,
I have been finally able to work on integrating WS-Fed/SAML 1.1 related changes from my repo. One change I've been struggling to bring over are changes to the partials\client-detail.html and js\clients.js. I've made changes to these files to customize the appearance of the client settings page to expose WS-Fed related controls to the user, but the changes are not getting loaded. Before stepping through the code to figure out what the problem is, I figure I'd ask, perhaps someone had run into the same problem before.
Thanks!

Moving to the Client>Installation page for a WS-Fed Client will result in a clearly broken page with the template exposed instead of having a normal page from which the installation details may be obtained.

A workaround is available, as the necessary information can be obtain with the https://<address:port>/auth/realms/<Realm name>/protocol/<protocol type>/descriptor URL.

This should however be corrected so that the information can be obtained as for clients of the other protocols.

Hi Guys,

I set up my keycloak with wsfed and it seems to be working.
Although every time I restart keycloak and re-import the realm I will end-up with a different x509 cert for my wsfed clients.

Is there any way to import the x509 certificate for wsfed with the realm import? I realized it is not client specific as every client will have the same x509 certification in the installation tab.

Thanks

The in-code documentation is currently lacking. All classes should have a javadoc explaining what the class does, and what the method does. As keycloak code isn't well commented (to say the least), this module's javadoc should go a bit further than necessary to also somewhat explain the underlying keycloak classes being used.

The WS-Fed module is currently functional, but no tests exist to ensure that the code is secure. There have been known exploits against the WS-Fed protocol for which the implementation was incorrect.

A set of tests should be written and then translated into automatic tests (unit, functional), to be run against the keycloak-wsfed implementation.

Would be great to see this extension listed on the keycloak.org extensions page. To do that simply send a PR to https://github.com/keycloak/keycloak-web/tree/master/src/main/resources/extensions. You can find a template for the required json file here https://github.com/keycloak/keycloak-web/blob/master/src/main/resources/extension-template.json.

Currently modifications to the GUI uses the keycloak theme method. However, this might be unnecessary, by directly overwriting the keycloak theme, which could lead to a simpler deployment. This should be looked into and, might be a target for migration to keycloak 4, as the use of themes changes.

Currently the WS-Fed code is tested with Mockito for all data that would be coming from keycloak or the database. However, in the Keycloak project they use Arquillian to test their protocol functionalities. In order to bring our testing procedures closer to theirs, we should also use Arquillian.

The current tests should thus be replaced with tests showing the same functionalities, but using a "real" keycloak instance through Arquillian, rather than using mocks.

Sorry for this probably dumb question, but I'm not able to build the module using Maven. I tried to use:
mvn clean install -DskipTests -U

The problem is that Maven can not find the parent artifact of the pom:

    <parent>
        <groupId>org.keycloak.testsuite</groupId>
        <artifactId>integration-arquillian-tests</artifactId>
        <version>6.0.1</version>
    </parent>

I have configured the jboss-ga-repository, jboss-ga-plugin-repository, jboss-earlyaccess-repository, and jboss-earlyaccess-plugin-repository Maven repositories in my settings.xml. None of these repos contains that pom. I also searched the web for any other repo, but didn't find any repo containing that parent artifact.

How can I build your module? Maybe adding the description to the README would be good for others, too.

This can be tested with the following setup:

Client (WS-Fed)<---> Keycloak (Identity broker, WS-Fed) <---> Keycloak (Exernal IDP, WS-Fed)

With all elements set up correctly for Single Sign-on and logout, we can have a NullPointerException. The user is signed out of the external IDP, but neither from the identity broker nor its clients.

The cause of the NullPointerException must be verified and handled. The expected behaviour is that the user is signed out from the IDP and all of its clients.

The case should be tested with all combinations of Backchannel Logout and Handle Empty Action as wsignoutcleanup1.0 set to on/off.

I have problem running the current code as a module (at least not as easily as other example/small modules).

As it is within keycloak 2.5.5 Final

./bin/jboss-cli.sh --command="module add --name=com.quest.keycloak-wsfed --resources=./keycloak-wsfed-2.5.5.Final.jar --dependencies=org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.keycloak.keycloak-saml-core,org.keycloak.keycloak-services,org.picketlink.picketlink-federation,org.picketlink.picketlink-common,org.apache.commons.commons-lang3,org.jboss.resteasy.resteasy-jaxrs"

Adding the registration line to standalone.xml

<providers>
    <provider>module:com.quest.keycloak-wsfed</provider>
</providers>

Get this error

10:14:15,379 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:748)
	at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
	at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
	at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
	at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
	at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
	at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
	at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
	at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
	at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
	at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
	at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
	... 6 more
Caused by: java.lang.RuntimeException: org.jboss.modules.ModuleNotFoundException: com.quest.keycloak-wsfed:main
	at org.keycloak.provider.wildfly.ModuleProviderLoaderFactory.create(ModuleProviderLoaderFactory.java:44)
	at org.keycloak.provider.ProviderManager.<init>(ProviderManager.java:59)
	at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:74)
	at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:313)
	at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:110)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
	... 19 more
Caused by: org.jboss.modules.ModuleNotFoundException: com.quest.keycloak-wsfed:main
	at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:223)
	at org.keycloak.provider.wildfly.ModuleProviderLoaderFactory.create(ModuleProviderLoaderFactory.java:40)
	... 28 more

I've also tried by moving dependencies to 3.1.0.Final & fixing what was crashing at the compile time then

./bin/jboss-cli.sh --command="module add --name=com.quest.keycloak-wsfed --resources=./keycloak-wsfed-3.1.0.Final.jar --dependencies=org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.keycloak.keycloak-saml-core,org.keycloak.keycloak-services,org.picketlink.picketlink-federation,org.picketlink.picketlink-common,org.apache.commons.commons-lang3,org.jboss.resteasy.resteasy-jaxrs"

But I end with exactly the same error.

Scenario: we have an user that is logged in to several service providers (SPs).
We perform the logout on one SP. We would expect to see that Keycloak notifies the other SPs and performs the Single Sign-Out.
It looks like the logout is performed only on the SP where this operation was triggered.

I'm taking a shot in the dark here:
There is no such thing as "backchannel logout" in WSFED.
There simply can't be. Keycloak has zero knowledge of a client side session id and even if it had, the WSFED specs proposes no method to pass such an id to the client along with the wa=signoutcleanup1.0 request.
The only way to achieve a Keycloak initiated logout with a WSFED connected client is for Keycloak to ask the browser for a redirect. The browser will then send the logout request along with a client session cookie, enabling the client to close the session associated with the cookie.

Again, this is my understanding of the current implementation of the backchannel logout in keycloak-wsfed. I'd gladly hear anyone explain to me how things are supposed to work.

For the reference, here's the current keycloak wsfed code handling the backchannel logout in WSFedLoginProtocol.java:

URIBuilder builder = new URIBuilder(logoutUrl)
        .addParameter(WSFedConstants.WSFED_ACTION, WSFedConstants.WSFED_SIGNOUT_CLEANUP_ACTION)
        .addParameter(WSFedConstants.WSFED_REALM, client.getClientId());
HttpGet get = new HttpGet(builder.build());
HttpResponse response = httpClient.execute(get);

As you can see, no data related to the logged in user or to the client side session is passed along with the request.

The module has been updated to 4.8.3.Final, but client scopes have been changed a lot since keycloak 3.4.3.Final, and are now not fully supported. This must be changed before a release can be done for the module.

Where can we download jars for the new releases? Release page only have until version 3.4.3.
If we can not download, is there any build instructions to build the latest jars?

The getFirstName and getLastName methods are TODO in the SAML2RequestedToken, as is the getSessionIndex method in both classes.

Hi,

I just installing Keycloak 22.0.3 on Ubuntu 22.04 with OpenJDK 19 and Maven 3.9, and try to configure it with this extension. It seems this extension can't be build anymore. May I know, do you have any intention to upgrade this extension to support newer version of Keycloak?

Thank you.

The broker side of the code was tested with the following setup:

browser (requestor) <--> sharepoint (resource)<--> keycloak as identity broker <--> keycloak as IDP

This is actually a setup in the same pattern as in section 13.3 of the WS-Fed specification, which has the advantage of having expected messages to be described in appendix B of the same specification, allowing to compare what was going on.

However, I wasn't able to make the full example work. Going back to the section section 13.3 of the specification, at step 8 I'm getting a 302 instead of an POST (form) or an error page while using the "browser" first flow, and a nullpointer when using first broker login flow.