Description
When using the extended SAML broker with an IdP that returns an AttributeValue containing saml:EncryptedID, login fails during broker context serialization.
The parser and mapper path already handles this type:
- SAMLAttributeValueParser parses saml:EncryptedID into SamlEncryptedId
- UserAttributeMapper can decrypt it successfully (attribute.decrypt=true)
However, serialization later fails in BaseWriter.writeAttributeTypeWithoutRootTag(...) with the following error:
PL00084: Writer: Unsupported Attribute Value:nl.first8.keycloak.dom.saml.v2.assertion.SamlEncryptedId
This happens in the flow:
SAMLDataMarshaller.serialize -> SAMLAssertionWriter -> BaseWriter -> SerializedBrokeredIdentityContext.serialize
Observed behavior
- SAML response is accepted
- Mapper decrypts ActingSubjectID correctly
- Broker flow crashes before authentication completes due to the unsupported writer type
Expected behavior
SamlEncryptedId should be serializable as a valid SAML attribute value (or otherwise safely handled), so broker login can complete.
Proposed fix
Reintroduce the following code from git history:
```java
} else if (attributeValue instanceof SamlEncryptedId) {
    logger.debug("EncryptedID is not implemented yet.");
}
```
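To make the failure mode and the effect of the proposed branch concrete, here is an added stand-alone sketch (not code from Keycloak, first8, or this issue) of the writer's instanceof dispatch. `SamlEncryptedId` is a hypothetical stand-in class, and `writeAttributeValues` is a simplified model, not the real `writeAttributeTypeWithoutRootTag`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;

// Hypothetical stand-in for the first8 SamlEncryptedId type; the real class is not reproduced.
final class SamlEncryptedId {
    final String cipherText;
    SamlEncryptedId(String cipherText) { this.cipherText = cipherText; }
}

public class AttributeValueWriterDemo {
    private static final Logger logger = Logger.getLogger("AttributeValueWriterDemo");

    // Simplified model of the writer's instanceof dispatch. With restoreBranch=false it behaves
    // as reported: there is no SamlEncryptedId case, the fall-through throws, and the whole
    // brokered context fails to serialize. With restoreBranch=true it applies the proposed fix:
    // log at debug level and emit nothing, so the encrypted identifier is dropped from the output.
    static List<String> writeAttributeValues(List<Object> attributeValues, boolean restoreBranch) {
        List<String> out = new ArrayList<>();
        for (Object attributeValue : attributeValues) {
            if (attributeValue instanceof String) {
                out.add("<saml:AttributeValue>" + attributeValue + "</saml:AttributeValue>");
            } else if (restoreBranch && attributeValue instanceof SamlEncryptedId) {
                logger.fine("EncryptedID is not implemented yet.");
            } else {
                throw new IllegalArgumentException("PL00084: Writer: Unsupported Attribute Value:"
                        + attributeValue.getClass().getName());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: one plain string value and one encrypted identifier.
        List<Object> values = List.of("alice", new SamlEncryptedId("<constructed-ciphertext>"));
        try {
            writeAttributeValues(values, false);
        } catch (IllegalArgumentException e) {
            System.out.println("current writer: " + e.getMessage());
        }
        // Completes, but the encrypted identifier is absent from the serialized values.
        System.out.println("with restored branch: " + writeAttributeValues(values, true));
    }
}
```

The second run shows the trade-off of the "not implemented yet" branch: login can proceed because the writer no longer throws, but the serialized broker context carries only the values the writer knows how to emit, so anything relying on the EncryptedID being present after serialization would need the mapper's earlier decryption rather than this output.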
Additional context
There appears to have been partial support in earlier history, but it was never completed and later removed (possibly unintentionally). I can prepare a PR restoring the "not implemented yet" logger instead of throwing.