[keycloak-dev] Keycloak's SAML AuthnResponse uses wrong binding

John Dennis jdennis at redhat.com
Thu Apr 14 20:55:56 EDT 2016


I could use some help from your SAML developers because I'm seeing what 
appears to be incorrect behavior.

During testing with keycloak-1.9.0.Final a SAML AuthnRequest is sent 
using the HTTP-Redirect binding. The AuthnRequest specifies an 
AssertionConsumerServiceURL for the SP which has the HTTP-POST binding. 
When Keycloak responds with the Assertion in the SAMLResponse it 
incorrectly uses the HTTP-Redirect binding instead of the HTTP-POST 
binding (specified in both the AuthnRequest and the SP metadata). This 
causes a failure because the endpoint for the SP's 
AssertionConsumerServiceURL only expects HTTP-POST; the resulting error 
is an invalid HTTP method failure.

I also noticed that when I used the Web UI to examine the SP metadata 
(Installation tab of the realm client, selecting the "SAML Metadata 
SPSSODescriptor" format) that it did not match the SP metadata that had 
been loaded using the client registration service. Not only wasn't it 
the exact same metadata, but specifically it was missing several of the 
endpoints the SP declared in its metadata. Why isn't the metadata the 
same and why did Keycloak drop essential endpoint/binding information?

Thanks,

-- 
John
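As an added example (not code from this message or from Keycloak), the following Python shows the two checks the report implies: resolve the binding an IdP must use for its Response from the AuthnRequest's ProtocolBinding and AssertionConsumerServiceURL together with the SP metadata, flag a Response sent with a binding the ACS does not accept, and diff two metadata documents to list dropped endpoints. The SP metadata and AuthnRequest below are constructed sample documents, not the ones from the report.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata (not Keycloak's output): the ACS accepts HTTP-POST only.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService Binding="{POST}" Location="https://sp.example.test/saml/acs"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest (the document carried in the HTTP-Redirect query string).
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0"
    IssueInstant="2016-04-14T20:00:00Z" ProtocolBinding="{POST}"
    AssertionConsumerServiceURL="https://sp.example.test/saml/acs"/>"""

def acs_bindings(metadata_xml):
    """Map each AssertionConsumerService Location to the set of bindings it accepts."""
    acs = {}
    for e in ET.fromstring(metadata_xml).iter(f"{{{MD}}}AssertionConsumerService"):
        acs.setdefault(e.get("Location"), set()).add(e.get("Binding"))
    return acs

def declared_endpoints(metadata_xml):
    """All (element, Binding, Location) triples; diff two copies to spot dropped endpoints."""
    return {(e.tag.rpartition("}")[2], e.get("Binding"), e.get("Location"))
            for e in ET.fromstring(metadata_xml).iter() if e.get("Binding") and e.get("Location")}

def expected_response_binding(authn_request_xml, metadata_xml):
    """Binding the IdP must use for its Response: the request's ProtocolBinding,
    validated against what the SP metadata declares for the named ACS URL."""
    req = ET.fromstring(authn_request_xml)
    url, wanted = req.get("AssertionConsumerServiceURL"), req.get("ProtocolBinding")
    accepted = acs_bindings(metadata_xml).get(url)
    if accepted is None:  # never deliver an assertion to an endpoint the SP did not declare
        raise ValueError(f"ACS URL not declared in SP metadata: {url}")
    if wanted is None:  # request left it open: fall back to what the ACS declares
        wanted = POST if POST in accepted else sorted(accepted)[0]
    if wanted not in accepted:
        raise ValueError(f"ACS {url} does not accept binding {wanted}")
    return wanted

def response_binding_ok(used_binding, authn_request_xml, metadata_xml):
    """True when the binding the IdP actually used is one the SP's ACS can consume."""
    return used_binding == expected_response_binding(authn_request_xml, metadata_xml)
```

Run against the sample documents, a Response delivered over HTTP-Redirect is rejected while HTTP-POST is accepted, and removing the SingleLogoutService line from the metadata shows up as a dropped endpoint.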

