[keycloak-dev] Keycloak's SAML AuthnResponse uses wrong binding
John Dennis
jdennis at redhat.com
Sat Apr 16 10:46:51 EDT 2016
On 04/16/2016 10:01 AM, Bill Burke wrote:
> You can configure keycloak to always send a POST. That is the
> workaround right now.
Pedro said "Force Post Binding" was the default; it does not appear to
be. I had to manually enable "Force Post Binding" after registering the
SAML SP; when I did enable it I got correct behavior.
I wonder if the default value of "Force Post Binding" is somehow
dependent upon how the SP is created in KC; at the moment there are 2
different mechanisms (client registration service vs.
client-description-converter).
At a minimum registering a SAML SP should yield something that works
without needing to fiddle around with non-compliant workarounds. I
suspect this is something that will trip up many admins who already find
SAML difficult and obscure.
Since the only 2 possible AuthnRequest response bindings for WebSSO are
either POST or Artifact and KC does not support Artifact then why
doesn't KC simply do POST?
The point of the discussion was to come to agreement on what KC needs to
do to be a compliant SAML IdP so that it can interoperate with other
SAML implementations.
--
John
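A check an admin could run against an SP's metadata for the constraint John describes (WebSSO Response delivery limited to POST or Artifact), and the ACS selection an IdP that lacks Artifact support would have to make. This is an added example, not Keycloak's code; the function names and the sample SP metadata are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Bindings the Web Browser SSO profile allows for delivering a <Response> to the SP.
RESPONSE_BINDINGS = {POST, ARTIFACT}

# Constructed SP metadata: the default ACS advertises HTTP-Redirect, which is not a
# permitted Response binding, and a second ACS advertises HTTP-POST.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_endpoints(metadata_xml):
    """Return every AssertionConsumerService in the SP metadata as a dict."""
    root = ET.fromstring(metadata_xml)
    found = []
    for acs in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS):
        found.append({
            "index": int(acs.get("index")),
            "binding": acs.get("Binding"),
            "location": acs.get("Location"),
            "default": acs.get("isDefault") == "true",
        })
    return found


def noncompliant_acs(metadata_xml):
    """ACS endpoints whose binding the WebSSO profile does not allow for Responses."""
    return [e for e in acs_endpoints(metadata_xml) if e["binding"] not in RESPONSE_BINDINGS]


def select_response_acs(metadata_xml, artifact_supported=False):
    """Pick the ACS an IdP should deliver the Response to: only profile-compliant
    bindings the IdP actually implements, preferring the SP's default, else lowest index."""
    allowed = {POST} | ({ARTIFACT} if artifact_supported else set())
    candidates = [e for e in acs_endpoints(metadata_xml) if e["binding"] in allowed]
    if not candidates:
        return None  # nothing usable: the SP must be fixed, not worked around
    defaults = [e for e in candidates if e["default"]]
    return (defaults or sorted(candidates, key=lambda e: e["index"]))[0]
```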