[keycloak-dev] Full implementation of SAML artifact-binding for [JIRA KEYCLOAK-831]

Doswald Alistair alistair.doswald at elca.ch
Wed Nov 7 04:48:00 EST 2018


Hello,

The SAML client page has three new options for artifact binding: a slider to force artifact binding (for example if the client doesn't specify HTTP-Artifact in its authnrequest, but we still want artifact binding for that client), and two new fields in the Fine-grained SAML endpoint configuration: "Artifact binding URL" (for sending the artifact message) and "Artifact Resolution Service" (for sending an ArtifactResolve message).

Import will read the "ArtifactResolutionService" and "AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" and fill the two fields in the Fine-grained SAML endpoint configuration correctly.

For the metadata however, I see the problem. I have all the artifact-related metadata correctly at http://<host>:<port>/auth/realms/<realm>/protocol/saml/descriptor, but not in any of the formats on the installation page. At first I thought that it was just a problem on my part, but in fact only the POST endpoints are displayed in the "installation" metadata: Redirect and SOAP endpoints that are at http://<host>:<port>/auth/realms/<realm>/protocol/saml/descriptor are not in the "installation" metadata (any variant). Is this a more general bug? I am currently building from master.

Are there any other metadata sources aside from those two of which I am unaware? I'm not very familiar with the admin REST API, but looking at the overview in the documentation, I didn't find any other obvious way to get SAML metadata.

Best regards,

Alistair
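The discrepancy described above (Redirect, SOAP and artifact endpoints present at the realm descriptor URL but absent from the "installation" metadata) and the consistency concern John Dennis raises in the quoted message below can be checked mechanically. The following is an added example, not Keycloak code: it extracts every SAML endpoint element with its Binding and Location from two metadata documents and reports what the second one is missing. The two XML documents, the idp.example host and the /resolve path are constructed placeholders.

```python
"""Compare endpoint/binding sets between two SAML 2.0 metadata documents."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENDPOINT_TAGS = ("SingleSignOnService", "SingleLogoutService",
                 "ArtifactResolutionService", "AssertionConsumerService")

def endpoints(metadata_xml):
    """Return {(element, Binding, Location)} for every SAML endpoint element."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for tag in ENDPOINT_TAGS:
        for el in root.iter(f"{{{MD_NS}}}{tag}"):
            found.add((tag, el.get("Binding"), el.get("Location")))
    return found

def missing_endpoints(reference_xml, candidate_xml):
    """Endpoints present in reference but absent from candidate (sorted for stable output)."""
    return sorted(endpoints(reference_xml) - endpoints(candidate_xml))

# Constructed sample: what the realm descriptor endpoint advertises (host and paths are placeholders).
DESCRIPTOR = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example/auth/realms/demo/protocol/saml/resolve" index="0"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example/auth/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example/auth/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://idp.example/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: a second rendering of the same realm that only lists the POST endpoint.
INSTALLATION = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for tag, binding, location in missing_endpoints(DESCRIPTOR, INSTALLATION):
        print(f"missing: {tag} {binding} -> {location}")
```

Feeding the output of the descriptor URL and of each installation-tab variant into `missing_endpoints` gives an empty list only when every code path that generates metadata agrees.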

-----Original Message-----
From: John Dennis <jdennis at redhat.com> 
Sent: mardi 6 novembre 2018 14:54
To: Doswald Alistair <alistair.doswald at elca.ch>; keycloak-dev <keycloak-dev at lists.jboss.org>; Hynek Mlnarik <hmlnarik at redhat.com>
Subject: Re: [keycloak-dev] Full implementation of SAML artifact-binding for [JIRA KEYCLOAK-831]

On 11/6/18 6:59 AM, Doswald Alistair wrote:
> Hello,
> 
> A couple of weeks ago I submitted a partial implementation of artifact-binding (only AuthnRequests were handled) as a pull request, mostly to have some code review before I proceeded (though I didn't get any feedback).
> 
> Now I have fully implemented the artifact binding part of SAML. How should I proceed:

I can't comment on handling the pull request but I do want to make sure the "fully implemented" includes both generating and consuming SAML metadata with the newly introduced artifact bindings as well as the ability to specify the artifact binding in the SAML client page of the realm (probably under fine grained SAML endpoints). I believe there are multiple independent code locations that generate metadata (e.g. admin rest API vs. client installation tab in the admin console) so we'll want to make sure all code locations are updated. Historically we've had problems getting consistent metadata.


--
John Dennis


