[keycloak-user] Force POST setting in SAML??

John Dennis jdennis at redhat.com
Fri Aug 3 14:26:58 EDT 2018


On 08/03/2018 01:17 PM, Dmitry Telegin wrote:
> Hi Max,
> 
> Could you please attach that SP metadata file for both configurations? (scrubbing sensitive data, if any)
> 
> Also if you are on a purely testing (non-critical) environment, could you please capture the whole conversation into a HAR file and share it? (F12 > Network > right click, "Save as HAR with contents" or like that; don't forget to turn on Preserve logs)
> This might be super helpful to understand what's going on. Also make sure it doesn't expose anything sensitive.
> 
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
> 
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
> 
> On Thu, 2018-08-02 at 14:42 +0100, Max Allan wrote:
>> Hi,
>> I have a SAML SP that needs both POST and Redirect methods in the
>> sp_metadata file. (if redirect is missing then it fails to even startup the
>> app)
>>
>> A bit of fiddling and I noticed the "Force POST Binding" in the client
>> config. If I turn if OFF then both POST and Redirect lines appear in the
>> installation file. Nice.
>>
>> However, when the user tries to login, something (Keycloak I'm pretty sure)
>> gets things wildly wrong and the browser ends up at the SP's redirect URI
>> with the "SAMLRequest=...." in the URL.
>>
>> The SP doesn't know how to process that (that's for Keycloak). So it fails
>> to login.
>>
>> If I leave "Force POST" ON, then the sp_metadata needs a manual edit to
>> include the Redirect method. But at least the user can login.
>>
>> Can anyone explain what's going on? Why do I need to set it off to generate
>> the xml for the SP and then back on to actually work??

I wonder if there is some confusion. The statement "needs the method in 
the SP metadata" implies the AssertionConsumerService endpoints, which 
have a binding associated with them. But the redirect binding is never 
used for receiving assertions because of its limited size (everything 
is encoded in the URL). Typically with WebSSO the redirect is composed 
with the post binding. The SP sends the request to the IdP (e.g. 
keycloak) using the redirect binding and the IdP responds using post.

> I have a SAML SP that needs both POST and Redirect methods in the
> sp_metadata file.

This just sounds wrong.

-- 
John Dennis
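The binding asymmetry John describes (AuthnRequest over HTTP-Redirect, Response over HTTP-POST, and an AssertionConsumerService that should never advertise HTTP-Redirect) can be checked mechanically. The script below is an added example, not code from the thread or from Keycloak: it parses a constructed SP metadata document, flags any ACS endpoint that advertises the HTTP-Redirect binding (which the SAML 2.0 Web Browser SSO profile forbids for Responses), and shows the two encodings side by side, so the size cost of stuffing a message into a URL is visible. The entityID, the SP URLs and the IdP URL are placeholders, not values from Max's setup.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata for illustration; entityID and URLs are placeholders,
# not taken from the thread. Index 1 shows the problematic shape: an
# AssertionConsumerService advertising the HTTP-Redirect binding.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_endpoints(metadata_xml):
    """Return (index, binding, location) for every AssertionConsumerService."""
    root = ET.fromstring(metadata_xml)
    out = []
    for acs in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", MD_NS):
        out.append((int(acs.get("index")), acs.get("Binding"), acs.get("Location")))
    return out


def check_acs_bindings(metadata_xml):
    """Flag ACS endpoints whose binding the Web Browser SSO profile forbids for Responses."""
    findings = []
    for index, binding, location in acs_endpoints(metadata_xml):
        if binding == BINDING_REDIRECT:
            findings.append(
                f"ACS index {index} at {location} uses HTTP-Redirect; "
                "the Web Browser SSO profile forbids this binding for Responses"
            )
    return findings


def encode_redirect_binding(saml_xml, param="SAMLRequest"):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = compressor.compress(saml_xml.encode("utf-8")) + compressor.flush()
    return urllib.parse.urlencode({param: base64.b64encode(deflated).decode("ascii")})


def decode_redirect_binding(query, param="SAMLRequest"):
    """Reverse of encode_redirect_binding, as the receiving IdP would do it."""
    values = urllib.parse.parse_qs(query)
    return zlib.decompress(base64.b64decode(values[param][0]), -15).decode("utf-8")


def encode_post_binding(saml_xml):
    """HTTP-POST binding: plain base64 carried in a form field of a self-submitting page."""
    return base64.b64encode(saml_xml.encode("utf-8")).decode("ascii")


def decode_post_binding(field_value):
    """Reverse of encode_post_binding, as the receiving SP would do it."""
    return base64.b64decode(field_value).decode("utf-8")


if __name__ == "__main__":
    for finding in check_acs_bindings(SP_METADATA):
        print("WARN:", finding)
    # Minimal constructed AuthnRequest; a real one carries Issuer, timestamps and a signature.
    request = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
               'ID="_c1" Version="2.0"/>')
    # Placeholder IdP SSO URL (not a real Keycloak deployment).
    url = "https://idp.example.test/realms/demo/protocol/saml?" + encode_redirect_binding(request)
    print("Redirect binding URL length:", len(url))
    print("POST binding form field length:", len(encode_post_binding(request)))
```

Running `check_acs_bindings` against a metadata file before importing it into the IdP catches exactly the configuration the thread is circling: the ACS may legitimately list several POST endpoints, but a Redirect ACS will never receive a usable Response. The two encode/decode pairs make the direction of each binding explicit: the SP encodes a request for the redirect leg and the IdP decodes it; the IdP encodes a response for the POST leg and the SP decodes it.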

