[keycloak-user] IDPSSODescriptor only has SingleSignOnService for POST binding
Audun Røe
audunroe at gmail.com
Mon Mar 25 09:45:31 EDT 2019
Hello,
when obtaining KeyCloak SAML IDP metadata through the admin dashboard
(Client > Installation and selecting "SAML Metadata IDPSSODescriptor" from
the dropdown) the metadata only contains a SingleSignOnService for
HTTP-POST binding:
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
https://keycloak.example.com/auth/realms/example.com/protocol/saml" />
When instead getting metadata this through the following URL, it also has
HTTP-Redirect and SOAP endpoints:
https://keycloak.example.com/auth/realms/example.com/protocol/saml/descriptor
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="
https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml
"/>
Is there a reason for the discrepancy, or is it a bug? It's not really a
problem but our SP wants a HTTP-Redirect endpoint, so attempting to upload
the former metadata variant failed, while the latter works fine.
Regards,
Audun
More information about the keycloak-user
mailing list