[keycloak-user] IDPSSODescriptor only has SingleSignOnService for POST binding
John Dennis
jdennis at redhat.com
Mon Mar 25 10:24:38 EDT 2019
On 3/25/19 9:45 AM, Audun Røe wrote:
> Hello,
>
> when obtaining KeyCloak SAML IDP metadata through the admin dashboard
> (Client > Installation and selecting "SAML Metadata IDPSSODescriptor" from
> the dropdown) the metadata only contains a SingleSignOnService for
> HTTP-POST binding:
>
> <SingleSignOnService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
> https://keycloak.example.com/auth/realms/example.com/protocol/saml" />
>
>
> When instead getting metadata this through the following URL, it also has
> HTTP-Redirect and SOAP endpoints:
> https://keycloak.example.com/auth/realms/example.com/protocol/saml/descriptor
>
> <SingleSignOnService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
> https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
> <SingleSignOnService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="
> https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
> Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml
> "/>
>
> Is there a reason for the discrepancy, or is it a bug? It's not really a
> problem but our SP wants a HTTP-Redirect endpoint, so attempting to upload
> the former metadata variant failed, while the latter works fine.
Known issue and recently fixed, see
https://issues.jboss.org/browse/KEYCLOAK-8537
There was a very similar issue with SP logout metadata handling
described in this JIRA that was fixed just a day or two ago.
https://issues.jboss.org/browse/KEYCLOAK-8535
--
John Dennis
More information about the keycloak-user
mailing list