Re: [keycloak-user] Using OneLogin php-saml library with keycloak

Quoting from section "3.1.1 Use of RelayState" in the spec (https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindin...), "Namely, if a SAML request message is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact RelayState data it received with the request into the corresponding RelayState parameter in the response." which is not the case if keycloak is removing the forward slashes from the RelayState. So I think there should be a mechanism to escape the RelayState data and yet return the data to the Service Provider unmodified. On Thu, Jun 4, 2015 at 5:43 PM, pubudu gunawardena <pubudupg(a)gmail.com&gt; wrote: > After debugging found a possible cause for this. In line 305 of > SAML2BindingBuilder2 there is code as following > > escapeAttribute(relayState) > > which removes the forward slashes from the url. So I guess this is a bug? > > On Thu, Jun 4, 2015 at 5:14 PM, pubudu gunawardena <pubudupg(a)gmail.com&gt; wrote: >> Hi All, >> >> I am trying to use the OneLogin php-saml library[1] as a service >> provider that uses keycloak as a SAML identity provider. The >> "RelayState" parameter is sent properly form the SP to the IDP but in >> the response, the forward slashes are missing from the RelayState. >> For example in the post parameters of the authentication request, the >> RelayState shows "http://phpsaml/demo1/" but in the response from >> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml >> library to throw exceptions. I'm using keycloak 1.2.0.Final. >> >> How can I overcome this problem? >> >> >> [1]https://github.com/onelogin/php-saml >> >> -- >> Thanks, >> Pubudu > > > > -- > Thanks, > Pubudu