Hi,
We are also facing a similar issue in our infrastructure setup with SAP HANA
as a Service Provider.
Did you get any workaround for this?
Cheers
-Abhishek
On Tue, Apr 25, 2017 at 8:59 AM, Jyoti Kumar Singh <assassin.creed60(a)gmail.com> wrote:
Hi Team,
Is there any suggestion for me to look into regarding the Keycloak
invalid_authn_request error for a SAML client?
On Mon, Apr 24, 2017 at 12:50 PM, Jyoti Kumar Singh <assassin.creed60(a)gmail.com> wrote:
> Hi Team,
>
> We have integrated SAP HANA system as a Service Provider with the Keycloak
> 2.2.1.Final version and provided "SAML Metadata IDPSSODescriptor" which
> needs to be imported at Service Provider end.
>
> But while saving the "SAML Metadata IDPSSODescriptor" at Service Provider
> end, SingleSignOnService Location is getting saved with addition of 443
> port number in the Destination URL. For example, if Keycloak is providing
> IDP SingleSignOnService Location as
> "https://test.example.com/auth/realms/zzz/protocol/saml", Service Provider
> is saving it as "https://test.example.com:443/auth/realms/zzz/protocol/saml".
>
> Once Service Provider is making an AuthnRequest call to Keycloak, it is
> sending Destination URL as
> "https://test.example.com:443/auth/realms/zzz/protocol/saml" as part of
> AuthnRequest. As the destination URL contains ":443" extra, Keycloak is
> refusing to accept it and throws
> "error=invalid_authn_request, reason=invalid_destination" error.
>
> Looks like Keycloak is very strict about destination URL matching which is
> sent from SP as part of AuthnRequest. Do we have any option in Keycloak
> which will accept the Destination URL with port number in AuthnRequest or
> is there any workaround to handle this?
>
> Please let me know for any other information regarding this.
>
> --
>
>
> *With Regards, Jyoti Kumar Singh*
>
--
*With Regards, Jyoti Kumar Singh*
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
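
The mismatch described in the thread, as an added example (not part of the original posts and not Keycloak's own code): the Destination of a constructed AuthnRequest is checked against the IdP endpoint once as an exact string and once after making the scheme's default port explicit. The function names, the sample request and the choice of Python are assumptions made for illustration; the two URLs are the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Endpoint as published in the IdP metadata (URL taken from the thread).
IDP_ENDPOINT = "https://test.example.com/auth/realms/zzz/protocol/saml"

# Constructed AuthnRequest: ID and IssueInstant are made up; the Destination
# is the ":443" form the thread says the Service Provider sends.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-example" Version="2.0" '
    'IssueInstant="2017-04-24T07:20:00Z" '
    'Destination="https://test.example.com:443/auth/realms/zzz/protocol/saml"/>'
)

def get_destination(xml_text):
    """Return the Destination attribute of a SAML 2.0 AuthnRequest, or None."""
    # For untrusted input use a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.get("Destination")

def canonical(url):
    """Reduce a URL to comparable parts, making the default port explicit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported or malformed URL")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed in a Destination")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port, parts.path, parts.query)

def strict_match(destination, endpoint):
    """Exact string comparison: any textual difference is a mismatch."""
    return destination == endpoint

def normalized_match(destination, endpoint):
    """Equal only if scheme, host, effective port, path and query all agree."""
    if destination is None:
        return False
    try:
        return canonical(destination) == canonical(endpoint)
    except ValueError:
        return False
```

Only the default port is normalized here; a different host, a non-default port or a different path still fails the check, so the Destination validation keeps its purpose.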