Hi Team,
Is there any suggestion for me to look upon regarding the Keycloak
invalid_authn_request error for SAML client?
On Mon, Apr 24, 2017 at 12:50 PM, Jyoti Kumar Singh <
assassin.creed60(a)gmail.com> wrote:
Hi Team,
We have integrated SAP HANA system as a Service Provider with the Keycloak
2.2.1.Final version and provided "SAML Metadata IDPSSODescriptor" which
needs to be imported at Service Provider end.
But while saving the "SAML Metadata IDPSSODescriptor" at the Service Provider
end, the SingleSignOnService Location is being saved with the port number 443
added to the Destination URL. For example, if Keycloak is providing the
IDP SingleSignOnService Location as
"https://test.example.com/auth/realms/zzz/protocol/saml", the Service
Provider is saving it as
"https://test.example.com:443/auth/realms/zzz/protocol/saml".
Once the Service Provider is making an AuthnRequest call to Keycloak, it is
sending the Destination URL as
"https://test.example.com:443/auth/realms/zzz/protocol/saml" as part of the
AuthnRequest. As the destination URL contains the extra ":443", Keycloak is
refusing to accept it and throws the "error=invalid_authn_request,
reason=invalid_destination" error.
It looks like Keycloak is very strict about matching the Destination URL
sent from the SP as part of the AuthnRequest. Do we have any option in
Keycloak that will accept the Destination URL with a port number in the
AuthnRequest, or is there any workaround to handle this?
Please let me know for any other information regarding this.
--
*With Regards, Jyoti Kumar Singh*
--
*With Regards, Jyoti Kumar Singh*
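The mismatch described in this thread comes down to how the IdP compares the Destination attribute of the incoming AuthnRequest against the URL it actually received the request on. The following is an added example, not code from Keycloak or from SAP HANA, that parses a constructed AuthnRequest carrying an explicit ":443" and compares its Destination two ways: by strict string equality (which rejects it, as reported) and after RFC 3986-style normalization that drops the scheme's default port and lowercases scheme and host (which accepts it while still rejecting a genuinely different port). The hostnames, realm and ACS URL are taken from or modelled on the thread and are assumptions for illustration only.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# The SingleSignOnService Location as published in the IdP metadata (from the thread).
IDP_SSO_URL = "https://test.example.com/auth/realms/zzz/protocol/saml"

# Constructed sample AuthnRequest (not captured from SAP HANA or Keycloak).
# The SP has stored the IdP endpoint with an explicit ":443", so that is what
# it writes into the Destination attribute. The ACS URL and issuer are assumed.
SAMPLE_AUTHN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee1234" Version="2.0" IssueInstant="2017-04-24T07:20:00Z"
    Destination="https://test.example.com:443/auth/realms/zzz/protocol/saml"
    AssertionConsumerServiceURL="https://hana.example.com/sap/saml2/acs">
  <saml:Issuer>https://hana.example.com/sap/saml2/metadata</saml:Issuer>
</samlp:AuthnRequest>
"""

# Default ports per scheme; a URL carrying its scheme's default port is
# equivalent to the same URL without the port (RFC 3986 section 6.2.3).
DEFAULT_PORTS = {"http": 80, "https": 443}


def extract_destination(authn_request_xml: str) -> str:
    """Return the Destination attribute of a samlp:AuthnRequest, or raise."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("document is not a samlp:AuthnRequest")
    destination = root.get("Destination")
    if not destination:
        raise ValueError("AuthnRequest has no Destination attribute")
    return destination


def strict_match(destination: str, expected: str) -> bool:
    """Byte-for-byte comparison: this is the behaviour the thread describes
    (":443" present on one side but not the other means no match)."""
    return destination == expected


def normalize_url(url: str) -> str:
    """Lowercase scheme and host and drop the scheme's default port.
    Path, query and fragment are left untouched: they are significant."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # int or None; raises ValueError for a malformed port
    if port is not None and DEFAULT_PORTS.get(scheme) == port:
        port = None
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def normalized_match(destination: str, expected: str) -> bool:
    """Accept equivalent spellings of the same endpoint, reject anything else."""
    return normalize_url(destination) == normalize_url(expected)


def check_authn_request(authn_request_xml: str, expected: str) -> dict:
    """Run both comparisons on one request and report the results."""
    destination = extract_destination(authn_request_xml)
    return {
        "destination": destination,
        "strict": strict_match(destination, expected),
        "normalized": normalized_match(destination, expected),
    }


if __name__ == "__main__":
    result = check_authn_request(SAMPLE_AUTHN_REQUEST, IDP_SSO_URL)
    print(f"Destination: {result['destination']}")
    print(f"strict match:     {result['strict']}")
    print(f"normalized match: {result['normalized']}")
```

Whether the IdP may legitimately relax the comparison is a policy question (the SAML 2.0 core specification requires the Destination, when present, to match the URL the request was received at, and leaves the equivalence rule to the implementation); the practical fix on the SP side is to make sure the stored SingleSignOnService Location matches the metadata verbatim, and the check above shows exactly which string the IdP would see either way.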