On 08/03/2018 01:17 PM, Dmitry Telegin wrote:
Hi Max,
Could you please attach that SP metadata file for both configurations? (scrubbing
sensitive data, if any)
Also if you are on a purely testing (non-critical) environment, could you please capture
the whole conversation into a HAR file and share it? (F12 > Network > right click,
"Save as HAR with contents" or like that; don't forget to turn on Preserve
logs)
This might be super helpful to understand what's going on. Also make sure it
doesn't expose anything sensitive.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2018-08-02 at 14:42 +0100, Max Allan wrote:
> Hi,
> I have a SAML SP that needs both POST and Redirect methods in the
> sp_metadata file. (if redirect is missing then it fails to even startup the
> app)
>
> A bit of fiddling and I noticed the "Force POST Binding" in the client
> config. If I turn it OFF then both POST and Redirect lines appear in the
> installation file. Nice.
>
> However, when the user tries to login, something (Keycloak I'm pretty sure)
> gets things wildly wrong and the browser ends up at the SP's redirect URI
> with the "SAMLRequest=...." in the URL.
>
> The SP doesn't know how to process that (that's for Keycloak). So it fails
> to login.
>
> If I leave "Force POST" ON, then the sp_metadata needs a manual edit to
> include the Redirect method. But at least the user can login.
>
> Can anyone explain what's going on? Why do I need to set it off to generate
> the xml for the SP and then back on to actually work??
I wonder if there is some confusion. The statement "needs the method in
the SP metadata" implies the AssertionConsumerService endpoint, which
has a binding associated with it. But the redirect binding is never
used for receiving assertions because of its limited size (everything
is encoded in the URL). Typically with WebSSO the redirect is composed
with the post binding. The SP sends the request to the IdP (e.g.
keycloak) using the redirect binding and the IdP responds using post.
> I have a SAML SP that needs both POST and Redirect methods in the
> sp_metadata file.
This just sounds wrong.
--
John Dennis
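The pairing John describes (SP to IdP over the Redirect binding, IdP back to the SP over POST), as an added example that is not code from this thread or from Keycloak. It parses a constructed piece of SP metadata, flags an AssertionConsumerService that claims the HTTP-Redirect binding, and shows how each binding actually carries its message: DEFLATE plus base64 plus URL-encoding in the query string for the request, plain base64 in a form field for the response. Entity IDs, URLs and the AuthnRequest are constructed; the binding URIs are the standard SAML 2.0 ones.

```python
# Added example (not code from the thread): inspect ACS bindings in SP
# metadata and encode/decode a message for each of the two bindings.
# Entity IDs, URLs and the AuthnRequest below are constructed.
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata with one AssertionConsumerService per binding,
# the shape a "both POST and Redirect" installation file would have.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest. ProtocolBinding names the binding the SP asks
# the IdP to use for the Response; that is the leg where POST belongs.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-request-1" Version="2.0" IssueInstant="2018-08-02T13:42:00Z" '
    'Destination="https://idp.example.test/realms/demo/protocol/saml" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs"/>'
)


def acs_bindings(metadata_xml):
    """Return [(binding, location), ...] for every AssertionConsumerService."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return [(e.get("Binding"), e.get("Location")) for e in root.iterfind(path, MD_NS)]


def check_acs_bindings(metadata_xml):
    """Findings a reviewer would raise about the ACS endpoints in SP metadata."""
    bindings = [b for b, _ in acs_bindings(metadata_xml)]
    findings = []
    if POST_BINDING not in bindings:
        findings.append("no HTTP-POST AssertionConsumerService; the IdP has nowhere to POST the Response")
    if REDIRECT_BINDING in bindings:
        findings.append("HTTP-Redirect AssertionConsumerService declared; a signed assertion does not fit in a URL and the IdP will not deliver it that way")
    return findings


def encode_redirect_request(request_xml):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode for the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_request(param):
    """Reverse of encode_redirect_request, as the IdP does on receipt."""
    deflated = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(deflated, -15).decode("utf-8")


def build_redirect_url(sso_url, request_xml, relay_state=None):
    """The URL the browser is sent to for the request leg (SP -> IdP)."""
    query = "SAMLRequest=" + encode_redirect_request(request_xml)
    if relay_state is not None:
        query += "&RelayState=" + urllib.parse.quote(relay_state, safe="")
    return sso_url + "?" + query


def encode_post_response(response_xml):
    """HTTP-POST binding: plain base64 in a hidden form field (IdP -> SP), no compression."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def decode_post_response(field_value):
    """Reverse of encode_post_response, as the SP's ACS does on receipt."""
    return base64.b64decode(field_value).decode("utf-8")


if __name__ == "__main__":
    for binding, location in acs_bindings(SP_METADATA):
        print(binding.rsplit(":", 1)[-1], location)
    for finding in check_acs_bindings(SP_METADATA):
        print("finding:", finding)
    url = build_redirect_url("https://idp.example.test/realms/demo/protocol/saml", AUTHN_REQUEST)
    print(len(url), "characters in the redirect URL for a minimal request")
```

Running it against the constructed metadata lists both ACS entries and raises one finding, for the Redirect ACS. The size argument is visible in the encoders: the request leg has to be deflated and squeezed into a URL, while the POST leg carries the full, signed Response in a form body with no such constraint, which is why a SAMLRequest appearing in a URL at the SP's own endpoint is the wrong direction for that binding.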