A couple of questions:
1. Is there a way to disable the audience restriction checking in SAML identity
brokering?
We have a use case where we have a SAML IdP that is able to accept requests from multiple
URLs and we are trying to use it to federate access to several SPs backed by different
Keycloak instances. Unfortunately the IdP is not able to change the AudienceRestriction
attribute dynamically. If there is a way to disable the check in Keycloak that will
unblock us.
2. Somewhat related, can a Keycloak SP process an assertion with an audience
restriction that has multiple values?
The problem at
https://access.redhat.com/solutions/4177341 (can’t see the solution) seems
to imply that there is an issue.
Would test it myself but do not have a convenient way to set this up.
Thanks,
-Georgi
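
For reference on the second question, the audience rule from SAML 2.0 Core (section 2.5.1.4), as an added example that is not part of the original post and is not Keycloak's code: `Audience` values inside one `AudienceRestriction` are alternatives, while several `AudienceRestriction` elements must all be satisfied. The entity IDs, the sample XML and the function name `audience_ok` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: one restriction naming two SP entity IDs (hypothetical URLs).
ONE_RESTRICTION = """
<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AudienceRestriction>
    <saml:Audience>https://kc1.example.test/realms/a</saml:Audience>
    <saml:Audience>https://kc2.example.test/realms/b</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
"""

# Constructed sample: two restrictions; the SP must appear in both.
TWO_RESTRICTIONS = """
<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AudienceRestriction>
    <saml:Audience>https://kc1.example.test/realms/a</saml:Audience>
    <saml:Audience>https://kc2.example.test/realms/b</saml:Audience>
  </saml:AudienceRestriction>
  <saml:AudienceRestriction>
    <saml:Audience>https://kc2.example.test/realms/b</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
"""


def audience_ok(conditions_xml, sp_entity_id):
    """Return True if sp_entity_id satisfies every AudienceRestriction.

    Within one restriction the Audience values are ORed; separate
    restrictions are ANDed. A Conditions element with no restriction
    places no audience constraint, so it returns True.
    Assumes the assertion signature was already verified by the caller.
    """
    root = ET.fromstring(conditions_xml.strip())
    for restriction in root.findall("saml:AudienceRestriction", SAML_NS):
        audiences = {
            (a.text or "").strip()
            for a in restriction.findall("saml:Audience", SAML_NS)
        }
        # Exact string match on the entity ID; an empty restriction fails closed.
        if sp_entity_id not in audiences:
            return False
    return True
```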