See
https://issues.jboss.org/browse/KEYCLOAK-4813 and I would also like to
solicit any thoughts on a workaround.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of abhishek raghav
Sent: Tuesday, April 25, 2017 9:30 AM
To: Jyoti Kumar Singh <assassin.creed60(a)gmail.com>; keycloak-user
<keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak is throwing invalid_authn_request
error for SAML Client
Hi,
We are also facing a similar issue in our infrastructure setup with SAP HANA
as a Service Provider.
Did you get any workaround for this?
Cheers
-Abhishek
On Tue, Apr 25, 2017 at 8:59 AM, Jyoti Kumar Singh <
assassin.creed60(a)gmail.com> wrote:
Hi Team,
Is there any suggestion for me to look upon regarding the Keycloak
invalid_authn_request error for SAML client?
On Mon, Apr 24, 2017 at 12:50 PM, Jyoti Kumar Singh <
assassin.creed60(a)gmail.com> wrote:
> Hi Team,
>
> We have integrated SAP HANA system as a Service Provider with the Keycloak
> 2.2.1.Final version and provided "SAML Metadata IDPSSODescriptor" which
> needs to be imported at Service Provider end.
>
> But while saving the "SAML Metadata IDPSSODescriptor" at Service Provider
> end, SingleSignOnService Location is getting saved with addition of 443
> port number in the Destination URL. For example, if Keycloak is providing
> IDP SingleSignOnService Location as
> "https://test.example.com/auth/realms/zzz/protocol/saml", Service Provider
> is saving it as
> "https://test.example.com:443/auth/realms/zzz/protocol/saml".
>
> Once Service Provider is making an AuthnRequest call to Keycloak, it is
> sending Destination URL as
> "https://test.example.com:443/auth/realms/zzz/protocol/saml" as part of
> AuthnRequest. As the destination URL contains the extra ":443", Keycloak is
> refusing to accept it and throws
> "error=invalid_authn_request, reason=invalid_destination" error.
>
> Looks like Keycloak is very strict about destination URL matching which is
> sent from SP as part of AuthnRequest. Do we have any option in Keycloak
> which will accept the Destination URL with port number in AuthnRequest, or
> is there any workaround to handle this?
>
> Please let me know for any other information regarding this.
>
> --
> *With Regards, Jyoti Kumar Singh*
--
*With Regards, Jyoti Kumar Singh*
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
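
The Destination check discussed in this thread, as an added example (not Keycloak's code and not written by any poster): an exact string match rejects the ":443" form, while a comparison that treats only the scheme's default port as equivalent accepts it and still rejects other ports and paths. The function names, the decoded sample AuthnRequest and the policy for a missing Destination are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}
# Endpoint the IdP publishes in its metadata (value taken from the thread).
IDP_ENDPOINT = "https://test.example.com/auth/realms/zzz/protocol/saml"
# Constructed sample: a decoded AuthnRequest as the SP in the thread sends it.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="' + SAMLP_NS + '" '
    'ID="_constructed-example" Version="2.0" '
    'IssueInstant="2017-04-24T07:20:00Z" '
    'Destination="https://test.example.com:443/auth/realms/zzz/protocol/saml"/>'
)


def destination_of(authn_request_xml):
    """Return the Destination attribute of an AuthnRequest, or None."""
    # For untrusted input use a hardened parser such as defusedxml.
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.get("Destination")


def canonical_endpoint(url):
    """Reduce a URL to (scheme, host, port, path, query), port explicit."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host or parts.username or parts.password:
        raise ValueError("unsupported endpoint URL")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    # Path and query stay byte-for-byte: only the default port is equivalent.
    return scheme, host, port, parts.path, parts.query


def destination_matches(authn_request_xml, endpoint, normalize_port=True):
    """True when the request's Destination names this endpoint."""
    destination = destination_of(authn_request_xml)
    if destination is None:
        return False  # assumption in this example: Destination is required
    if not normalize_port:
        return destination == endpoint  # exact match, rejects ":443"
    try:
        return canonical_endpoint(destination) == canonical_endpoint(endpoint)
    except ValueError:
        return False


if __name__ == "__main__":
    print(destination_matches(SAMPLE_AUTHN_REQUEST, IDP_ENDPOINT))
```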