[keycloak-dev] Keycloak's SAML AuthnResponse uses wrong binding
Adam Young
ayoung at redhat.com
Fri Apr 15 22:07:34 EDT 2016
On 04/14/2016 08:55 PM, John Dennis wrote:
> I could use some help from your SAML developers because I'm seeing
> what appears to be incorrect behavior.
>
> During testing with keycloak-1.9.0.Final a SAML AuthnRequest is sent
> using the HTTP-Redirect binding. The AuthnRequest specifies a
> AssertionConsumerServiceURL for the SP which has the HTTP-POST
> binding. When Keycloak responds with the Assertion in the SAMLResponse
> it incorrectly uses the HTTP-Redirect binding instead of the HTTP-POST
> binding (specified in both the AuthnRequest and the SP metadata). This
> causes a failure because the endpoint for the SP's
> AssertionConsumerServiceURL only expects HTTP-POST, the resulting
> error is an invalid HTTP method failure.
>
> I also noticed that when I used the Web UI to examine the SP metadata
> (Installation tab of the realm client, selecting the "SAML Metadata
> SPSSODescriptor" format) that it did not match the SP metadata that
> had been loaded using the client registration service. Not only wasn't
> it the exact same metadata, but specifically it was missing several of
> the endpoints the SP declared in its metadata. Why isn't the metadata
> the same and why did Keycloak drop essential endpoint/binding
> information?
>
> Thanks,
>
Was that 1.9.0 or 1.9.2? I thought they said that there were some bugs
in 1.9.0 that had been fixed in 1.9.2. Looks like they dropped 1.9.2
final later on today.
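As an added illustration (not Keycloak's code and not anything posted in this thread), here is the binding selection an IdP should perform for the scenario John describes: the AuthnRequest arrives over HTTP-Redirect, but its ProtocolBinding and AssertionConsumerServiceURL, checked against the SP's registered endpoints, determine that the Response must go back over HTTP-POST. The SP entity, ACS and IdP URLs, the request ID and the metadata dict are constructed for the example.

```python
"""Added example, not Keycloak's code: parse an AuthnRequest delivered over the
HTTP-Redirect binding and select the Response binding from the request's
ProtocolBinding / AssertionConsumerServiceURL and the SP metadata, never from
the binding the request happened to arrive on. All URLs and IDs are constructed."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BIND_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BIND_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: the SP registers only an HTTP-POST ACS (assumed URL).
SP_ACS = [
    {"url": "https://sp.example.test/saml/acs", "binding": BIND_POST, "default": True},
]

# Constructed AuthnRequest matching the thread's scenario: sent over Redirect,
# but asking for the assertion to come back over HTTP-POST.
AUTHN_REQUEST_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
    'ID="_req1" Version="2.0" IssueInstant="2016-04-14T20:55:00Z" '
    f'ProtocolBinding="{BIND_POST}" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def redirect_url(idp_sso_url: str, xml_text: str) -> str:
    """Build the GET URL the SP would redirect the browser to."""
    return idp_sso_url + "?" + urlencode({"SAMLRequest": encode_redirect(xml_text)})


def parse_redirect_request(url: str) -> ET.Element:
    """Undo the Redirect binding: query param -> base64 -> inflate -> XML."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return root


def choose_response_binding(authn_request: ET.Element, sp_acs: list) -> tuple:
    """Return (acs_url, binding) to use for the Response.

    The inbound binding is deliberately not an input: SAML 2.0 Core 3.4.1 lets
    the SP name the return path via ProtocolBinding / AssertionConsumerServiceURL,
    falling back to the default ACS from its metadata when they are absent."""
    acs_url = authn_request.get("AssertionConsumerServiceURL")
    wanted = authn_request.get("ProtocolBinding")
    if acs_url is None:
        entry = next(e for e in sp_acs if e["default"])
    else:
        # Honour only ACS URLs the SP registered; otherwise a forged request
        # could steer the assertion to a URL of the attacker's choosing.
        matches = [e for e in sp_acs if e["url"] == acs_url]
        if not matches:
            raise ValueError(f"ACS URL not in SP metadata: {acs_url}")
        entry = matches[0]
    if wanted is not None and wanted != entry["binding"]:
        raise ValueError(f"ProtocolBinding {wanted} not registered for {entry['url']}")
    return entry["url"], entry["binding"]


def acs_accepts(binding: str, http_method: str) -> bool:
    """SP-side guard: an HTTP-POST ACS answers only POST; a GET is the
    'invalid HTTP method' failure seen when the IdP picks the wrong binding."""
    return {BIND_POST: "POST", BIND_REDIRECT: "GET"}[binding] == http_method


if __name__ == "__main__":
    url = redirect_url("https://idp.example.test/realms/demo/protocol/saml", AUTHN_REQUEST_XML)
    acs, binding = choose_response_binding(parse_redirect_request(url), SP_ACS)
    print(acs, binding.rsplit(":", 1)[-1])
    print("GET to the ACS accepted:", acs_accepts(binding, "GET"))
```

The point of keeping the inbound binding out of `choose_response_binding` is that reusing it is exactly the failure reported above; the SP's registered endpoints are the only authority on where, and over which binding, an assertion may be delivered.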