[keycloak-dev] Keycloak's SAML AuthnResponse uses wrong binding
Bill Burke
bburke at redhat.com
Sat Apr 16 10:01:08 EDT 2016
On 4/15/2016 11:58 PM, John Dennis wrote:
> On 04/15/2016 06:55 PM, Pedro Igor Silva wrote:
>> What I tried to say is that ACSI and ProtocolBinding are mutually
>> exclusive. And usually, ProtocolBinding is used with ACSURL.
>
>> And that is why we always recommend POST (and also because the
>> assertion is not exposed) and the usage of that "Force Post Binding".
>> Which is enabled by default ...
>
>>> 1) Since nothing was specified use a default (HTTP-Post). The spec
>>> seems to be silent on what the default should be but HTTP-Post
>>> seems like the best choice.
>>
>> See above. We do that. And, AFAIK, we don't support Artifact.
>
>> Considering that we don't support Artifact. We would always choose
>> POST.
>
>
>> The ACSURL is always checked against the valid URLs you specified in
>> your client configuration.
>
>> We already choose the ACSURL based on the client configuration.
>
>> I think the point is, can you live with ProtocolBinding and ACSURL ?
>> Or do you really need full spec support (ACSI, etc) at this regard ?
>
> It's not a question of whether I can live with ProtocolBinding and ACSURL; I
> have no control over what an SP sends. If an SP sends only an ACSURL
> Keycloak needs to perform a POST with the AuthnResponse. You've said
> multiple times above that Keycloak will do a POST with the
> AuthnResponse but that's not what Keycloak is doing, instead it's
> causing a GET on the ACSURL using the HTTP-Redirect binding. So we
> need to figure out why Keycloak is not behaving as you believe it
> should be.
>
You can configure Keycloak to always send a POST. That is the
workaround right now.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
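The rule the thread converges on (honour ProtocolBinding when it is given and supported, default to HTTP-POST when it is absent, fall back to POST because Artifact is not supported, and only ever deliver to an ACSURL that is registered for the client, with a "force POST" switch overriding the SP's choice) is small enough to write out. The following is an added example for this thread, not Keycloak's code: the `CLIENT` dictionary, its keys, the `_constructed-1` request and the `sp.example.org` URLs are all constructed stand-ins. It also encodes a response for each binding, which makes concrete the difference John is pointing at: HTTP-Redirect is a GET with the response DEFLATEd and base64/URL-encoded in the query string, HTTP-POST is a form body.

```python
"""Binding selection for a SAML 2.0 AuthnResponse, modelled on the rule in the
thread above. Added example, not Keycloak code; client config is a stand-in."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
SUPPORTED_BINDINGS = {HTTP_POST, HTTP_REDIRECT}  # no Artifact, as in the thread

# Constructed sample: an SP request that names only an ACSURL (no ProtocolBinding).
SAMPLE_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2016-04-15T22:55:00Z"
    AssertionConsumerServiceURL="https://sp.example.org/saml/acs">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed stand-in for the IdP's per-client configuration (hypothetical keys).
CLIENT = {
    "valid_acs_urls": {"https://sp.example.org/saml/acs"},
    "default_acs_url": "https://sp.example.org/saml/acs",
    "force_post_binding": True,  # the "always send a POST" workaround, as a flag
}


class AuthnRequestError(ValueError):
    """Request is malformed, unsupported, or names an ACS URL we will not use."""


def parse_authn_request(xml_bytes):
    """Extract the attributes that decide where and how the response is sent."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise AuthnRequestError("not a samlp:AuthnRequest")
    req = {
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "acs_index": root.get("AssertionConsumerServiceIndex"),
        "binding": root.get("ProtocolBinding"),
    }
    # SAML 2.0 core: ACSIndex is mutually exclusive with ACSURL/ProtocolBinding.
    if req["acs_index"] is not None and (req["acs_url"] or req["binding"]):
        raise AuthnRequestError("ACSIndex cannot be combined with ACSURL/ProtocolBinding")
    return req


def select_response_binding(req, client):
    """Return (acs_url, binding) the IdP should use for the AuthnResponse."""
    if req["acs_index"] is not None:
        # Index-based ACS selection is treated as unsupported here; fail closed.
        raise AuthnRequestError("AssertionConsumerServiceIndex not supported")

    acs_url = req["acs_url"] or client["default_acs_url"]
    # Never deliver an assertion to a URL the client did not register: an
    # unchecked ACSURL lets anyone redirect assertions to themselves.
    if acs_url not in client["valid_acs_urls"]:
        raise AuthnRequestError("ACS URL %r not registered for this client" % acs_url)

    if client["force_post_binding"]:
        binding = HTTP_POST
    elif req["binding"] is None or req["binding"] not in SUPPORTED_BINDINGS:
        # The spec names no default; POST is the safe choice, and an unsupported
        # request (e.g. Artifact) also falls back to POST.
        binding = HTTP_POST
    else:
        binding = req["binding"]
    return acs_url, binding


def encode_for_binding(acs_url, binding, response_xml, relay_state=None):
    """POST: self-submitting form with base64 SAMLResponse in the body.
    Redirect: GET on the ACS URL with DEFLATE+base64+URL-encoded SAMLResponse."""
    if binding == HTTP_POST:
        b64 = base64.b64encode(response_xml).decode("ascii")
        fields = '<input type="hidden" name="SAMLResponse" value="%s"/>' % b64
        if relay_state:
            fields += '<input type="hidden" name="RelayState" value="%s"/>' % relay_state
        return {"method": "POST", "url": acs_url,
                "body": '<form method="post" action="%s">%s</form>' % (acs_url, fields)}
    if binding == HTTP_REDIRECT:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
        deflated = comp.compress(response_xml) + comp.flush()
        params = {"SAMLResponse": base64.b64encode(deflated).decode("ascii")}
        if relay_state:
            params["RelayState"] = relay_state
        return {"method": "GET", "url": acs_url + "?" + urllib.parse.urlencode(params)}
    raise AuthnRequestError("binding %r not supported" % binding)


def decode_redirect_query(url):
    """SP side of HTTP-Redirect: pull SAMLResponse out of the query and inflate it."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLResponse"][0]), -15)


if __name__ == "__main__":
    acs, binding = select_response_binding(parse_authn_request(SAMPLE_REQUEST), CLIENT)
    print(encode_for_binding(acs, binding, b"<samlp:Response/>")["method"], acs)
```

With `force_post_binding` left on, every response goes out as a POST regardless of what the SP asked for; turning it off makes the SP's `ProtocolBinding` decisive, and a request carrying only an ACSURL still gets POST because nothing else was requested.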