[keycloak-dev] Keycloak's SAML AuthnResponse uses wrong binding

Bill Burke bburke at redhat.com
Sat Apr 16 10:04:03 EDT 2016



On 4/15/2016 10:07 PM, Adam Young wrote:
> On 04/14/2016 08:55 PM, John Dennis wrote:
>> I could use some help from your SAML developers because I'm seeing
>> what appears to be incorrect behavior.
>>
>> During testing with keycloak-1.9.0.Final a SAML AuthnRequest is sent
>> using the HTTP-Redirect binding. The AuthnRequest specifies a
>> AssertionConsumerServiceURL for the SP which has the HTTP-POST
>> binding. When Keycloak responds with the Assertion in the SAMLResponse
>> it incorrectly uses the HTTP-Redirect binding instead of the HTTP-POST
>> binding (specified in both the AuthnRequest and the SP metadata). This
>> causes a failure because the endpoint for the SP's
>> AssertionConsumerServiceURL only expects HTTP-POST, the resulting
>> error is an invalid HTTP method failure.
>>
>> I also noticed that when I used the Web UI to examine the SP metadata
>> (Installation tab of the realm client, selecting the "SAML Metadata
>> SPSSODescriptor" format) that it did not match the SP metadata that
>> had been loaded using the client registration service. Not only wasn't
>> it the exact same metadata, but specifically it was missing several of
>> the endpoints the SP declared in its metadata. Why isn't the metadata
>> the same and why did Keycloak drop essential endpoint/binding
>> information?
>>
>> Thanks,
>>
> Was that 1.9.0 or 1.9.2?  I thought they said that there were some bugs
> in 1.9.0 that had been fixed in 1.9.2.  Looks like they dropped 1.9.2
> final later on today.

It's not going to store the exact SP metadata file that was imported.  
Keycloak only imports SP metadata that Keycloak.  Also, the admin 
console is allowed to modify this imported metadata however it wants. I 
don't see a problem with this behavior at all.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
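The binding question John raises above comes down to one rule: an IdP chooses the endpoint and binding for its SAMLResponse from what the AuthnRequest names and what the SP registered in its metadata, never from the binding the AuthnRequest happened to arrive on. The following is an added example (not Keycloak's code and not from anyone in this thread) showing that selection logic in Python, generalised a little beyond the thread: it also handles an AuthnRequest that selects the endpoint by AssertionConsumerServiceIndex or omits both and relies on the SP's default. The SP metadata, the AuthnRequest, the sp.example.test URLs and the function names registered_acs and select_response_endpoint are all constructed for the example.

```python
"""Pick the AssertionConsumerService (URL + binding) for a SAML Response.

Added example, not Keycloak code. SP metadata and the AuthnRequest are
constructed below; helper names are hypothetical.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# The Web Browser SSO profile carries the <Response> over POST or Artifact;
# HTTP-Redirect is a request-side binding and is never acceptable here.
RESPONSE_BINDINGS = {HTTP_POST, HTTP_ARTIFACT}

# Constructed SP metadata: a default POST endpoint and a second Artifact one.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs/post"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml/acs/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest of the kind described in the thread: it names the
# POST endpoint explicitly, regardless of the binding it was sent over.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2016-04-14T00:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.test/saml/acs/post"/>"""


def registered_acs(metadata_xml):
    """Return the SP's AssertionConsumerService endpoints from its metadata."""
    root = ET.fromstring(metadata_xml)
    acs = []
    for el in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS):
        acs.append({"index": int(el.get("index")),
                    "binding": el.get("Binding"),
                    "location": el.get("Location"),
                    "default": el.get("isDefault", "false").lower() == "true"})
    return acs


def select_response_endpoint(authn_request_xml, metadata_xml):
    """Return (location, binding) the Response must be delivered with.

    The binding the AuthnRequest arrived on is deliberately not an input:
    only the request's own attributes and the registered metadata count.
    Raises ValueError when the request does not resolve to exactly one
    registered endpoint, so no assertion is ever sent to an unknown URL.
    """
    req = ET.fromstring(authn_request_xml)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    acs = registered_acs(metadata_xml)
    idx = req.get("AssertionConsumerServiceIndex")
    url = req.get("AssertionConsumerServiceURL")
    wanted = req.get("ProtocolBinding")

    if idx is not None:
        # SAML core: the index is mutually exclusive with URL / ProtocolBinding.
        if url is not None or wanted is not None:
            raise ValueError("AssertionConsumerServiceIndex cannot be combined with URL/binding")
        matches = [e for e in acs if e["index"] == int(idx)]
    elif url is not None:
        # Only a URL the SP registered is acceptable; the binding, if named,
        # must be the one registered for that URL.
        matches = [e for e in acs
                   if e["location"] == url and (wanted is None or e["binding"] == wanted)]
    else:
        # Nothing named: use the SP's default endpoint (first one if none is flagged).
        matches = [e for e in acs if e["default"]] or acs[:1]

    if len(matches) != 1:
        raise ValueError("AuthnRequest does not name exactly one registered AssertionConsumerService")
    chosen = matches[0]
    if chosen["binding"] not in RESPONSE_BINDINGS:
        raise ValueError("registered binding %s is not valid for a Response" % chosen["binding"])
    return chosen["location"], chosen["binding"]


if __name__ == "__main__":
    # prints ('https://sp.example.test/saml/acs/post', '...:bindings:HTTP-POST')
    print(select_response_endpoint(AUTHN_REQUEST, SP_METADATA))
```

Run against the constructed inputs it returns the POST endpoint, which is what the SP in the thread expected. Two checks do the defensive work: a URL absent from the SP metadata is refused rather than trusted, and a registered binding outside the POST/Artifact pair is refused, so an IdP built this way cannot echo the inbound HTTP-Redirect binding back at the ACS.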


