[keycloak-user] Using OneLogin php-saml library with keycloak

pubudu gunawardena pubudupg at gmail.com
Fri Jun 5 02:43:44 EDT 2015

Quoting from section "3.1.1 Use of RelayState" in the spec

"Namely, if a SAML request message is accompanied by RelayState data,
then the SAML responder MUST return its SAML protocol response using a
binding that also supports a RelayState mechanism, and it MUST place
the exact RelayState data it received with the request into the
corresponding RelayState parameter in the response."

which is not the case if keycloak is removing the forward slashes from
the RelayState. So I think there should be a mechanism to escape the
RelayState data and yet return the data to the Service Provider

On Thu, Jun 4, 2015 at 5:43 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
> After debugging found a possible cause for this. In line 305 of
> SAML2BindingBuilder2 there is code as following
> escapeAttribute(relayState)
> which removes the forward slashes from the url. So I guess this is a bug?
> On Thu, Jun 4, 2015 at 5:14 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>> Hi All,
>> I am trying to use the OneLogin php-saml library[1] as a service
>> provider that uses keycloak as a SAML identity provider. The
>> "RelayState" parameter is sent properly form the SP to the IDP but in
>> the response, the forward slashes are missing from the RelayState.
>> For example in the post parameters of the authentication request, the
>> RelayState shows "http://phpsaml/demo1/" but in the response from
>> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
>> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>> How can I overcome this problem?
>> [1]https://github.com/onelogin/php-saml
>> --
>> Thanks,
>> Pubudu
> --
> Thanks,
> Pubudu


More information about the keycloak-user mailing list