[keycloak-user] Using OneLogin php-saml library with keycloak

Bill Burke bburke at redhat.com
Fri Jun 5 02:51:03 EDT 2015

How is the relay state transfered?  POST or Redirect GET?  How is it 

On 6/5/2015 2:43 AM, pubudu gunawardena wrote:
> Quoting from section "3.1.1 Use of RelayState" in the spec
> (https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf),
> "Namely, if a SAML request message is accompanied by RelayState data,
> then the SAML responder MUST return its SAML protocol response using a
> binding that also supports a RelayState mechanism, and it MUST place
> the exact RelayState data it received with the request into the
> corresponding RelayState parameter in the response."
> which is not the case if keycloak is removing the forward slashes from
> the RelayState. So I think there should be a mechanism to escape the
> RelayState data and yet return the data to the Service Provider
> unmodified.
> On Thu, Jun 4, 2015 at 5:43 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>> After debugging found a possible cause for this. In line 305 of
>> SAML2BindingBuilder2 there is code as following
>> escapeAttribute(relayState)
>> which removes the forward slashes from the url. So I guess this is a bug?
>> On Thu, Jun 4, 2015 at 5:14 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>>> Hi All,
>>> I am trying to use the OneLogin php-saml library[1] as a service
>>> provider that uses keycloak as a SAML identity provider. The
>>> "RelayState" parameter is sent properly form the SP to the IDP but in
>>> the response, the forward slashes are missing from the RelayState.
>>> For example in the post parameters of the authentication request, the
>>> RelayState shows "http://phpsaml/demo1/" but in the response from
>>> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
>>> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>>> How can I overcome this problem?
>>> [1]https://github.com/onelogin/php-saml
>>> --
>>> Thanks,
>>> Pubudu
>> --
>> Thanks,
>> Pubudu

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-user mailing list