[keycloak-user] Using OneLogin php-saml library with keycloak

pubudu gunawardena pubudupg at gmail.com
Fri Jun 5 02:55:52 EDT 2015

The relay state is transferred to keycloak in an HTTP GET. It seems to
be urlencoded by the library that I'm using. The parameter looks like

On Fri, Jun 5, 2015 at 12:21 PM, Bill Burke <bburke at redhat.com> wrote:
> How is the relay state transferred?  POST or Redirect GET?  How is it
> encoded?
> On 6/5/2015 2:43 AM, pubudu gunawardena wrote:
>> Quoting from section "3.1.1 Use of RelayState" in the spec
>> (https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf),
>> "Namely, if a SAML request message is accompanied by RelayState data,
>> then the SAML responder MUST return its SAML protocol response using a
>> binding that also supports a RelayState mechanism, and it MUST place
>> the exact RelayState data it received with the request into the
>> corresponding RelayState parameter in the response."
>> which is not the case if keycloak is removing the forward slashes from
>> the RelayState. So I think there should be a mechanism to escape the
>> RelayState data and yet return the data to the Service Provider
>> unmodified.
>> On Thu, Jun 4, 2015 at 5:43 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>>> After debugging, I found a possible cause for this. In line 305 of
>>> SAML2BindingBuilder2 there is code as follows:
>>> escapeAttribute(relayState)
>>> which removes the forward slashes from the url. So I guess this is a bug?
>>> On Thu, Jun 4, 2015 at 5:14 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>>>> Hi All,
>>>> I am trying to use the OneLogin php-saml library[1] as a service
>>>> provider that uses keycloak as a SAML identity provider. The
>>>> "RelayState" parameter is sent properly form the SP to the IDP but in
>>>> the response, the forward slashes are missing from the RelayState.
>>>> For example in the post parameters of the authentication request, the
>>>> RelayState shows "http://phpsaml/demo1/" but in the response from
>>>> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
>>>> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>>>> How can I overcome this problem?
>>>> [1]https://github.com/onelogin/php-saml
>>>> --
>>>> Thanks,
>>>> Pubudu
>>> --
>>> Thanks,
>>> Pubudu
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
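An added illustration of the point Pubudu makes from the bindings spec (this is not code from the thread, from Keycloak or from php-saml): the IdP must make the RelayState safe for the HTML form of the POST binding by attribute-escaping it, which the browser reverses before submitting, so the SP receives the exact value back; dropping characters such as "/" is not reversible. The ACS URL, the base64 stub and the sample RelayState values are constructed.

```python
import html
import re
from urllib.parse import urlencode, parse_qs

# Constructed sample values (the URL form is the one quoted in the thread).
ACS_URL = "https://sp.example/acs"          # assumed SP endpoint
SAML_STUB = "UEsDBA=="                       # stand-in for a base64 message

def post_binding_form(saml_response_b64: str, relay_state: str) -> str:
    """Build the auto-submit form of the SAML POST binding.
    RelayState lands inside an HTML attribute, so it is attribute-escaped
    (&, <, >, " become entities); nothing is removed from the value."""
    return (
        f'<form method="post" action="{html.escape(ACS_URL, quote=True)}">'
        f'<input type="hidden" name="SAMLResponse" '
        f'value="{html.escape(saml_response_b64, quote=True)}"/>'
        f'<input type="hidden" name="RelayState" '
        f'value="{html.escape(relay_state, quote=True)}"/>'
        "</form>"
    )

def relay_state_from_form(form_html: str) -> str:
    """What the browser submits: the attribute value after HTML-unescaping."""
    m = re.search(r'name="RelayState" value="([^"]*)"', form_html)
    return html.unescape(m.group(1)) if m else ""

def redirect_binding_query(saml_request_b64: str, relay_state: str) -> str:
    """Redirect binding: RelayState is URL-encoded in the query string."""
    return urlencode({"SAMLRequest": saml_request_b64, "RelayState": relay_state})

def relay_state_from_query(query: str) -> str:
    """SP side of the redirect binding: URL-decode the parameter."""
    return parse_qs(query)["RelayState"][0]

def strip_slashes(relay_state: str) -> str:
    """The behaviour reported in the thread, shown only for contrast:
    removing characters cannot be undone by the SP."""
    return relay_state.replace("/", "")

def round_trips(relay_state: str) -> bool:
    """True when both bindings hand the SP back exactly what it sent."""
    form = post_binding_form(SAML_STUB, relay_state)
    query = redirect_binding_query(SAML_STUB, relay_state)
    return (relay_state_from_form(form) == relay_state
            and relay_state_from_query(query) == relay_state)

if __name__ == "__main__":
    print(round_trips("http://phpsaml/demo1/"))           # True
    print(strip_slashes("http://phpsaml/demo1/"))         # http:phpsamldemo1
```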