[keycloak-user] Using OneLogin php-saml library with keycloak

pubudu gunawardena pubudupg at gmail.com
Fri Jun 5 02:55:52 EDT 2015


The relay state is transferred to keycloak in an HTTP GET. It seems to
be urlencoded by the library that I'm using. The parameter looks like
"RelayState=http%3A%2F%2Fportal-simulator%2Fprotected.php".


On Fri, Jun 5, 2015 at 12:21 PM, Bill Burke <bburke at redhat.com> wrote:
> How is the relay state transferred?  POST or Redirect GET?  How is it
> encoded?
>
> On 6/5/2015 2:43 AM, pubudu gunawardena wrote:
>> Quoting from section "3.1.1 Use of RelayState" in the spec
>> (https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf),
>>
>> "Namely, if a SAML request message is accompanied by RelayState data,
>> then the SAML responder MUST return its SAML protocol response using a
>> binding that also supports a RelayState mechanism, and it MUST place
>> the exact RelayState data it received with the request into the
>> corresponding RelayState parameter in the response."
>>
>> which is not the case if keycloak is removing the forward slashes from
>> the RelayState. So I think there should be a mechanism to escape the
>> RelayState data and yet return the data to the Service Provider
>> unmodified.
>>
>> On Thu, Jun 4, 2015 at 5:43 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>>> After debugging found a possible cause for this. In line 305 of
>>> SAML2BindingBuilder2 there is code as following
>>>
>>> escapeAttribute(relayState)
>>>
>>> which removes the forward slashes from the url. So I guess this is a bug?
>>>
>>> On Thu, Jun 4, 2015 at 5:14 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>>>> Hi All,
>>>>
>>>> I am trying to use the OneLogin php-saml library[1] as a service
>>>> provider that uses keycloak as a SAML identity provider. The
>>>> "RelayState" parameter is sent properly from the SP to the IDP but in
>>>> the response, the forward slashes are missing from the RelayState.
>>>> For example in the post parameters of the authentication request, the
>>>> RelayState shows "http://phpsaml/demo1/" but in the response from
>>>> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
>>>> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>>>>
>>>> How can I overcome this problem?
>>>>
>>>>
>>>> [1]https://github.com/onelogin/php-saml
>>>>
>>>> --
>>>> Thanks,
>>>> Pubudu
>>>
>>>
>>>
>>> --
>>> Thanks,
>>> Pubudu
>>
>>
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 
Thanks,
Pubudu
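The spec requirement quoted in this thread (Bindings 3.1.1: the responder MUST return the exact RelayState it received) is easy to check in code. The following added example is not code from Keycloak, php-saml or any poster; it models both bindings mentioned above with hand-written helpers. It shows the correct way to carry RelayState in an HTTP-POST form (HTML-attribute escaping, which preserves every character once the browser submits the form) and in an HTTP-Redirect URL (percent-encoding, which yields the `RelayState=http%3A%2F%2Fportal-simulator%2Fprotected.php` form seen above), next to a hypothetical `strip_slashes_escape` that reproduces the reported symptom (`http://phpsaml/demo1/` coming back as `http:phpsamldemo1`) and fails the SP's exact-match check. The sample RelayState values are taken from the thread; the destination URLs and function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Sample RelayState from the thread (the SP's return URL); constructed input.
SAMPLE_RELAY_STATE = "http://phpsaml/demo1/"


def build_post_form(destination, saml_response_b64, relay_state):
    """IdP side, HTTP-POST binding: put RelayState into a hidden input.

    html.escape() only rewrites & < > " ' so the value cannot break out of
    the value="" attribute; slashes, colons and everything else survive,
    and the browser unescapes the entities before submitting the form.
    """
    esc = lambda s: html.escape(s, quote=True)
    return (
        f'<form method="post" action="{esc(destination)}">'
        f'<input type="hidden" name="SAMLResponse" value="{esc(saml_response_b64)}"/>'
        f'<input type="hidden" name="RelayState" value="{esc(relay_state)}"/>'
        "</form>"
    )


def strip_slashes_escape(value):
    """Hypothetical over-eager 'escape' that drops forward slashes.

    This is NOT Keycloak's code; it only reproduces the symptom reported in
    the thread so the round-trip check below has something to catch.
    """
    return value.replace("/", "")


def build_redirect_url(destination, saml_request_b64, relay_state):
    """SP side, HTTP-Redirect binding: RelayState is a percent-encoded query
    parameter, which is how it shows up in the GET described above."""
    query = urlencode({"SAMLRequest": saml_request_b64, "RelayState": relay_state})
    return f"{destination}?{query}"


def relay_state_from_form(form_html):
    """What the browser submits back from the hidden input (entities decoded)."""
    m = re.search(r'name="RelayState" value="([^"]*)"', form_html)
    return html.unescape(m.group(1)) if m else None


def relay_state_from_redirect(url):
    """What the IdP receives from the redirect query string (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("RelayState", [None])[0]


def sp_check_relay_state(sent, received):
    """Bindings 3.1.1 check on the SP: the value that comes back must equal,
    byte for byte, the one the SP sent (kept e.g. in the user's session).
    Anything else, including a 'lightly modified' value, is rejected."""
    return sent is not None and sent == received


def demo():
    """Round-trip the sample RelayState through both bindings and through
    the slash-stripping variant; returns (post_ok, redirect_ok, stripped_ok)."""
    form_ok = build_post_form("https://sp.example/acs", "UkVTUE9OU0U=", SAMPLE_RELAY_STATE)
    form_bad = build_post_form("https://sp.example/acs", "UkVTUE9OU0U=",
                               strip_slashes_escape(SAMPLE_RELAY_STATE))
    url = build_redirect_url("https://idp.example/saml", "UkVRVUVTVA==", SAMPLE_RELAY_STATE)
    return (
        sp_check_relay_state(SAMPLE_RELAY_STATE, relay_state_from_form(form_ok)),
        sp_check_relay_state(SAMPLE_RELAY_STATE, relay_state_from_redirect(url)),
        sp_check_relay_state(SAMPLE_RELAY_STATE, relay_state_from_form(form_bad)),
    )


if __name__ == "__main__":
    print(demo())
```

Escaping for the HTML context (entities) and for the URL context (percent-encoding) are both reversible by the receiving side, which is why they satisfy "return the exact RelayState"; deleting characters is not reversible, so the SP's comparison against what it sent is the right place to detect it.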