[keycloak-user] Keycloak is throwing invalid_authn_request error for SAML Client

Jyoti Kumar Singh assassin.creed60 at gmail.com
Mon Apr 24 03:20:26 EDT 2017


Hi Team,

We have integrated SAP HANA system as a Service Provider with the Keycloak
2.2.1.Final version and provided "SAML Metadata IDPSSODescriptor" which
needs to be imported at Service Provider end.

But while saving the "SAML Metadata IDPSSODescriptor" at the Service Provider
end, the SingleSignOnService Location is getting saved with the addition of the 443
port number in the Destination URL. For example, if Keycloak is providing the
IDP SingleSignOnService Location as
"https://test.example.com/auth/realms/zzz/protocol/saml", the Service Provider
is saving it as "https://test.example.com:443/auth/realms/zzz/protocol/saml".

Once the Service Provider is making an AuthnRequest call to Keycloak, it is
sending the Destination URL as
"https://test.example.com:443/auth/realms/zzz/protocol/saml" as part of the
AuthnRequest. As the destination URL contains the extra ":443", Keycloak is
refusing to accept it and throws the "error=invalid_authn_request,
reason=invalid_destination" error.

Looks like Keycloak is very strict about matching the destination URL which is
sent from the SP as part of the AuthnRequest. Do we have any option in Keycloak
which will accept the Destination URL with a port number in the AuthnRequest, or
is there any workaround to handle this?

Please let me know for any other information regarding this.

-- 


*With Regards, Jyoti Kumar Singh*
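To show why the request described above is rejected, here is an added Python example (not Keycloak's or SAP HANA's code) that pulls the Destination attribute out of a constructed AuthnRequest and compares it to the IdP's SSO endpoint twice: byte-for-byte, mirroring the strict matching the post describes, and after RFC 3986 default-port normalization, which is the kind of comparison that would treat ":443" on an https URL as equivalent. The sample request, its ID and the comparison functions are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}

# IdP SingleSignOnService Location as published in the Keycloak metadata (from the post).
IDP_SSO_URL = "https://test.example.com/auth/realms/zzz/protocol/saml"

# Constructed AuthnRequest carrying the ":443" Destination the SP sends; ID and
# IssueInstant are made-up sample values.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2017-04-24T07:20:26Z"
    Destination="https://test.example.com:443/auth/realms/zzz/protocol/saml"/>"""


def extract_destination(authn_request_xml: str) -> str:
    """Return the Destination attribute of a samlp:AuthnRequest, or raise."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest element")
    destination = root.get("Destination")
    if not destination:
        raise ValueError("AuthnRequest has no Destination attribute")
    return destination


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop a default port, drop fragment (RFC 3986 style)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # hostname is already lower-cased by urlsplit
    port = parts.port
    if port is not None and DEFAULT_PORTS.get(scheme) == port:
        port = None  # https://host:443 and https://host are the same endpoint
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def destination_matches_strict(destination: str, expected: str) -> bool:
    """Exact string comparison: rejects the ':443' form, as the post describes."""
    return destination == expected


def destination_matches_normalized(destination: str, expected: str) -> bool:
    """Comparison after normalization: accepts ':443' on https, still rejects other ports."""
    return normalize_url(destination) == normalize_url(expected)


if __name__ == "__main__":
    dest = extract_destination(SAMPLE_AUTHN_REQUEST)
    print("strict match:    ", destination_matches_strict(dest, IDP_SSO_URL))
    print("normalized match:", destination_matches_normalized(dest, IDP_SSO_URL))
```

The normalized check still rejects a genuinely different endpoint (another port, scheme or path), so it only relaxes the comparison for the equivalent-URL case the post hits.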

