[keycloak-user] Keycloak is throwing invalid_authn_request error for SAML Client
Jyoti Kumar Singh
assassin.creed60 at gmail.com
Mon Apr 24 23:29:10 EDT 2017
Hi Team,
Is there any suggestion for me to look upon regarding the keycloak
invalid_authn_request error for SAML client ?
On Mon, Apr 24, 2017 at 12:50 PM, Jyoti Kumar Singh <
assassin.creed60 at gmail.com> wrote:
> Hi Team,
>
> We have integrated SAP HANA system as a Service Provider with the Keycloak
> 2.2.1.Final version and provided "SAML Metadata IDPSSODescriptor" which
> needs to be imported at Service Provider end.
>
> But while saving the "SAML Metadata IDPSSODescriptor" at Service Provider
> end, SingleSignOnService Location is getting saved with addition of 443
> port number in the Destination URL. For example, If Keycloak is providing
> IDP SingleSignOnService Location as "https://test.example.com/
> auth/realms/zzz/protocol/saml", Service Provider is saving it as "
> https://test.example.com:443/auth/realms/zzz/protocol/saml".
>
> Once Service Provider is making a AuthnRequest Call to Keycloak, it is
> sending Destination URL as "https://test.example.com:443/
> auth/realms/zzz/protocol/saml" as part of AuthnRequest. As the
> destination URL contains ":443" extra, Keycloak is refusing to accept it
> and throws "error=invalid_authn_request, reason=invalid_destination" error.
>
> Looks like Keycloak is very strict about destination URL matching which is
> sent from SP as part of AuthnRequest. Do we have any option in Keycloak
> which will accept the Destination URL with port number in AuthnRequest or
> is there any work around to handle this?
>
> Please let me know for any other information regarding this.
>
> --
>
>
> *With Regards, Jyoti Kumar Singh*
>
--
*With Regards, Jyoti Kumar Singh*
More information about the keycloak-user
mailing list