[keycloak-user] Keycloak is throwing invalid_authn_request error for SAML Client

Peter K. Boucher pkboucher801 at gmail.com
Sat Apr 29 15:15:27 EDT 2017


See https://issues.jboss.org/browse/KEYCLOAK-4813 and I would also like to
solicit any thoughts on a workaround.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org
[mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of abhishek raghav
Sent: Tuesday, April 25, 2017 9:30 AM
To: Jyoti Kumar Singh <assassin.creed60 at gmail.com>; keycloak-user
<keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak is throwing invalid_authn_request
error for SAML Client

Hi,

We are also facing a similar issue in our infrastructure setup with SAP HANA
as a Service Provider.
Did you get any workaround for this?

Cheers
-Abhishek







On Tue, Apr 25, 2017 at 8:59 AM, Jyoti Kumar Singh <
assassin.creed60 at gmail.com> wrote:

> Hi Team,
>
> Is there any suggestion for me to look into regarding the Keycloak
> invalid_authn_request error for the SAML client?
>
> On Mon, Apr 24, 2017 at 12:50 PM, Jyoti Kumar Singh <
> assassin.creed60 at gmail.com> wrote:
>
> > Hi Team,
> >
> > We have integrated the SAP HANA system as a Service Provider with the
> > Keycloak 2.2.1.Final version and provided the "SAML Metadata
> > IDPSSODescriptor" which needs to be imported at the Service Provider end.
> >
> > But while saving the "SAML Metadata IDPSSODescriptor" at the Service
> > Provider end, the SingleSignOnService Location is getting saved with the
> > addition of the 443 port number in the Destination URL. For example, if
> > Keycloak is providing the IDP SingleSignOnService Location as
> > "https://test.example.com/auth/realms/zzz/protocol/saml", the Service
> > Provider is saving it as
> > "https://test.example.com:443/auth/realms/zzz/protocol/saml".
> >
> > Once the Service Provider makes an AuthnRequest call to Keycloak, it is
> > sending the Destination URL as
> > "https://test.example.com:443/auth/realms/zzz/protocol/saml" as part of
> > the AuthnRequest. As the destination URL contains the extra ":443",
> > Keycloak is refusing to accept it and throws the
> > "error=invalid_authn_request, reason=invalid_destination" error.
> >
> > Looks like Keycloak is very strict about matching the destination URL
> > which is sent from the SP as part of the AuthnRequest. Do we have any
> > option in Keycloak which will accept the Destination URL with a port
> > number in the AuthnRequest, or is there any workaround to handle this?
> >
> > Please let me know if any other information is needed regarding this.
> >
> > --
> >
> >
> > *With Regards, Jyoti Kumar Singh*
> >
>
>
>
> --
>
>
> *With Regards, Jyoti Kumar Singh*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
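To check whether a rejected request differs from the IdP endpoint only by the explicit default port, as in the report quoted above, the following added example (not code from this thread or from Keycloak) decodes an AuthnRequest and classifies its Destination. It assumes the HTTP-Redirect binding encoding (base64 over raw DEFLATE); the function names and the sample request are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the SP sends the IdP URL with ":443" appended.
IDP_ENDPOINT = "https://test.example.com/auth/realms/zzz/protocol/saml"
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2017-04-24T00:00:00Z" '
    'Destination="https://test.example.com:443/auth/realms/zzz/protocol/saml"/>'
)

def encode_redirect(xml):
    """Encode XML the way the HTTP-Redirect binding does (before URL-encoding)."""
    c = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def destination_of(saml_request_b64):
    """Return the Destination attribute of a redirect-binding SAMLRequest.

    Diagnostic use on requests you captured yourself; for untrusted XML,
    parse with a hardened parser such as defusedxml instead.
    """
    xml = zlib.decompress(base64.b64decode(saml_request_b64), -15)
    return ET.fromstring(xml).get("Destination")

def canonical(url):
    """(scheme, host, effective port, path) with the default port made explicit."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (p.hostname or "").lower(), port, p.path)

def diagnose(idp_endpoint, destination):
    """Classify how the Destination relates to the IdP endpoint."""
    if destination == idp_endpoint:
        return "exact-match"            # passes a strict string comparison
    if canonical(destination) == canonical(idp_endpoint):
        return "default-port-only"      # same endpoint, only ":443"/":80" differs
    return "different-endpoint"         # host, port, scheme or path really differ

if __name__ == "__main__":
    dest = destination_of(encode_redirect(SAMPLE_XML))
    print(dest, "->", diagnose(IDP_ENDPOINT, dest))
```

A result of `default-port-only` confirms the situation described in the thread; `different-endpoint` means the Service Provider metadata points somewhere else and the rejection is correct.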