[keycloak-user] Force POST setting in SAML??

Dmitry Telegin dt at acutus.pro
Fri Aug 3 13:17:28 EDT 2018


Hi Max,

Could you please attach that SP metadata file for both configurations? (scrubbing sensitive data, if any)

Also if you are on a purely testing (non-critical) environment, could you please capture the whole conversation into a HAR file and share it? (F12 > Network > right click, "Save as HAR with contents" or like that; don't forget to turn on Preserve logs)
This might be super helpful to understand what's going on. Also make sure it doesn't expose anything sensitive.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-08-02 at 14:42 +0100, Max Allan wrote:
> Hi,
> I have a SAML SP that needs both POST and Redirect methods in the
> sp_metadata file. (if redirect is missing then it fails to even start up the
> app)
> 
> A bit of fiddling and I noticed the "Force POST Binding" in the client
> config. If I turn it OFF then both POST and Redirect lines appear in the
> installation file. Nice.
> 
> However, when the user tries to login, something (Keycloak I'm pretty sure)
> gets things wildly wrong and the browser ends up at the SP's redirect URI
> with the "SAMLRequest=...." in the URL.
> 
> The SP doesn't know how to process that (that's for Keycloak). So it fails
> to login.
> 
> If I leave "Force POST" ON, then the sp_metadata needs a manual edit to
> include the Redirect method. But at least the user can login.
> 
> Can anyone explain what's going on? Why do I need to set it off to generate
> the xml for the SP and then back on to actually work??
> 
> Thanks,
> Max
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
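As an added example (not code from the thread or from Keycloak), here is a small check for the comparison Dmitry asks for: it parses an SP metadata file and lists which SAML bindings (HTTP-POST, HTTP-Redirect) each AssertionConsumerService and SingleLogoutService declares, so the "Force POST Binding" ON and OFF exports can be diffed precisely. The sample metadata is constructed for the example; entity IDs and URLs are placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect",
}
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleLogoutService")

# Constructed sample: an SP descriptor that declares both bindings on both endpoints
# (the shape Max reports with "Force POST Binding" turned OFF). Hosts are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/logout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.test/saml/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.test/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoint_bindings(metadata_xml):
    """Map endpoint type -> {binding name -> [Location, ...]} for every SPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    result = {tag: {} for tag in ENDPOINT_TAGS}
    for sp in root.iter("{%s}SPSSODescriptor" % MD_NS):
        for tag in ENDPOINT_TAGS:
            for ep in sp.findall("md:%s" % tag, NS):
                # Unknown binding URNs are kept verbatim so nothing is silently dropped.
                name = BINDINGS.get(ep.get("Binding"), ep.get("Binding"))
                result[tag].setdefault(name, []).append(ep.get("Location"))
    return result


def missing_bindings(metadata_xml, required=("POST", "Redirect")):
    """Return {endpoint type: [bindings the SP needs but the metadata does not declare]}."""
    found = endpoint_bindings(metadata_xml)
    gaps = {tag: [b for b in required if b not in found[tag]] for tag in ENDPOINT_TAGS}
    return {tag: missing for tag, missing in gaps.items() if missing}


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    for tag, per_binding in endpoint_bindings(xml_text).items():
        print(tag, {b: len(locs) for b, locs in per_binding.items()})
    print("missing:", missing_bindings(xml_text) or "none")
```

Run it once against the metadata exported with "Force POST Binding" ON and once with it OFF; the `missing:` line shows which endpoint lost its Redirect entry.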

