[keycloak-user] IDPSSODescriptor only has SingleSignOnService for POST binding

Audun Røe audunroe at gmail.com
Mon Mar 25 09:45:31 EDT 2019


Hello,

when obtaining KeyCloak SAML IDP metadata through the admin dashboard
(Client > Installation and selecting "SAML Metadata IDPSSODescriptor" from
the dropdown) the metadata only contains a SingleSignOnService for
HTTP-POST binding:

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml" />


When instead getting the metadata through the following URL, it also has
HTTP-Redirect and SOAP endpoints:
https://keycloak.example.com/auth/realms/example.com/protocol/saml/descriptor

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>

Is there a reason for the discrepancy, or is it a bug? It's not really a
problem, but our SP wants an HTTP-Redirect endpoint, so attempting to upload
the former metadata variant failed, while the latter works fine.


Regards,
Audun
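One way an SP operator can check which SingleSignOnService bindings a metadata file actually advertises (and that every endpoint points at the expected IdP host) before uploading it, as an added example that is not part of the original post or of Keycloak itself. The two metadata documents are constructed to mirror the elements quoted above; the EntityDescriptor wrapper and the entityID value are assumptions, not taken from the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
SAML_ENDPOINT = "https://keycloak.example.com/auth/realms/example.com/protocol/saml"

# Constructed sample: the dashboard "SAML Metadata IDPSSODescriptor" export as the
# post describes it, with only an HTTP-POST endpoint. Wrapper and entityID are assumed.
DASHBOARD_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://keycloak.example.com/auth/realms/example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{POST}" Location="{SAML_ENDPOINT}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the /protocol/saml/descriptor variant, with all three bindings.
DESCRIPTOR_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://keycloak.example.com/auth/realms/example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{POST}" Location="{SAML_ENDPOINT}"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="{SAML_ENDPOINT}"/>
    <md:SingleSignOnService Binding="{SOAP}" Location="{SAML_ENDPOINT}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_endpoints(metadata_xml: str) -> dict[str, str]:
    """Map each SingleSignOnService Binding URI to its Location.

    Raises ValueError on an element missing either required attribute, so a
    truncated or hand-edited metadata file fails loudly instead of silently
    advertising nothing.
    """
    root = ET.fromstring(metadata_xml)
    endpoints: dict[str, str] = {}
    for el in root.iter(f"{{{MD_NS}}}SingleSignOnService"):
        binding, location = el.get("Binding"), el.get("Location")
        if not binding or not location:
            raise ValueError("SingleSignOnService without Binding or Location")
        endpoints[binding] = location
    return endpoints


def missing_bindings(metadata_xml: str, required: list[str]) -> list[str]:
    """Return the required bindings the metadata does not advertise (sorted)."""
    present = sso_endpoints(metadata_xml)
    return sorted(b for b in required if b not in present)


def foreign_locations(metadata_xml: str, expected_host: str) -> list[str]:
    """Return Location URLs that are not HTTPS on the expected IdP host.

    An SP should refuse metadata whose endpoints would send the user (and the
    SAMLRequest) somewhere other than the IdP it was told to trust.
    """
    bad = []
    for location in sso_endpoints(metadata_xml).values():
        parts = urlsplit(location)
        if parts.scheme != "https" or parts.hostname != expected_host:
            bad.append(location)
    return bad


if __name__ == "__main__":
    for name, doc in (("dashboard export", DASHBOARD_METADATA),
                      ("descriptor URL", DESCRIPTOR_METADATA)):
        gaps = missing_bindings(doc, [REDIRECT])
        foreign = foreign_locations(doc, "keycloak.example.com")
        status = "OK" if not gaps and not foreign else "REJECT"
        print(f"{name}: {status} missing={gaps} foreign={foreign}")
```

Run as a script it reports the dashboard export as lacking HTTP-Redirect and the descriptor variant as complete; `missing_bindings` is the check that reproduces the SP-side upload failure the post describes, and `foreign_locations` is the extra check worth running on any metadata obtained over the network before trusting it.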