[keycloak-user] IDPSSODescriptor only has SingleSignOnService for POST binding

John Dennis jdennis at redhat.com
Mon Mar 25 10:24:38 EDT 2019


On 3/25/19 9:45 AM, Audun Røe wrote:
> Hello,
> 
> when obtaining KeyCloak SAML IDP metadata through the admin dashboard
> (Client > Installation and selecting "SAML Metadata IDPSSODescriptor" from
> the dropdown) the metadata only contains a SingleSignOnService for
> HTTP-POST binding:
> 
> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>   Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml" />
> 
> 
> When instead getting this metadata through the following URL, it also has
> HTTP-Redirect and SOAP endpoints:
> https://keycloak.example.com/auth/realms/example.com/protocol/saml/descriptor
> 
> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>   Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>   Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>   Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
> 
> Is there a reason for the discrepancy, or is it a bug? It's not really a
> problem, but our SP wants an HTTP-Redirect endpoint, so attempting to upload
> the former metadata variant failed, while the latter works fine.

Known issue and recently fixed, see
https://issues.jboss.org/browse/KEYCLOAK-8537

There was a very similar issue with SP logout metadata handling 
described in this JIRA that was fixed just a day or two ago.

https://issues.jboss.org/browse/KEYCLOAK-8535


-- 
John Dennis
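The mismatch in the thread is the kind of thing worth checking mechanically before handing IdP metadata to an SP. The following is an added example, not code from the Keycloak project or from anyone in this thread: it parses an IDPSSODescriptor, lists the SingleSignOnService bindings it advertises, and reports any required binding that is missing (plus any endpoint Location not served over HTTPS). The two metadata documents are constructed and abbreviated from the fragments quoted above; the entityID and the default required binding (HTTP-Redirect, which the poster's SP needed) are assumptions.

```python
"""Check which SingleSignOnService bindings a SAML IdP metadata document advertises.

Added example, not Keycloak's code. The sample XML is constructed from the
fragments quoted in the thread; the entityID value is an assumption.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
IDP_URL = "https://keycloak.example.com/auth/realms/example.com/protocol/saml"


def _wrap(services):
    """Build a minimal EntityDescriptor around the given SingleSignOnService elements."""
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'entityID="https://keycloak.example.com/auth/realms/example.com">'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol">' + services +
            '</md:IDPSSODescriptor></md:EntityDescriptor>')


def _sso(binding, location=IDP_URL):
    return f'<md:SingleSignOnService Binding="{BINDING_PREFIX}{binding}" Location="{location}"/>'


# Constructed samples mirroring the two exports described in the thread.
METADATA_POST_ONLY = _wrap(_sso("HTTP-POST"))                                   # "Installation" export
METADATA_FULL = _wrap(_sso("HTTP-POST") + _sso("HTTP-Redirect") + _sso("SOAP"))  # /descriptor URL


def sso_endpoints(metadata_xml):
    """Return {binding short name: Location} for each SingleSignOnService in the IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for svc in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        binding = svc.get("Binding", "")
        if binding.startswith(BINDING_PREFIX):
            endpoints[binding[len(BINDING_PREFIX):]] = svc.get("Location", "")
    return endpoints


def metadata_problems(metadata_xml, required=("HTTP-Redirect",)):
    """List reasons an SP would reject this metadata: required bindings that are
    absent, and endpoint Locations that are not HTTPS (SAML messages carry
    credentials, so a plain-HTTP endpoint is a misconfiguration worth flagging)."""
    endpoints = sso_endpoints(metadata_xml)
    problems = [f"missing SingleSignOnService binding {b}" for b in required if b not in endpoints]
    problems += [f"{b} Location is not https: {loc}" for b, loc in endpoints.items()
                 if not loc.startswith("https://")]
    return problems


if __name__ == "__main__":
    for name, doc in (("installation export", METADATA_POST_ONLY), ("descriptor URL", METADATA_FULL)):
        print(f"{name}: {metadata_problems(doc) or 'ok'}")
```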