Port removed from SAML redirect URI

Hannah Short
May 16, 2023, 4:07:57 AM
to Keycloak User
Hi, 

We just upgraded to KC 20 and seem to see a regression of a bug that may have been fixed in v 13 (see e.g. https://stackoverflow.com/questions/63437976/keycloak-is-stripping-the-port-from-my-redirect-uri-in-the-location-header-why).

One SAML app sets its AssertionConsumerServiceURL="https://testeam.cern.ch:443/sso/fedletapplication"; https://testeam.cern.ch:443/sso/fedletapplication is set as the redirectURI.

When the SAML request hits Keycloak we get the "Invalid redirectURI" error.

If I set "Valid Redirect URIs" to "*" Keycloak sends a SAML response but with destination Destination="https://testeam.cern.ch/sso/fedletapplication" (note the missing port). 

Of course that doesn't match the expected AssertionConsumerServiceURL/Destination so the client is unable to accept the SAML response. 

Any help is really appreciated. So far we only have 1 affected application but we host almost 10,000 so probably have more. 

Thanks,
Hannah (CERN)


Hannah Short
May 17, 2023, 7:40:21 AM
to Keycloak User
As a quick update, we managed to reproduce and test against Keycloak 21 and it seems to be fixed there. 
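
A diagnostic for the mismatch described in this thread, added here as an example (it is not part of the original posts and is not Keycloak code). It compares the AssertionConsumerServiceURL of a captured AuthnRequest with the Destination of the Response, and lists configured URLs that spell out a default port so other affected clients can be found. The sample XML is constructed around the two URLs quoted above; all function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample messages; only the two URLs come from the thread.
AUTHN_REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
                 'AssertionConsumerServiceURL="https://testeam.cern.ch:443/sso/fedletapplication"/>')
RESPONSE = (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0" '
            'Destination="https://testeam.cern.ch/sso/fedletapplication"/>')

def root_attr(xml_text, element, name):
    """Return attribute `name` from a SAML protocol root element."""
    # For captures from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}{element}":
        raise ValueError(f"expected samlp:{element}, got {root.tag}")
    return root.get(name)

def canonical(url):
    """Normalize a URL so an omitted port equals the scheme default."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (p.hostname or "").lower(), port, p.path, p.query

def classify(acs_url, destination):
    """Compare what the SP asked for with what the IdP put in Destination."""
    if acs_url == destination:
        return "match"
    if canonical(acs_url) == canonical(destination):
        return "default-port-mismatch"  # same endpoint, different string
    return "different-endpoint"

def check_exchange(authn_request_xml, response_xml):
    acs = root_attr(authn_request_xml, "AuthnRequest", "AssertionConsumerServiceURL")
    dest = root_attr(response_xml, "Response", "Destination")
    return classify(acs, dest)

def explicit_default_port(urls):
    """List URLs that spell out their scheme's default port (e.g. https + :443)."""
    out = []
    for u in urls:
        p = urlsplit(u)
        if p.port is not None and p.port == DEFAULT_PORTS.get(p.scheme.lower()):
            out.append(u)
    return out
```

Running `explicit_default_port` over an export of each client's configured ACS and redirect URLs gives the list of applications to retest after an upgrade.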