SAML-artifact binding


Abuesyz

Oct 5, 2022, 4:47:23 AM
to Keycloak User
Hi All,

I am setting up Keycloak (18.0) as an identity broker (SAML 2.0). I received the metadata.xml from the external IDP and was able to import it successfully in Keycloak under the section 'Identity Provider'.

The picture below describes what I want to achieve:

[image: identity-broker.png]

Steps 1 to 6 are successful. But if you look at step 7: this is where I am first receiving a SAML artifact from the external IDP. It is sent to the 'Redirect Uri' that I have configured in the Identity-Provider section of Keycloak.

And I need to redirect this SAML artifact to the IDP artifact resolution service URL. After that I will receive an 'Authentication Response'.

And it seems that Keycloak doesn't know what to do with this SAML artifact. I keep getting a bad request from Keycloak (code 400).

Or should I also configure a 'Client' in Keycloak that somehow connects to the 'Identity provider' section in Keycloak?

I hope someone can help me.

Thanks in advance

Abuesyz
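The exchange described in the question at step 7 (take the SAMLart value from the redirect, resolve it against the IdP's artifact resolution service, receive the Authentication Response), as an added example in Python that is not part of the original post and is not Keycloak code. It assumes the SAML 2.0 type-4 artifact layout from the Bindings specification (section 3.6.4); the entity IDs, request IDs and the sample IdP reply are constructed placeholders. It also shows the checks a broker should make before trusting the result: the artifact's SourceID must match the configured IdP, the ArtifactResponse's InResponseTo must match the request the broker sent, and the status must be Success. XML signature verification of the ArtifactResponse and of the inner Response is not shown and must be done by a real implementation.

```python
"""Added example (not from the thread, not Keycloak code): decode a SAML 2.0
type-4 artifact and perform the ArtifactResolve / ArtifactResponse exchange a
broker must do at step 7. Entity IDs and sample messages are constructed
placeholders; XML signature verification is deliberately out of scope."""
import base64
import hashlib
import secrets
import struct
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
for _prefix, _uri in (("soap-env", SOAP), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(_prefix, _uri)

# Constructed placeholders for the external IdP and the Keycloak broker.
IDP_ENTITY_ID = "https://idp.example.test/saml/metadata"
BROKER_ENTITY_ID = "https://keycloak.example.test/realms/adv-realm"


@dataclass(frozen=True)
class Artifact:
    type_code: int         # always 0x0004 for SAML 2.0
    endpoint_index: int    # selects an ArtifactResolutionService in IdP metadata
    source_id: bytes       # SHA-1 of the issuer's entityID
    message_handle: bytes  # opaque 20-byte reference held by the IdP


def now_iso() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def source_id_for(entity_id: str) -> bytes:
    return hashlib.sha1(entity_id.encode()).digest()


def encode_artifact(entity_id: str, endpoint_index: int = 0, handle: Optional[bytes] = None) -> str:
    """What the IdP puts in the SAMLart parameter; used here to build test input."""
    handle = handle if handle is not None else secrets.token_bytes(20)
    raw = struct.pack(">HH", 0x0004, endpoint_index) + source_id_for(entity_id) + handle
    return base64.b64encode(raw).decode()


def decode_artifact(value: str) -> Artifact:
    """Strictly parse the 44-byte artifact and reject anything that is not type 4."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 44:
        raise ValueError(f"type 4 artifact must be 44 bytes, got {len(raw)}")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != 0x0004:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return Artifact(type_code, endpoint_index, raw[4:24], raw[24:44])


def issuer_matches(art: Artifact, expected_entity_id: str) -> bool:
    """Only resolve artifacts whose SourceID is the IdP configured in the broker."""
    return secrets.compare_digest(art.source_id, source_id_for(expected_entity_id))


def build_artifact_resolve(artifact_value: str, issuer: str, request_id: str) -> bytes:
    """SOAP-wrapped <samlp:ArtifactResolve> for the IdP's artifact resolution service."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP}}}ArtifactResolve",
                        ID=request_id, Version="2.0", IssueInstant=now_iso())
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}Artifact").text = artifact_value
    return ET.tostring(env)


def parse_artifact_response(soap_xml: bytes, expected_request_id: str) -> ET.Element:
    """Validate the ArtifactResponse envelope and return the inner <samlp:Response>."""
    root = ET.fromstring(soap_xml)
    ar = root.find(f".//{{{SAMLP}}}ArtifactResponse")
    if ar is None:
        raise ValueError("SOAP body carries no ArtifactResponse")
    if ar.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our ArtifactResolve ID")
    code = ar.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("artifact resolution did not return Success")
    inner = ar.find(f"{{{SAMLP}}}Response")
    if inner is None:
        raise ValueError("ArtifactResponse carries no samlp:Response")
    return inner


def sample_artifact_response(in_response_to: str, response_id: str = "_resp-1") -> bytes:
    """Constructed stand-in for the IdP's reply so the example runs offline."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ar = ET.SubElement(body, f"{{{SAMLP}}}ArtifactResponse", ID="_ar-1", Version="2.0",
                       IssueInstant=now_iso(), InResponseTo=in_response_to)
    ET.SubElement(ar, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(ar, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_SUCCESS)
    resp = ET.SubElement(ar, f"{{{SAMLP}}}Response", ID=response_id, Version="2.0",
                         IssueInstant=now_iso())
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    return ET.tostring(env)


if __name__ == "__main__":
    artifact = encode_artifact(IDP_ENTITY_ID)
    assert issuer_matches(decode_artifact(artifact), IDP_ENTITY_ID)
    request_id = "_" + secrets.token_hex(16)
    print(build_artifact_resolve(artifact, BROKER_ENTITY_ID, request_id).decode())
    inner = parse_artifact_response(sample_artifact_response(request_id), request_id)
    print("resolved Response", inner.get("ID"), "from", inner.findtext(f"{{{SAML}}}Issuer"))
```

In a real broker the ArtifactResolve goes over an HTTPS SOAP call (often mutually authenticated) to the ArtifactResolutionService whose index equals the artifact's endpoint_index, and the returned Response is then processed exactly like a POST-binding response, including signature and audience checks.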


Abuesyz

Oct 5, 2022, 6:58:57 PM
to Keycloak User
In the Keycloak DEBUG logging I see the following:

2022-10-05 21:57:04,316 WARN  [org.keycloak.events] (executor-thread-244) type=LOGIN_ERROR, realmId=adv-realm, clientId=null, userId=null, ipAddress=x.x.x.x, error=invalid_request

Abuesyz

Oct 8, 2022, 10:56:41 AM
to Keycloak User
I am now wondering that perhaps Keycloak does not yet support the thing I want. I have found the links mentioned below:

https://github.com/keycloak/keycloak/issues/14073
https://issues.redhat.com/browse/KEYCLOAK-9993

And it seems it's still an open issue that has yet to be implemented in Keycloak.

Can someone please confirm this?

Michal Hajas

Oct 13, 2022, 8:28:48 AM
to Abuesyz, Keycloak User
I can confirm that.

Keycloak currently supports Artifact binding only in server-to-client communication. The work that was done was tracked under this Jira: https://issues.redhat.com/browse/KEYCLOAK-9992. Notice also that adapters don't support it.

Michal

Abuesyz

Oct 13, 2022, 8:51:23 AM
to Keycloak User
Thanks for the confirmation :)

Any chance you know when it will be implemented (if at all)? I don't know if it's on the 'roadmap'.

Michal Hajas

Oct 14, 2022, 11:04:04 AM
to Abuesyz, Keycloak User
I am not aware of this being on the roadmap at the moment. However, I saw some people asking about it recently, so maybe sometime in the future it will show up there, but I would not rely on it. Anyway, a contribution would be greatly appreciated.

Michal
