Help with SAMLRequest or SALMResponse must be present as query string parameters in http request

Kenn Baker

Apr 3, 2020, 7:25:49 AM
to Keycloak User
Some of our users are reporting that they are receiving the error "AADSTS750054: SAMLRequest or SALMResponse must be present as query string parameters in http request for SAML Redirect binding." when they attempt to log in to our app using an Azure AD Identity Provider.

This seems to occur all of the time on an iPhone within a native shell built on chromium (but also from a Samsung phone).

This is occurring for 2 customers who have a similar setup.

I've attached a screenshot from an iPhone.

I cannot replicate the issue on Chrome, Firefox or Safari on Mac, or on our Android app.

I'm running Keycloak 6.0.1.

Following are details of our setup.

I have set up a SAML identity provider for a customer who uses Azure AD.

My Identity Provider details include (with <snipped> values):
  • Redirect URI: https://<my.login.domain>/auth/realms/<the-client>/broker/saml/endpoint
  • Display Name: Login using your Microsoft credentials
  • Single Sign-On Service URL: https://login.microsoftonline.com/<client-number>/saml2

The login page (https://<my.login.domain>/auth/realms/<the-client>/protocol/openid-connect/auth?client_id=<the-client>...) includes a "Login using your Microsoft credentials" button.

Clicking on the button starts the Microsoft login workflow.

I have set up some mappings and all works well. Users can log in and user records are being created in Keycloak with correct mappings.

As I said, I can't yet replicate the issue.

My understanding of Keycloak is relatively basic, so I'm googling to see if I can find some help.

"The application needs to send the SAML request encoded into the location header using HTTP redirect binding."

The page pointed to https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf, which seems to suggest that maybe some user agents might need this information in the Location header (if that's the case, it might explain why it's working most of the time?).

Is Keycloak omitting to send information in the Location header?

Is there some further configuration that I have omitted, which means that Keycloak isn't sending some information?

I'm using a slightly older Keycloak server. Is this a known issue?

Any help would be greatly appreciated.
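The HTTP-Redirect binding mechanics behind the quoted sentence, as an added example that is not from the original post, from Keycloak or from Microsoft: one function builds the Location URL the SP should emit (AuthnRequest raw-DEFLATEd, base64-encoded and URL-encoded into a SAMLRequest query parameter), and a diagnostic function tells whether a captured Location header actually carries SAMLRequest or SAMLResponse, which is the condition AADSTS750054 reports as missing. The SSO URL, realm and AuthnRequest XML are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed sample AuthnRequest; tenant id and realm are placeholders.
SAMPLE_SSO_URL = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2020-04-03T07:25:49Z" '
    f'Destination="{SAMPLE_SSO_URL}">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://my.login.domain.example/auth/realms/example-realm</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(sso_url, authn_request_xml, relay_state=None):
    """Return the Location header value for the SAML HTTP-Redirect binding.

    The binding spec requires raw DEFLATE (no zlib header), then base64,
    then URL-encoding of the value as the SAMLRequest query parameter.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate
    deflated = compressor.compress(authn_request_xml.encode("utf-8"))
    deflated += compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"


def check_redirect_location(location):
    """Diagnose a captured Location header for the redirect binding.

    Reports which SAML parameter is present in the query string and returns
    the inflated XML; ok=False reproduces the situation the IdP rejects.
    """
    query = parse_qs(urlparse(location).query)
    for name in ("SAMLRequest", "SAMLResponse"):
        if name in query:
            # A client that forgot to percent-encode '+' turns it into ' ' on
            # parsing; restoring it avoids a misleading base64 failure here.
            value = query[name][0].replace(" ", "+")
            raw = base64.b64decode(value)
            xml = zlib.decompress(raw, -15).decode("utf-8")
            return {"ok": True, "param": name, "xml": xml}
    return {"ok": False, "param": None, "xml": None}
```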