  1. Keycloak
  2. KEYCLOAK-13005

SAML client config: cannot remove fine grain configuration

    Details

    • Sprint:
      Keycloak Sprint 36, Keycloak Sprint 37, Keycloak Sprint 38
    • Steps to Reproduce:

      1. Prepare sample SAML application and deploy it (e.g. app-profile-saml-jee-jsp from quickstarts),
      2. On Keycloak server, create a client as per quickstarts readme,
      3. When configuring the client, set:

      Valid Redirect URIs: http://localhost:8080/app-profile-saml/*
      Base URL: http://localhost:8080/app-profile-saml/
      Master SAML Processing URL: http://localhost:8080/app-profile-saml/saml

      Test the authentication, after logging in, Keycloak redirects to http://localhost:8080/app-profile-saml/saml -> OK.

      4. Edit the client, set:

      Assertion Consumer Service POST Binding URL: http://localhost:8080/app-profile-saml/saml (same URL as above; you can set a different one)

      Test authentication - after logging in, Keycloak redirects to the URL set in this step.

      5. Edit the client, delete the value in "Assertion Consumer Service POST Binding URL".

      Test auth, after logging in, Keycloak doesn't redirect back to the app.

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Once the "Assertion Consumer Service POST Binding URL" field in the Client Configuration form (under the "Fine Grain SAML Endpoint Configuration" section) is set, it cannot be "unset".

      Explanation: the client form contains two fields for POST SAML binding:

      [1] "Master SAML Processing URL", which is the universal URL that should be used for all SAML bindings,
      [2] "Assertion Consumer Service POST Binding URL" under "Fine Grain" configuration, which, if set, overrides the value in [1].

      • If I only set [1], the redirection form in the SSO authentication workflow redirects to the URL in [1] - correct.
      • If I set [1] and [2], the redirection form redirects to the URL set in [2] - also correct.
      • But now, when I delete the value in [2] and save it, the redirection form in the authentication workflow has its action attribute set to the empty string "", and so it doesn't redirect me back to the service provider.

      My expectation is that when I delete the value in field [2], Keycloak will start redirecting to the URL specified in field [1], as if I had never set field [2] at all.
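
The fallback the report expects, plus a check that flags affected clients in a realm export, as an added example that is not part of the original report or Keycloak's own code. It assumes the export stores field [1] as `adminUrl` and field [2] as the client attribute `saml_assertion_consumer_url_post`, and that a deleted [2] persists as an empty string; the client names and the `/acs` URL are constructed.

```python
import json

# Assumed key names in a Keycloak realm export (not stated in the report).
MASTER_URL_KEY = "adminUrl"                          # field [1]
ACS_POST_ATTR = "saml_assertion_consumer_url_post"   # field [2]

def resolve_acs_post_url(client):
    """Expected behaviour: a blank [2] counts as unset and [1] is used."""
    override = (client.get("attributes") or {}).get(ACS_POST_ATTR)
    if override is not None and override.strip():
        return override.strip()
    master = client.get(MASTER_URL_KEY)
    return master.strip() if master and master.strip() else None

def find_blank_overrides(realm):
    """Return clientIds of SAML clients whose [2] is stored but blank."""
    hits = []
    for client in realm.get("clients", []):
        if client.get("protocol") != "saml":
            continue
        attrs = client.get("attributes") or {}
        if ACS_POST_ATTR in attrs and not (attrs[ACS_POST_ATTR] or "").strip():
            hits.append(client.get("clientId"))
    return hits

# Constructed sample export covering the three states from the report.
SAMPLE_EXPORT = json.loads("""
{"clients": [
  {"clientId": "only-master", "protocol": "saml",
   "adminUrl": "http://localhost:8080/app-profile-saml/saml", "attributes": {}},
  {"clientId": "with-override", "protocol": "saml",
   "adminUrl": "http://localhost:8080/app-profile-saml/saml",
   "attributes": {"saml_assertion_consumer_url_post": "http://localhost:8080/app-profile-saml/acs"}},
  {"clientId": "override-deleted", "protocol": "saml",
   "adminUrl": "http://localhost:8080/app-profile-saml/saml",
   "attributes": {"saml_assertion_consumer_url_post": ""}},
  {"clientId": "oidc-app", "protocol": "openid-connect", "attributes": {}}
]}
""")

if __name__ == "__main__":
    print("blank overrides:", find_blank_overrides(SAMPLE_EXPORT))
    for c in SAMPLE_EXPORT["clients"]:
        if c["protocol"] == "saml":
            print(c["clientId"], "->", resolve_acs_post_url(c))
```
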

              People

              • Assignee:
                sguilhen Stefan Guilhen
                Reporter:
                thofman Tomas Hofman
              • Votes:
                0
                Watchers:
                1
