Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-19388

AttributeConsumingService Bug in SAML SP metadata

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Done
    • None
    • 15.1.0
    • SAML

    Description

      Motivation:

      Keycloak version 15.0.0 introduced the AttributeConsumingService element in the SAML SP metadata. This is a useful feature since it allows mapping Attribute Importers into RequestedAttribute elements within the AttributeConsumingService. However the current implementation does not comply with the SAML Metadata Specification. Specifically:

      • The AttributeConsumingService element is included in Keycloak’s SAML SP metadata by default, even if no RequestedAttribute elements are specified
      • The ServiceName element is added only if the Attribute Consuming Service Name is set

      According to the SAML Metadata Specification, the AttributeConsumingService is optional (Zero or More) but when included it requires:

      • one or more RequestedAttribute elements
      • one or more ServiceName elements

      As a result, the default Keycloak SP metadata are deemed as invalid by SAML IdP software (e.g. SimpleSAMLphp) that performs metadata schema validation. Effectively, users can not login with these SAML IdPs, unless the Keycloak configuration includes a Service Name and one or more Attribute Importers.

      *Proposal: *

      In order to be compliant with the SAML Metadata Specification, we propose the following:

      1. The AttributeConsumingService is added to the SP metadata only when at least one Attribute Importer Mapper exists
      2. The Attribute Consuming Service Name has default value the realm display name when configured, otherwise equal to the realm name. When the AttributeConsumingService is not required for the SP metadata (see point 1) then the Attribute Consuming Service Name is ignored.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              cgeorgilakis Konstantinos Georgilakis
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: