Allow setting alternative destination in SAML configuration #22350
Replies: 2 comments
-
Hi @richardalberto! We're running into the same issue when trying to implement SAML brokering for our OIDC client. We can easily get SP-initiated to work using Keycloak's default endpoint (the one you posted in your message), but getting IdP-initiated to work is proving to be not as straightforward :/ An IdP-initiated assertion towards that endpoint throws an error due to RelayState being null. We've tried creating a separate SAML client and using the The issue we run into is that the SP-initiated and IdP-initiated flows now have two different ACS URLs. SP uses There doesn't seem to be a way in Keycloak to specify the destination we expect. Did you manage to solve your problem somehow?
-
Frankly, if we could avoid the whole SAML client thing and just have a way of specifying a "default client" or a URL to redirect to, after Keycloak has verified the assertion and created a session for the user, on our external IdP configuration, then that would simplify a lot for us. We could then simply specify our OIDC app's login path as a redirect URL.
-
The problem
Our customers created their SAML connections with legacy metadata fields before we started adopting Keycloak; the destination field is set on the IdP side to our legacy URL, which today serves as our SAML processing endpoint.
Keycloak has, and expects, per-identity-provider connection brokering endpoints in the format `https://keycloack.instance/realms/<realm>/broker/<endpoint-entity-id>/endpoint`. Therefore, if we were to simply proxy the legacy endpoint to Keycloak, Keycloak would reject the request, as it verifies that the destination field matches the URL path it is expecting. Since the destination field is configured within the customer's external IdP, it cannot be updated programmatically and would require customer intervention.
Possible solutions we've discussed
This feels like a common use case for companies adopting Keycloak and might benefit others going through a similar situation. I'm curious if this is something that would benefit the product, and more specifically I have a few questions:
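To make concrete what the original post describes, here is an added example (not Keycloak's code, and not from anyone in this thread) of the Destination check a broker endpoint performs on an incoming SAML Response, and of why a legacy destination URL fails it. The check exists because an assertion whose Destination names a different endpoint may have been issued for some other service and replayed here, so a receiver must refuse it rather than guess. The function names `broker_endpoint`, `check_destination` and `classify_flow`, and the two sample responses, are constructed for this illustration; the endpoint path shape follows the format quoted in the post.

```python
"""Destination validation for a SAML 2.0 Response at a broker endpoint.

Added illustration of the check the discussion refers to; it is not
Keycloak's implementation. Sample XML below is constructed for the example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def broker_endpoint(base_url: str, realm: str, idp_alias: str) -> str:
    """Build the per-identity-provider endpoint URL in the shape the post quotes."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{idp_alias}/endpoint"


def _normalize(url: str) -> tuple:
    """Compare scheme/host case-insensitively and ignore a trailing slash only."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/") or "/")


def check_destination(response_xml: str, expected_url: str) -> tuple:
    """Return (accepted, reason). The Response is accepted only when its
    Destination attribute is present and equals the endpoint that received it."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return (False, "not a samlp:Response")
    destination = root.get("Destination")
    if destination is None:
        return (False, "Destination attribute absent")
    if _normalize(destination) != _normalize(expected_url):
        return (False, f"Destination {destination!r} does not match {expected_url!r}")
    return (True, "ok")


def classify_flow(response_xml: str, relay_state) -> str:
    """Distinguish the two flows the first reply contrasts: an SP-initiated
    Response carries InResponseTo (the id of our AuthnRequest) and the
    RelayState we sent; an IdP-initiated one carries neither."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo"):
        return "sp-initiated"
    if relay_state is None:
        return "idp-initiated (no RelayState)"
    return "idp-initiated"


# Constructed sample: an IdP still configured with the legacy destination URL.
LEGACY_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://legacy.example.com/saml/acs"/>'
)

# Constructed sample: same IdP after its metadata was updated to the broker endpoint.
EXPECTED = broker_endpoint("https://keycloak.example.com", "myrealm", "customer-idp")
UPDATED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r2" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req42" '
    f'Destination="{EXPECTED}"/>'
)

if __name__ == "__main__":
    print(check_destination(LEGACY_RESPONSE, EXPECTED))
    print(check_destination(UPDATED_RESPONSE, EXPECTED))
    print(classify_flow(LEGACY_RESPONSE, None), classify_flow(UPDATED_RESPONSE, "state"))
```

Proxying the legacy URL to the broker endpoint changes where the message arrives, not the Destination the IdP wrote into it, which is why the comparison above still fails until the IdP metadata is updated; the normalization only tolerates case and a trailing slash, never a different host or path.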