From 26771b49037d84c6f0bc1ff2ef66c276913906ef Mon Sep 17 00:00:00 2001 From: rmartinc Date: Mon, 1 Apr 2019 14:53:52 +0200 Subject: [PATCH] KEYCLOAK-9966: Explain better how URL/Binding is selected for IDP iniated login --- .../topics/clients/saml/idp-initiated-login.adoc | 9 +++++++++ server_admin/topics/sso-protocols/saml.adoc | 5 +++++ 2 files changed, 14 insertions(+) diff --git a/server_admin/topics/clients/saml/idp-initiated-login.adoc b/server_admin/topics/clients/saml/idp-initiated-login.adoc index b0d27eb40c..ccaca52d28 100644 --- a/server_admin/topics/clients/saml/idp-initiated-login.adoc +++ b/server_admin/topics/clients/saml/idp-initiated-login.adoc @@ -6,6 +6,15 @@ In the `Settings` tab for your client, you need to specify the `IDP Initiated SS This is a simple string with no whitespace in it. After this you can reference your client at the following URL: `root/auth/realms/{realm}/protocol/saml/clients/{url-name}` +The IDP initiated login implementation prefers _POST_ over _REDIRECT_ binding (check <> for more information). +Therefore the final binding and SP URL are selected in the following way: + +1. If the specific `Assertion Consumer Service POST Binding URL` is defined (inside `Fine Grain SAML Endpoint Configuration` section +of the client settings) _POST_ binding is used through that URL. +2. If the general `Master SAML Processing URL` is specified then _POST_ binding is used again throught this general URL. +3. As the last resort, if the `Assertion Consumer Service Redirect Binding URL` is configured (inside +`Fine Grain SAML Endpoint Configuration`) _REDIRECT_ binding is used with this URL. + If your client requires a special relay state, you can also configure this on the `Settings` tab in the `IDP Initiated SSO Relay State` field. Alternatively, browsers can specify the relay state in a `RelayState` query parameter, i.e. `root/auth/realms/{realm}/protocol/saml/clients/{url-name}?RelayState=thestate`. 
diff --git a/server_admin/topics/sso-protocols/saml.adoc b/server_admin/topics/sso-protocols/saml.adoc index 81118bed44..2f85115f61 100644 --- a/server_admin/topics/sso-protocols/saml.adoc +++ b/server_admin/topics/sso-protocols/saml.adoc @@ -51,6 +51,11 @@ the {project_name} server or application when exchanging documents. Basically H that contains an HTML form with embedded JavaScript. When the page is loaded, the JavaScript automatically invokes the form. You really don't need to know about this stuff, but it is a pretty clever trick. +_POST_ binding is usually recommended because of security and size restrictions. When using _REDIRECT_ the SAML response +is part of the URL (it is a query parameter as it was explained before), so it can be captured in logs and it is considered +less secure. Regarding size, if the assertion contains a lot or large attributes sending the document inside the HTTP payload +is always better than in the more limited URL. + ===== ECP ECP stands for "Enhanced Client or Proxy", a SAML v.2.0 profile which allows for the exchange of SAML attributes outside the context of a web browser.
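Review bot: In the idp-initiated-login.adoc hunk the cross-reference in `(check <> for more information)` has an empty target, so it renders as a dangling link; it should point at the SAML bindings section (the one the second hunk extends) with an explicit anchor, e.g. `<<_saml_bindings,SAML Bindings>>` or whatever anchor that section actually defines. Also fix the typo `throught this general URL` to `through this general URL`. Finally, the numbered list stops at step 3 without saying what happens when none of the three URLs (`Assertion Consumer Service POST Binding URL`, `Master SAML Processing URL`, `Assertion Consumer Service Redirect Binding URL`) is configured; one sentence on the resulting behaviour (an error page, or login refused) would complete the decision list for administrators debugging a failing IDP initiated login.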
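Review bot: In the saml.adoc hunk the sentence `if the assertion contains a lot or large attributes` is ungrammatical; suggest `if the assertion contains many or large attributes`. The claim `sending the document inside the HTTP payload is always better than in the more limited URL` overstates the point, since the paragraph is about size limits, so `is preferable to the more limited URL` reads more accurately; and `as it was explained before` can be shortened to `as explained above`. The security justification itself is sound and worth keeping: with the _REDIRECT_ binding the whole SAML response travels in the query string, which is exactly the part of the request that ends up in web server and proxy access logs.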