diff --git a/services/src/main/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java b/services/src/main/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java index 3c451b3857..9395662444 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java +++ b/services/src/main/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java @@ -46,6 +46,7 @@ public class SamlIDPDescriptorClientInstallation implements ClientInstallationPr public static String getIDPDescriptorForClient(KeycloakSession session, RealmModel realm, ClientModel client, URI serverBaseUri) { SamlClient samlClient = new SamlClient(client); String idpEntityId = RealmsResource.realmBaseUrl(UriBuilder.fromUri(serverBaseUri)).build(realm.getName()).toString(); + String bindUrl = RealmsResource.protocolUrl(UriBuilder.fromUri(serverBaseUri)).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString(); StringBuilder sb = new StringBuilder(); sb.append("\n" + "\n"); + + // logout service + sb.append(" \n"); + if (! samlClient.forcePostBinding()) { + sb.append(" \n"); + } + // nameid format if (samlClient.forceNameIDFormat() && samlClient.getNameIDFormat() != null) { sb.append(" ").append(samlClient.getNameIDFormat()).append("\n"); } else { @@ -64,7 +76,7 @@ public class SamlIDPDescriptorClientInstallation implements ClientInstallationPr + " urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\n" + " urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\n"); } - String bindUrl = RealmsResource.protocolUrl(UriBuilder.fromUri(serverBaseUri)).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString(); + // sign on service sb.append("\n" + " \n"); 
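Review bot: In the nameid format branch that follows the new logout service block, `.append(samlClient.getNameIDFormat())` writes a client-configured value into the descriptor without XML escaping. A value containing `<` or `&` would yield a malformed descriptor, or extra markup in metadata that service providers import and trust. The value should be XML-escaped before it is appended. The same likely applies to `bindUrl`, now declared at the top of the method, wherever it is written into an attribute. getIDPDescriptorForClient begins before this hunk and continues after it, so any escaping applied elsewhere is not visible here.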
@@ -73,15 +85,8 @@ public class SamlIDPDescriptorClientInstallation implements ClientInstallationPr + " Location=\"").append(bindUrl).append("\" />\n"); } - sb.append(" \n"); - if (! samlClient.forcePostBinding()) { - sb.append(" \n"); - } + // keys Set keys = new TreeSet<>((o1, o2) -> o1.getStatus() == o2.getStatus() // Status can be only PASSIVE OR ACTIVE, push PASSIVE to end of list ? (int) (o2.getProviderPriority() - o1.getProviderPriority()) : (o1.getStatus() == KeyMetadata.Status.PASSIVE ? 1 : -1));
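Review bot: The comparator under the new `// keys` comment returns 0 for two keys with the same status and provider priority, and a `TreeSet` treats a 0 result as a duplicate. One of those keys would be silently left out of the descriptor, so a service provider importing it could fail to validate signatures made with the omitted key. The `(int)` cast of the priority difference can also truncate or flip sign if the priorities are wide `long` values, as the cast suggests; `Long.compare(o2.getProviderPriority(), o1.getProviderPriority())` avoids that. Adding a tie-breaker on a unique field such as the key id, if `KeyMetadata` exposes one, would keep equal-priority keys distinct. The rest of getIDPDescriptorForClient lies outside this hunk.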