Fix for Issue# 32622 (https://github.com/keycloak/keycloak/issues/32622)
The expected Destination path needs to point properly to the client that is created for the IdP-initiated SSO flow. This is especially an issue when Keycloak is behind a reverse proxy that terminates TLS. Signed-off-by: Manish Mehta <ManishMehta@users.noreply.github.com>
This commit is contained in:
parent
1d23c3c720
commit
d57050656e
2 changed files with 9 additions and 1 deletions
|
@ -814,7 +814,7 @@ public class SAMLEndpoint {
|
|||
|
||||
private String getExpectedDestination(String providerAlias, String clientId) {
|
||||
if(clientId != null) {
|
||||
return session.getContext().getUri().getAbsolutePath().toString();
|
||||
return Urls.identityProviderAuthnResponse(session.getContext().getUri().getBaseUri(), providerAlias, realm.getName(), clientId).toString();
|
||||
}
|
||||
return Urls.identityProviderAuthnResponse(session.getContext().getUri().getBaseUri(), providerAlias, realm.getName()).toString();
|
||||
}
|
||||
|
|
|
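Review bot: The branch that builds the expected Destination from the four-argument `Urls.identityProviderAuthnResponse` (presumably the new side, since the hunk counts show one line replaced here) passes clientId through a JAX-RS path template, so the produced value is percent-encoded as a path segment; if a client ID contains reserved characters, the Destination string the IdP was configured with may not compare equal and the response would then be rejected. Since Destination validation is the check that keeps a response issued for one endpoint from being accepted at another, it is worth a test asserting that the expected URL for an IdP-initiated client equals the URL Keycloak publishes for that client, with and without a proxy in front. The method also deserves a short Javadoc on why the value is derived from the base URI rather than the request URI, e.g. `/** Builds the Destination this endpoint expects in an IdP response; derived from the base URI so it matches the externally visible URL when TLS is terminated by a proxy. */`. getExpectedDestination lies fully within the hunk, but the comparison against the response's Destination happens elsewhere.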
@ -18,6 +18,7 @@ package org.keycloak.services;
|
|||
|
||||
import org.keycloak.common.Version;
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.broker.saml.SAMLEndpoint;
|
||||
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
||||
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
|
||||
import org.keycloak.protocol.oidc.endpoints.LogoutEndpoint;
|
||||
|
@ -53,6 +54,13 @@ public class Urls {
|
|||
.build(realmName, providerAlias);
|
||||
}
|
||||
|
||||
public static URI identityProviderAuthnResponse(URI baseUri, String providerAlias, String realmName, String client_id) {
|
||||
return realmBase(baseUri).path(RealmsResource.class, "getBrokerService")
|
||||
.path(IdentityBrokerService.class, "getEndpoint")
|
||||
.path(SAMLEndpoint.class, "redirectBindingIdpInitiated")
|
||||
.build(realmName, providerAlias, client_id);
|
||||
}
|
||||
|
||||
public static URI identityProviderAuthnRequest(URI baseUri, String providerAlias, String realmName, String accessCode, String clientId, String tabId, String clientData, String loginHint) {
|
||||
UriBuilder uriBuilder = realmBase(baseUri).path(RealmsResource.class, "getBrokerService")
|
||||
.path(IdentityBrokerService.class, "performLogin");
|
||||
|
|
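Review bot: The new overload's parameter is named `client_id`, while the sibling `identityProviderAuthnRequest` two lines below uses `clientId`; rename it to `String clientId` and call `.build(realmName, providerAlias, clientId)` for consistency with the rest of Urls. The overload also has no Javadoc, so add one stating that it targets the IdP-initiated SAML endpoint and naming the three template variables the path is expected to declare, because `.build(realmName, providerAlias, client_id)` silently depends on `SAMLEndpoint.redirectBindingIdpInitiated` exposing exactly three path parameters in that order and a mismatch would surface only at runtime. The first hunk of this file imports `org.keycloak.broker.saml.SAMLEndpoint` into `org.keycloak.services.Urls` while SAMLEndpoint itself calls Urls; if the two live in separate modules this may introduce a dependency cycle worth checking.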