Keycloak SAML authentication redirection

Hello,
I’m using keycloak to authenticate users through a web browser using SAML. The authentication works fine but redirection doesn’t. The SAML request XML has the AssertionConsumerServiceURL attribute which keycloak is using to redirect. But instead of using the AssertionConsumerServiceURL attribute host name it uses the keycloak host name. For example:

Keycloak host name: authserver dot hostname dot com
Client host name: client dot hostname dot com
AssertionConsumerServiceURL: https://client.hostname.com/users/sessions/saml_sessions?provider_id=8

But after authenticating, the redirect url is https://authserver.hostname.com/users/sessions/saml_sessions?provider_id=8 it should be redirecting to the client host name not the auth server host name.

I would appreciate any help!
Thanks,
Patrick

How decoded SAML request looks like and how full SAML client configuration looks like in your case?

Authn request xml

Keycloak client configuration
Fontend Url: https://auth.hostname.com/auth
Browser Flow: Browser

From your input it still not clear what binding are you using (it is not part of the SAML request and also SAML login binding URLs is not visible in the config. Usually, it it http post binding, but you are talkin about redirection, so nothing is clear.

First, thank you for taking the time to help me out, I really appreciate it as I’m very new to keycloak. I hope this is the binding information your are looking for…

I can provide you with any information your need to help figure this one out.
Thanks!

So what kind of binding you need?
Usually, app provides SP metadata file (not IDP metadata), which Keycloak can use to create SAML client configured properly for that app. That usefull if you really don’t have idea what all those fields mean. Can you use that?

Thanks, Jan. I wasn’t provided with a metadata file nor is there one available. Not sure what you mean by bindings. At this point in the process, I just need Keycloak to simply use the AssertionConsumerServiceUrl to redirect back once authenticated. I’m not sure what I’m missing to make this work.

“redirect back once authenticated” is vague definition. SAML can POST assertion (yeah that’s also “redirect”) or it can use Redirect Binding (not very usuall aproach). So you just try and test and if it doesn’t work try another config. Start with properly configured Assertion Consumer Service POST Binding URL. Work with browser network console, SAML tracer and debug it.

Again, thank you for helping me. I will try your suggestion.

I was able to find a solution. By simply turning the “Force POST Binding” to “ON”, it is now using the AssertionConsumerServiceUrl url in the XML to return the logged-in user back to the client. I can’t explain why this made it work. Maybe @jangaraj can shed some light?

Thanks,
Patrick