My use case is the following: a user (who is not already logged in) clicks a direct link inside my application, and we want the SSO login (SAML) to be done automatically, with the user redirected at the end to the original URL that they clicked.
The auto-login works by setting the URL pattern in the security-constraint of web.xml.
The client is configured with a force-post binding and a fine-grained post binding URL.
But on navigation to “/auth/realms/eptos/login-actions/authenticate?” the referrer policy is intentionally changed to “no-referrer”, so I no longer have a referrer or origin. If I had one, I could simply redirect to it manually using my custom “Assertion Consumer Service POST Binding URL”. This means that post-login I can only go to some fixed page now.
If I remove the post binding URL altogether, it fails with an error about an invalid redirect URI, and I wasn’t able to make it work without this or at least a master processing URL.
I also found no way to override the hardcoded ‘no-referrer’ policy (which came with KEYCLOAK-14232). No referrer, no request_uri param in the URL, nothing to do a redirect back to the requesting URL, no helpful config in the client’s page.
Am I missing something? Thank you.