Add support for ACS index in SAML2 AuthnRequests (Keycloak as SP) #46499

@Aldisti

Description

The SAML 2.0 Core specification (section 3.4.1) states that AuthnRequests may include an AssertionConsumerServiceIndex attribute as an alternative to AssertionConsumerServiceURL to reference a pre-configured ACS endpoint via index.

When acting as an SP, Keycloak doesn't support ACS Index, but only ACS URL.

I don't know if there are IdPs that only implement the index logic, but, for example, the Italian SPID strongly recommends indexes over URLs for Service Providers.

Value Proposition

Adding support for ACS indexes is going to improve Keycloak's implementation of the SAML 2.0 protocol.

Goals

  • Add support for AssertionConsumerServiceIndex when Keycloak acts as SP
  • Make both AssertionConsumerServiceIndex and AssertionConsumerServiceURL optional and mutually exclusive (as the protocol states)
  • Update the documentation for configuring a SAML 2.0 IdP with ACS index

Non-Goals

  • Handling ACS indexes in Authn Requests when Keycloak acts as IdP

Discussion

No response

Notes

I've tinkered with the codebase a bit, and this enhancement seems fairly straightforward to implement, so I'd be happy to contribute a pull request myself.

About the "mutually exclusive", I was thinking about the following implementation:

  • I made both properties optional (singleSignOnServiceUrl and assertionConsumerServiceIndex)
  • Inside the validate method of SAMLIdentityProviderConfig I added a check that makes sure one of the two properties is being used
  • If the URL is specified then the index is ignored, if the URL is left empty then the index is used

I'd appreciate your thoughts on this proposed enhancement. Also, if this idea has been discussed before or there's a reason it hasn't been proposed yet, I'd love to learn more.

Thanks!
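The two ACS reference forms and the mutual-exclusivity rule discussed in this issue, as an added example that is not part of the original issue or of Keycloak's code base. It assumes a constructed SP metadata table (SP_ACS_ENDPOINTS) and hypothetical hosts sp.example.test and idp.example.test. The SP-side check applies the issue's "exactly one of URL or index" rule to configuration; the IdP-side check applies the looser SAML rule, where a request carrying neither attribute is valid and falls back to the SP's default ACS.

```python
# Added illustration, not Keycloak code: how an SP references its ACS endpoint in a
# SAML 2.0 AuthnRequest by index or by URL, the exactly-one check this issue proposes
# for SP-side configuration, and the looser check an IdP applies to a received request.
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed SP metadata (hypothetical hosts): index -> ACS endpoint, as published in
# md:AssertionConsumerService elements; index 0 plays the role of isDefault="true".
SP_ACS_ENDPOINTS = {
    0: "https://sp.example.test/broker/idp/endpoint",
    1: "https://sp.example.test/broker/idp/endpoint/clients/app1",
}


class ConfigError(ValueError):
    """Raised when the SP-side ACS reference configuration is inconsistent."""


def validate_sp_acs_config(acs_url, acs_index):
    """SP-side check (the issue's proposal): exactly one of URL / index must be set."""
    has_url = bool(acs_url)
    has_index = acs_index is not None
    if has_url and has_index:
        raise ConfigError("AssertionConsumerServiceURL and AssertionConsumerServiceIndex are mutually exclusive")
    if not (has_url or has_index):
        raise ConfigError("one of AssertionConsumerServiceURL or AssertionConsumerServiceIndex is required")
    if has_index and (not isinstance(acs_index, int) or acs_index < 0):
        raise ConfigError("AssertionConsumerServiceIndex must be a non-negative integer")


def build_authn_request(issuer, destination, acs_url=None, acs_index=None):
    """Build a minimal unsigned AuthnRequest using whichever ACS reference is configured."""
    validate_sp_acs_config(acs_url, acs_index)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest")
    req.set("ID", "_" + uuid.uuid4().hex)
    req.set("Version", "2.0")
    req.set("IssueInstant", datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    req.set("Destination", destination)
    if acs_url:
        # URL form: the binding travels with the URL.
        req.set("AssertionConsumerServiceURL", acs_url)
        req.set("ProtocolBinding", HTTP_POST)
    else:
        # Index form: the IdP resolves index -> (URL, binding) from the SP's metadata,
        # so ProtocolBinding is not sent alongside it.
        req.set("AssertionConsumerServiceIndex", str(acs_index))
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def resolve_acs_from_request(xml_text, sp_acs_endpoints=SP_ACS_ENDPOINTS):
    """IdP-side view of the same rule. Unlike the SP config, a request with neither
    attribute is valid: the IdP falls back to the SP's default ACS (index 0 here)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    url = root.get("AssertionConsumerServiceURL")
    index = root.get("AssertionConsumerServiceIndex")
    binding = root.get("ProtocolBinding")
    if index is not None:
        if url is not None or binding is not None:
            raise ValueError("AssertionConsumerServiceIndex is mutually exclusive with URL/ProtocolBinding")
        if not index.isdigit() or int(index) not in sp_acs_endpoints:
            raise ValueError(f"unknown AssertionConsumerServiceIndex {index!r}")
        return sp_acs_endpoints[int(index)]
    if url is not None:
        # An IdP must only honour a URL the SP registered in its metadata; accepting an
        # arbitrary URL from an unsigned request would let an attacker redirect assertions.
        if url not in sp_acs_endpoints.values():
            raise ValueError("AssertionConsumerServiceURL not registered for this SP")
        return url
    return sp_acs_endpoints[0]
```

The asymmetry is deliberate: the SP configuration has to decide which form to emit, so requiring exactly one setting is reasonable there, but an IdP cannot reject a request that carries neither attribute, because the specification makes both optional and the default ACS applies. Whichever form is used, the IdP's resolution step is where the ACS is pinned to the SP's metadata; the index form simply makes that pinning unavoidable.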
