atulbnar
diff --git a/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/AbstractInitiateLogin.java‎
Lines changed: 7 additions & 5 deletions b/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/AbstractInitiateLogin.java‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java‎
Lines changed: 11 additions & 10 deletions b/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java‎
Lines changed: 11 additions & 10 deletions
diff --git a/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java‎
Lines changed: 17 additions & 1 deletion b/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/IDP.java‎
Lines changed: 9 additions & 0 deletions b/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/IDP.java‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/ConfigXmlConstants.java‎
Lines changed: 1 addition & 0 deletions b/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/ConfigXmlConstants.java‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java‎
Lines changed: 7 additions & 0 deletions b/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IDPXmlParser.java‎
Lines changed: 1 addition & 0 deletions b/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IDPXmlParser.java‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/ecp/EcpAuthenticationHandler.java‎
Lines changed: 9 additions & 1 deletion b/‎adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/ecp/EcpAuthenticationHandler.java‎
Lines changed: 9 additions & 1 deletion
@@ -17,6 +17,7 @@
 
 package org.keycloak.adapters.saml;
 
+import org.keycloak.adapters.saml.SamlDeployment.IDP.SingleSignOnService;
 import org.jboss.logging.Logger;
 import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.HttpFacade;
@@ -95,21 +96,22 @@ public static SAML2AuthnRequestBuilder buildSaml2AuthnRequestBuilder(SamlDeploym
             nameIDPolicyFormat =  JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
         }
 
+        SingleSignOnService sso = deployment.getIDP().getSingleSignOnService();
         SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder()
-                .destination(deployment.getIDP().getSingleSignOnService().getRequestBindingUrl())
+                .destination(sso.getRequestBindingUrl())
                 .issuer(issuerURL)
                 .forceAuthn(deployment.isForceAuthentication()).isPassive(deployment.isIsPassive())
                 .nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat));
-        if (deployment.getIDP().getSingleSignOnService().getResponseBinding() != null) {
+        if (sso.getResponseBinding() != null) {
             String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
-            if (deployment.getIDP().getSingleSignOnService().getResponseBinding() == SamlDeployment.Binding.POST) {
+            if (sso.getResponseBinding() == SamlDeployment.Binding.POST) {
                 protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
             }
             authnRequestBuilder.protocolBinding(protocolBinding);
 
         }
-        if (deployment.getAssertionConsumerServiceUrl() != null) {
-            authnRequestBuilder.assertionConsumerUrl(deployment.getAssertionConsumerServiceUrl());
+        if (sso.getAssertionConsumerServiceUrl() != null) {
+            authnRequestBuilder.assertionConsumerUrl(sso.getAssertionConsumerServiceUrl());
         }
         return authnRequestBuilder;
     }
 
@@ -31,6 +31,7 @@
 import org.keycloak.rotation.CompositeKeyLocator;
 import org.keycloak.rotation.HardcodedKeyLocator;
 import org.keycloak.rotation.KeyLocator;
+import java.net.URI;
 
 /**
  * @author <a href="mailto:[email protected]">Bill Burke</a>
@@ -45,6 +46,7 @@ public static class DefaultSingleSignOnService implements IDP.SingleSignOnServic
         private Binding requestBinding;
         private Binding responseBinding;
         private String requestBindingUrl;
+        private URI assertionConsumerServiceUrl;
 
         @Override
         public boolean signRequest() {
@@ -76,6 +78,15 @@ public String getRequestBindingUrl() {
             return requestBindingUrl;
         }
 
+        @Override
+        public URI getAssertionConsumerServiceUrl() {
+            return assertionConsumerServiceUrl;
+        }
+
+        public void setAssertionConsumerServiceUrl(URI assertionConsumerServiceUrl) {
+            this.assertionConsumerServiceUrl = assertionConsumerServiceUrl;
+        }
+
         public void setSignRequest(boolean signRequest) {
             this.signRequest = signRequest;
         }
@@ -277,7 +288,6 @@ public void setClient(HttpClient client) {
     private boolean turnOffChangeSessionIdOnLogin;
     private PrivateKey decryptionKey;
     private KeyPair signingKeyPair;
-    private String assertionConsumerServiceUrl;
     private Set<String> roleAttributeNames;
     private PrincipalNamePolicy principalNamePolicy = PrincipalNamePolicy.FROM_NAME_ID;
     private String principalAttributeName;
@@ -340,11 +350,6 @@ public KeyPair getSigningKeyPair() {
         return signingKeyPair;
     }
 
-    @Override
-    public String getAssertionConsumerServiceUrl() {
-        return assertionConsumerServiceUrl;
-    }
-
     @Override
     public Set<String> getRoleAttributeNames() {
         return roleAttributeNames;
@@ -396,10 +401,6 @@ public void setSigningKeyPair(KeyPair signingKeyPair) {
         this.signingKeyPair = signingKeyPair;
     }
 
-    public void setAssertionConsumerServiceUrl(String assertionConsumerServiceUrl) {
-        this.assertionConsumerServiceUrl = assertionConsumerServiceUrl;
-    }
-
     public void setRoleAttributeNames(Set<String> roleAttributeNames) {
         this.roleAttributeNames = roleAttributeNames;
     }
 
@@ -25,6 +25,7 @@
 import java.util.Set;
 import org.apache.http.client.HttpClient;
 import org.keycloak.rotation.KeyLocator;
+import java.net.URI;
 
 /**
  * Represents SAML deployment configuration.
@@ -103,8 +104,24 @@ public interface SingleSignOnService {
              */
             boolean validateAssertionSignature();
             Binding getRequestBinding();
+            /**
+             * SAML allows the client to request what binding type it wants authn responses to use. The default is
+             * that the client will not request a specific binding type for responses.
+             * @return
+             */
             Binding getResponseBinding();
+            /**
+             * Returns URL for the IDP login service that the client will send requests to.
+             * @return
+             */
             String getRequestBindingUrl();
+            /**
+             * Returns URI where the IdP should send the responses to. The default is
+             * that the client will not request a specific assertion consumer service URL.
+             * This property is typically accompanied by the ProtocolBinding attribute.
+             * @return
+             */
+            URI getAssertionConsumerServiceUrl();
         }
 
         public interface SingleLogoutService {
@@ -141,7 +158,6 @@ public interface SingleLogoutService {
     KeyPair getSigningKeyPair();
     String getSignatureCanonicalizationMethod();
     SignatureAlgorithm getSignatureAlgorithm();
-    String getAssertionConsumerServiceUrl();
     String getLogoutPage();
 
     Set<String> getRoleAttributeNames();
 
@@ -32,6 +32,7 @@ public static class SingleSignOnService implements Serializable {
         private String requestBinding;
         private String responseBinding;
         private String bindingUrl;
+        private String assertionConsumerServiceUrl;
         private boolean validateAssertionSignature;
 
         public boolean isSignRequest() {
@@ -81,6 +82,14 @@ public String getBindingUrl() {
         public void setBindingUrl(String bindingUrl) {
             this.bindingUrl = bindingUrl;
         }
+
+        public String getAssertionConsumerServiceUrl() {
+            return assertionConsumerServiceUrl;
+        }
+
+        public void setAssertionConsumerServiceUrl(String assertionConsumerServiceUrl) {
+            this.assertionConsumerServiceUrl = assertionConsumerServiceUrl;
+        }
     }
 
     public static class SingleLogoutService implements Serializable {
 
@@ -72,6 +72,7 @@ public class ConfigXmlConstants {
     public static final String VALIDATE_REQUEST_SIGNATURE_ATTR = "validateRequestSignature";
     public static final String POST_BINDING_URL_ATTR = "postBindingUrl";
     public static final String REDIRECT_BINDING_URL_ATTR = "redirectBindingUrl";
+    public static final String ASSERTION_CONSUMER_SERVICE_URL_ATTR = "assertionConsumerServiceUrl";
 
     public static final String HTTP_CLIENT_ELEMENT = "HttpClient";
     public static final String ALLOW_ANY_HOSTNAME_ATTR = "allowAnyHostname";
 
@@ -41,6 +41,7 @@
 import java.util.HashSet;
 import java.util.Set;
 import org.keycloak.adapters.cloned.HttpClientBuilder;
+import java.net.URI;
 
 /**
  * @author <a href="mailto:[email protected]">Bill Burke</a>
@@ -156,6 +157,12 @@ public SamlDeployment build(InputStream xml, ResourceLoader resourceLoader) thro
         if (sp.getIdp().getSingleSignOnService().getResponseBinding() != null) {
             sso.setResponseBinding(SamlDeployment.Binding.parseBinding(sp.getIdp().getSingleSignOnService().getResponseBinding()));
         }
+        if (sp.getIdp().getSingleSignOnService().getAssertionConsumerServiceUrl() != null) {
+            if (! sp.getIdp().getSingleSignOnService().getAssertionConsumerServiceUrl().endsWith("/saml")) {
+                throw new RuntimeException("AssertionConsumerServiceUrl must end with \"/saml\".");
+            }
+            sso.setAssertionConsumerServiceUrl(URI.create(sp.getIdp().getSingleSignOnService().getAssertionConsumerServiceUrl()));
+        }
         sso.setSignRequest(sp.getIdp().getSingleSignOnService().isSignRequest());
         sso.setValidateResponseSignature(sp.getIdp().getSingleSignOnService().isValidateResponseSignature());
         sso.setValidateAssertionSignature(sp.getIdp().getSingleSignOnService().isValidateAssertionSignature());
 
@@ -118,6 +118,7 @@ protected IDP.SingleSignOnService parseSingleSignOnService(XMLEventReader xmlEve
         sso.setRequestBinding(getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
         sso.setResponseBinding(getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
         sso.setBindingUrl(getAttributeValue(element, ConfigXmlConstants.BINDING_URL_ATTR));
+        sso.setAssertionConsumerServiceUrl(getAttributeValue(element, ConfigXmlConstants.ASSERTION_CONSUMER_SERVICE_URL_ATTR));
         return sso;
     }
 
 
@@ -156,7 +156,15 @@ private void createPaosRequestHeader(SOAPEnvelope envelope) throws SOAPException
                 paosRequestHeader.setMustUnderstand(true);
                 paosRequestHeader.setActor("http://schemas.xmlsoap.org/soap/actor/next");
                 paosRequestHeader.addAttribute(envelope.createName("service"), JBossSAMLURIConstants.ECP_PROFILE.get());
-                paosRequestHeader.addAttribute(envelope.createName("responseConsumerURL"), deployment.getAssertionConsumerServiceUrl());
+                paosRequestHeader.addAttribute(envelope.createName("responseConsumerURL"), getResponseConsumerUrl());
+            }
+
+            private String getResponseConsumerUrl() {
+                return (deployment.getIDP() == null
+                  || deployment.getIDP().getSingleSignOnService() == null
+                  || deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl() == null
+                ) ? null
+                  : deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl().toString();
             }
         };
     }
Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,7 @@ protected IDP.SingleSignOnService parseSingleSignOnService(XMLEventReader xmlEve`
`118`	`118`	`sso.setRequestBinding(getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));`
`119`	`119`	`sso.setResponseBinding(getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));`
`120`	`120`	`sso.setBindingUrl(getAttributeValue(element, ConfigXmlConstants.BINDING_URL_ATTR));`
	`121`	`+ sso.setAssertionConsumerServiceUrl(getAttributeValue(element, ConfigXmlConstants.ASSERTION_CONSUMER_SERVICE_URL_ATTR));`
`121`	`122`	`return sso;`
`122`	`123`	`}`
`123`	`124`