[keycloak-user] Google as SAML SP and Keycloak as IDP - invalid_signature [Solved]
Georgijs Radovs
georgijsr at scandiweb.com
Thu Dec 15 11:43:51 EST 2016
Hello again!
Problem solved.
Keycloak <-> Google SAML working.
The problem was with Sign-in URL on Google App's configuration side.
Sign-in page URL was - *https://"keycloak fqdn"/auth/realms/"keycloak realm name"/protocol/saml*
But, after I changed it to this:
Sign-in page URL - *https://"keycloak fqdn"/auth/realms/"keycloak realm name"/protocol/saml/clients/googleapps*
and made these changes:
Set *Client Signature Required* to *Off*
Set *Assertion Consumer Service POST Binding URL* to
*https://google.com/a/"mydomain".com/acs*
Set *Assertion Consumer Service Redirect Binding URL* to *empty*
Set *Assertion Consumer Service POST Binding URL* to
*https://www.google.com/a/"mydomain".com/acs*
It worked.
Also, if you need the *IDP initiated SSO URL* to work, add
*?RelayState=true* to the *Base URL*, like this:
*/auth/realms/"keycloak realm"/protocol/saml/clients/googleapps?RelayState=true*
On 2016.12.15. 14:44, Georgijs Radovs wrote:
> Hello everyone!
>
>
> I'm trying to configure SSO to Google Apps, using SAML protocol and
> Keycloak as IDP and Google as SP.
>
> Keycloak Version - 2.1.0-Final
>
> In Keycloak, I've created a new SAML client with the following settings:
>
> ----------------------------------------------------------------
>
> Client ID - google.com/a/*mydomain*.com
>
> Enabled - On
>
> Consent Required - Off
>
> Include AuthnStatement - On
>
> Sign Documents - On
>
> Sign Assertions - On
>
> Signature Algorithm - RSA_SHA256
>
> Canonicalization Method - EXCLUSIVE
>
> Encrypt Assertions - Off
>
> Client Signature Required - On
>
> Force POST Binding - On
>
> Front Channel Logout - On
>
> Force Name ID Format - Off
>
> Name ID Format - email
>
> Root URL - empty
>
> Valid Redirect URIs - empty
>
> Base URL - /auth/realms/*keycloak realm*/protocol/saml/clients/googleapps
>
> Master SAML Processing URL - empty
>
> IDP Initiated SSO URL Name - googleapps
>
> IDP Initiated SSO Relay State - empty
>
> Assertion Consumer Service POST Binding URL - empty
>
> Assertion Consumer Service Redirect Binding URL -
> https://google.com/a/*mydomain*.com/acs
>
> logout-service-post-binding-url - empty
>
> Logout Service Redirect Binding URL - empty
> --------------------------------------------------------------
>
> Google SSO Settings:
>
> --------------------------------------------------------------
> "Setup SSO with third party identity provider" checkbox - enabled
>
> Sign-in page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml
>
> Sign-out page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml
>
> Change password URL - empty
>
> Verification certificate - uploaded certificate from keycloak realm,
> where Google SAML client is defined.
>
> "Use a domain specific issuer" checkbox - enabled
> ---------------------------------------------------------------
>
> The problem:
>
> When I go to this link - https://mail.google.com/a/*mydomain*.com, to
> authenticate, I'm redirected back to Keycloak with "Invalid Requester"
> error and in Keycloak log I see this: "error=invalid_signature"
>
> What signature is Keycloak complaining about?
> What is wrong with my config?
>
>
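The following is an added example, not code from the thread above or from the Keycloak project. It builds the Keycloak SAML client representation for a Google Apps SP with the settings the thread ended up with, and lints a representation for the misconfigurations the thread describes: Client Signature Required left On (Keycloak then rejects the unsigned AuthnRequest with `invalid_signature`), the ACS URL placed on the Redirect binding instead of the POST binding, and a Base URL without `?RelayState=true`. The attribute keys in the `attributes` map are the ones the admin console stores for a SAML client; treat them as an assumption if your Keycloak version differs. The domain and realm values are constructed placeholders. One design note: once client-signature verification is off, Keycloak no longer checks who sent the AuthnRequest, so the explicit ACS POST Binding URL is what keeps the signed response from being delivered anywhere other than Google's ACS endpoint.

```python
"""Keycloak SAML client for Google Apps: working representation plus a linter.

Added example; attribute key names are assumed from the Keycloak client
representation (as exported by the admin console), not taken from the thread.
"""
import json

EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"  # "EXCLUSIVE" in the console


def google_saml_client(domain, realm):
    """Client representation matching the thread's final, working settings."""
    return {
        "clientId": f"google.com/a/{domain}",
        "protocol": "saml",
        "enabled": True,
        "consentRequired": False,
        "frontchannelLogout": True,
        # ?RelayState=true is what makes the IdP-initiated SSO link work
        "baseUrl": f"/auth/realms/{realm}/protocol/saml/clients/googleapps?RelayState=true",
        "attributes": {
            "saml.authnstatement": "true",
            "saml.server.signature": "true",          # Sign Documents
            "saml.assertion.signature": "true",       # Sign Assertions
            "saml.signature.algorithm": "RSA_SHA256",
            "saml_signature_canonicalization_method": EXC_C14N,
            "saml.encrypt": "false",
            "saml.client.signature": "false",         # Google does not sign AuthnRequests
            "saml.force.post.binding": "true",
            "saml_force_name_id_format": "false",
            "saml_name_id_format": "email",
            "saml_idp_initiated_sso_url_name": "googleapps",
            "saml_idp_initiated_sso_relay_state": "",
            "saml_assertion_consumer_url_post": f"https://www.google.com/a/{domain}/acs",
            "saml_assertion_consumer_url_redirect": "",
        },
    }


def original_post_client(domain, realm):
    """The configuration from the original question, which produced invalid_signature."""
    client = google_saml_client(domain, realm)
    client["baseUrl"] = f"/auth/realms/{realm}/protocol/saml/clients/googleapps"
    attrs = client["attributes"]
    attrs["saml.client.signature"] = "true"
    attrs["saml_assertion_consumer_url_post"] = ""
    attrs["saml_assertion_consumer_url_redirect"] = f"https://google.com/a/{domain}/acs"
    return client


def lint_google_saml_client(client):
    """Return (code, explanation) findings; an empty list means the settings match."""
    attrs = client.get("attributes", {})
    findings = []
    # Keycloak defaults Client Signature Required to On, so a missing key counts as On.
    if attrs.get("saml.client.signature", "true") == "true":
        findings.append(("client_signature",
                         "Client Signature Required is On; Google's unsigned "
                         "AuthnRequest is rejected with error=invalid_signature"))
    if not attrs.get("saml_assertion_consumer_url_post"):
        findings.append(("acs_post_missing",
                         "ACS POST Binding URL is empty; with Force POST Binding the "
                         "response has no destination"))
    if attrs.get("saml_assertion_consumer_url_redirect"):
        findings.append(("acs_redirect_set",
                         "ACS Redirect Binding URL is set; Google receives the "
                         "response at its ACS via HTTP-POST, so this should be empty"))
    if "RelayState=true" not in client.get("baseUrl", ""):
        findings.append(("relaystate_missing",
                         "Base URL lacks ?RelayState=true; the IdP-initiated SSO "
                         "link will not work"))
    return findings


if __name__ == "__main__":
    for name, rep in (("original", original_post_client("mydomain.example", "myrealm")),
                      ("working", google_saml_client("mydomain.example", "myrealm"))):
        print(f"== {name} ==")
        for code, text in lint_google_saml_client(rep):
            print(f"  [{code}] {text}")
    print(json.dumps(google_saml_client("mydomain.example", "myrealm"), indent=2))
```

The JSON printed at the end is in the shape the admin console imports under Clients > Create > Import, which is a quicker way to reproduce the working configuration than clicking through the fields one by one.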