[keycloak-user] Keycloak with EZproxy
Ricardo Chu
pygator at linux.com
Tue Nov 8 08:38:35 EST 2016
Stian,
We set the "Client Signature Required" to off. See print screen here:
https://drive.google.com/open?id=0B7GnoaXLMbnOS1l4dkNmQjFPSUk
I restarted keycloak and attempted to login via ezproxy. It looks like we
get a little further down the login process but now get a NPE.
You can see the log excerpt here: https://bitbucket.org/snippets/rachu/ddRze
Rick
On Mon, Nov 7, 2016 at 1:15 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:
> First guess is that EZProxy is not signing the login assertion and the
> client is configured in KC admin console to require signatures. Try turning
> "Client Signature Required" off for the client in the Keycloak admin
> console.
>
> On 5 November 2016 at 14:36, Ricardo Chu <pygator at linux.com> wrote:
>
>> Here is the trace output of this problem:
>> https://bitbucket.org/snippets/rachu/ddRze/keycloak-ezproxy-problem
>>
>> This log includes the startup of keycloak and the login attempt. The
>> login fails and the message "invalid requester" is displayed in the
>> browser..
>>
>> The trace shows the "Invalid signature on document" message.
>> Line 5211 says "Cannot find Signature element".
>>
>> Any idea what may cause this?
>>
>> Rick
>>
>> On Fri, Sep 30, 2016 at 3:25 AM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> "XML External Entity switches are not supported. You may get XML
>>> injection
>>> vulnerabilities." is just a warning and shouldn't have anything to do
>>> with
>>> the issue.
>>>
>>> Try enabling trace logging for org.keycloak and see if you get any more
>>> details.
>>>
>>> On 23 September 2016 at 14:52, Bill Kuntz <WKuntz at flvc.org> wrote:
>>>
>>> > Thanks.
>>> >
>>> >
>>> >
>>> > When we attempt to authenticate using keycloak 2.2.0_final, we get the
>>> > following log entries on the Keycloak server:
>>> >
>>> >
>>> >
>>> > 2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default
>>> task-1)
>>> > XML External Entity switches are not supported. You may get XML
>>> injection
>>> > vulnerabilities.
>>> >
>>> > 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService]
>>> > (default task-1) request validation failed:
>>> org.keycloak.common.VerificationException:
>>> > Invalid signature on document
>>> >
>>> > at org.keycloak.protocol.saml.SamlProtocolUtils.
>>> > verifyDocumentSignature(SamlProtocolUtils.java:57)
>>> >
>>> > at org.keycloak.protocol.saml.SamlProtocolUtils.
>>> > verifyDocumentSignature(SamlProtocolUtils.java:50)
>>> >
>>> > at org.keycloak.protocol.saml.SamlService$
>>> > PostBindingProtocol.verifySignature(SamlService.java:405)
>>> >
>>> > at org.keycloak.protocol.saml.Sam
>>> lService$BindingProtocol.
>>> > handleSamlRequest(SamlService.java:186)
>>> >
>>> > at org.keycloak.protocol.saml.SamlService$
>>> > PostBindingProtocol.execute(SamlService.java:428)
>>> >
>>> > at org.keycloak.protocol.saml.SamlService.postBinding(
>>> > SamlService.java:504)
>>> >
>>> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>>> > Method)
>>> >
>>> > at sun.reflect.NativeMethodAccessorImpl.invoke(
>>> > NativeMethodAccessorImpl.java:62)
>>> >
>>> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>>> > DelegatingMethodAccessorImpl.java:43)
>>> >
>>> > at java.lang.reflect.Method.invoke(Method.java:498)
>>> >
>>> > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
>>> > MethodInjectorImpl.java:139)
>>> >
>>> > at org.jboss.resteasy.core.ResourceMethodInvoker.
>>> > invokeOnTarget(ResourceMethodInvoker.java:295)
>>> >
>>> > at org.jboss.resteasy.core.Resour
>>> ceMethodInvoker.invoke(
>>> > ResourceMethodInvoker.java:249)
>>> >
>>> > at org.jboss.resteasy.core.ResourceLocatorInvoker.
>>> > invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>> >
>>> > at org.jboss.resteasy.core.Resour
>>> ceLocatorInvoker.invoke(
>>> > ResourceLocatorInvoker.java:101)
>>> >
>>> > at org.jboss.resteasy.core.Synchr
>>> onousDispatcher.invoke(
>>> > SynchronousDispatcher.java:395)
>>> >
>>> > at org.jboss.resteasy.core.Synchr
>>> onousDispatcher.invoke(
>>> > SynchronousDispatcher.java:202)
>>> >
>>> > at org.jboss.resteasy.plugins.server.servlet.
>>> > ServletContainerDispatcher.service(ServletContainerDispatche
>>> r.java:221)
>>> >
>>> > at org.jboss.resteasy.plugins.server.servlet.
>>> > HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>> >
>>> > at org.jboss.resteasy.plugins.server.servlet.
>>> > HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>> >
>>> > at javax.servlet.http.HttpServlet.service(
>>> > HttpServlet.java:790)
>>> >
>>> > at io.undertow.servlet.handlers.
>>> > ServletHandler.handleRequest(ServletHandler.java:85)
>>> >
>>> > at io.undertow.servlet.handlers.
>>> > FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>> >
>>> > at org.keycloak.services.filters.
>>> > KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.
>>> > java:90)
>>> >
>>> > at io.undertow.servlet.core.ManagedFilter.doFilter(
>>> > ManagedFilter.java:60)
>>> >
>>> > at io.undertow.servlet.handlers.
>>> > FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>> >
>>> > at io.undertow.servlet.handlers.
>>> > FilterHandler.handleRequest(FilterHandler.java:84)
>>> >
>>> > at io.undertow.servlet.handlers.security.
>>> > ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.
>>> > java:62)
>>> >
>>> > at io.undertow.servlet.handlers.S
>>> ervletDispatchingHandler.
>>> > handleRequest(ServletDispatchingHandler.java:36)
>>> >
>>> > at org.wildfly.extension.undertow.security.
>>> > SecurityContextAssociationHandler.handleRequest(
>>> > SecurityContextAssociationHandler.java:78)
>>> >
>>> > at io.undertow.server.handlers.PredicateHandler.
>>> > handleRequest(PredicateHandler.java:43)
>>> >
>>> > at io.undertow.servlet.handlers.security.
>>> > SSLInformationAssociationHandler.handleRequest(
>>> > SSLInformationAssociationHandler.java:131)
>>> >
>>> > at io.undertow.servlet.handlers.security.
>>> > ServletAuthenticationCallHandler.handleRequest(
>>> > ServletAuthenticationCallHandler.java:57)
>>> >
>>> > at io.undertow.server.handlers.PredicateHandler.
>>> > handleRequest(PredicateHandler.java:43)
>>> >
>>> > at io.undertow.security.handlers.
>>> > AbstractConfidentialityHandler.handleRequest(
>>> > AbstractConfidentialityHandler.java:46)
>>> >
>>> > at io.undertow.servlet.handlers.security.
>>> > ServletConfidentialityConstraintHandler.handleRequest(
>>> > ServletConfidentialityConstraintHandler.java:64)
>>> >
>>> > at io.undertow.security.handlers.
>>> > AuthenticationMechanismsHandler.handleRequest(
>>> > AuthenticationMechanismsHandler.java:60)
>>> >
>>> > at io.undertow.servlet.handlers.security.
>>> > CachedAuthenticatedSessionHandler.handleRequest(
>>> > CachedAuthenticatedSessionHandler.java:77)
>>> >
>>> > at io.undertow.security.handlers.
>>> > NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.
>>> > java:50)
>>> >
>>> > at io.undertow.security.handlers.
>>> > AbstractSecurityContextAssociationHandler.handleRequest(
>>> > AbstractSecurityContextAssociationHandler.java:43)
>>> >
>>> > at io.undertow.server.handlers.PredicateHandler.
>>> > handleRequest(PredicateHandler.java:43)
>>> >
>>> > at org.wildfly.extension.undertow.security.jacc.
>>> > JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>> >
>>> > at io.undertow.server.handlers.PredicateHandler.
>>> > handleRequest(PredicateHandler.java:43)
>>> >
>>> > at io.undertow.server.handlers.PredicateHandler.
>>> > handleRequest(PredicateHandler.java:43)
>>> >
>>> > at io.undertow.servlet.handlers.ServletInitialHandler.
>>> > handleFirstRequest(ServletInitialHandler.java:284)
>>> >
>>> > at io.undertow.servlet.handlers.ServletInitialHandler.
>>> > dispatchRequest(ServletInitialHandler.java:263)
>>> >
>>> > at io.undertow.servlet.handlers.
>>> > ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>> >
>>> > at io.undertow.servlet.handlers.S
>>> ervletInitialHandler$1.
>>> > handleRequest(ServletInitialHandler.java:174)
>>> >
>>> > at io.undertow.server.Connectors.
>>> > executeRootHandler(Connectors.java:202)
>>> >
>>> > at io.undertow.server.HttpServerExchange$1.run(
>>> > HttpServerExchange.java:793)
>>> >
>>> > at java.util.concurrent.ThreadPoolExecutor.runWorker(
>>> > ThreadPoolExecutor.java:1142)
>>> >
>>> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(
>>> > ThreadPoolExecutor.java:617)
>>> >
>>> > at java.lang.Thread.run(Thread.java:745)
>>> >
>>> >
>>> >
>>> > 2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1)
>>> > type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null,
>>> > ipAddress=192.168.33.51, error=invalid_signature
>>> >
>>> >
>>> >
>>> > I have verified that the keys on the client match the server. Does the
>>> > XML External Entities have something to do with this?
>>> >
>>> >
>>> >
>>> > Any help is appreciated.
>>> >
>>> >
>>> >
>>> > Thanks,
>>> >
>>> > Bill
>>> >
>>> >
>>> >
>>> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
>>> > *Sent:* Thursday, September 08, 2016 2:31 AM
>>> > *To:* Bill Kuntz
>>> > *Cc:* keycloak-user at lists.jboss.org
>>> > *Subject:* Re: [keycloak-user] Keycloak with EZproxy
>>> >
>>> >
>>> >
>>> > Not sure what they mean about "authentication sequence identical to a
>>> > standard Shibboleth Identity Provider", but Keycloak is pretty
>>> configurable
>>> > so it should be possible to adapt the SAML configuration for the
>>> client to
>>> > make it work with EZProxy.
>>> >
>>> >
>>> >
>>> > On 1 September 2016 at 17:47, Bill Kuntz <WKuntz at flvc.org> wrote:
>>> >
>>> > Has anyone successfully used Keycloak with OCLC's EZProxy? We have
>>> been
>>> > experimenting with Keycloak, and have been able to get it working with
>>> > other SPs, but not EZProxy.
>>> >
>>> > OCLC says " EZproxy supports connecting to non-Shibboleth SAML2 SSO
>>> > systems if and only if that system uses an authentication sequence
>>> > identical to a standard Shibboleth Identity Provider (IDP)."
>>> >
>>> > Thanks,
>>> > Bill
>>> >
>>> >
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> >
>>> >
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
More information about the keycloak-user
mailing list