[keycloak-user] Keycloak as SAML Service Provider problem

Hynek Mlnarik hmlnarik at redhat.com
Tue Nov 14 05:34:12 EST 2017


It's hard to say. Make sure the settings of signature algorithms match in
Okta and Keycloak. If you get nowhere, a dump of SAML communication (e.g.
via SAML Tracer or similar tool) would help.

--Hynek

On Mon, Nov 13, 2017 at 9:57 PM, Drew Weirshousky <d.weirshousky at xsb.com>
wrote:

> Hi,
>   I have Keycloak 3.2.1 set up to act as a SP and Okta as a SAML IDP.  I am
> trying to initiate login from Okta.  After the initial user registration
> keycloak seems to fail while validating the signature on one of the SAML
> Responses.  The error in the browser is invalidFederatedIdentityActionMessage
> and the stack trace is below.
>
> 20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default
> task-18) validation failed: org.keycloak.common.VerificationException:
> Invalid signature on document
>         at org.keycloak.protocol.saml.SamlProtocolUtils.
> verifyDocumentSignature(SamlProtocolUtils.java:83)
>         at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.
> verifySignature(SAMLEndpoint.java:533)
>         at org.keycloak.broker.saml.SAMLEndpoint$Binding.
> handleSamlResponse(SAMLEndpoint.java:471)
>         at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(
> SAMLEndpoint.java:239)
>         at org.keycloak.broker.saml.SAMLEndpoint.postBinding(
> SAMLEndpoint.java:159)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
> MethodInjectorImpl.java:139)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
> ResourceMethodInvoker.java:295)
>
> The X509 certificate is the same on both ends.  Am I missing a
> configuration setting some place else?  Any help would be appreciated.
> Some googling brings up some old bugs but I believe they are all fixed in
> 3.2.1.
>
> Thanks
> Drew Weirshousky
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



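An added diagnostic for the comparison suggested above (my example, not code from Keycloak or Okta): it reads a SAML Response dumped with SAML Tracer and lists, for each signature on the Response or its Assertions, the signature and digest algorithms, whether the reference really covers the signed element, and the SHA-256 fingerprint of the embedded certificate, so they can be checked against the identity-provider settings on the Keycloak side. The sample response and its certificate bytes are constructed placeholders, not a real Okta message.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample; the "certificate" is placeholder bytes, not real X.509 DER.
FAKE_CERT_DER = b"placeholder-certificate-bytes"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Assertion ID="_assert1" Version="2.0"/>
</samlp:Response>""" % base64.b64encode(FAKE_CERT_DER).decode()

def cert_fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form most admin consoles display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def inspect_saml_signatures(xml_text):
    """List every signature on the Response and on its Assertions with the
    parameters that must agree with the SP-side identity-provider settings;
    the Reference URI must point at the element that carries the signature."""
    root = ET.fromstring(xml_text)
    report = []
    for elem in [root] + root.findall("saml:Assertion", NS):
        sig = elem.find("ds:Signature", NS)
        if sig is None:
            continue
        info = sig.find("ds:SignedInfo", NS)
        ref = info.find("ds:Reference", NS)
        cert_b64 = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        der = base64.b64decode("".join(cert_b64.split()))
        report.append({
            "element": elem.tag.split("}")[-1],           # Response or Assertion
            "signature_algorithm": info.find("ds:SignatureMethod", NS).get("Algorithm"),
            "digest_algorithm": ref.find("ds:DigestMethod", NS).get("Algorithm"),
            "reference_matches_element": ref.get("URI", "").lstrip("#") == elem.get("ID"),
            "embedded_cert_sha256": cert_fingerprint(der) if der else None,
        })
    return report
```

Run it over the decoded SAMLResponse from the tracer dump and compare the reported algorithm and fingerprint with what the Keycloak identity provider is configured to validate; a signature on only the Assertion when Keycloak expects a signed Response (or the reverse) shows up as a missing entry.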

