[keycloak-user] Problem with SAML 2.0 IDP and direct grant

Vollertsen, Alexander (Wilken GmbH) Alexander.Vollertsen at wilken.de
Thu Aug 16 11:15:24 EDT 2018


Hello keycloak users,

We are a company developing ERP software and want to use Keycloak for our SSO server. I will briefly explain our scenario:


We have our application running on a WildFly server, protected by the Keycloak adapter configured in standalone.xml. The Keycloak authentication server is running in another WildFly. Opening our application in the browser, being redirected to the Keycloak server and signing in works fine. Now the IdP comes into play. We want to authenticate at the IdP and be redirected through the Keycloak server directly to our application, without a second authentication at the Keycloak server. My understanding is that we should use direct grant as the first login flow to get a direct redirect to our application. The IdP is a server belonging to one of our customers and we are communicating over SAML 2.0. Now the IdP is sending a SAML response and the Keycloak server responds with the following output: {"error":"invalid_request","error_description":"Missing parameter: username"}


The username is located in the field urn:oid:0.9.2342.19200300.100.1.1. So why can't Keycloak get the username and redirect to our application?


The decoded SAML response looks like this:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_0495d5494150cf6d61dd4421a2c04efcf084c5e438"
                Version="2.0"
                IssueInstant="2018-08-16T13:26:42Z"
                Destination="http://qvswm-50-cs2std:20000/auth/realms/saml20-broker-authentication-realm/broker/saml20-identity-provider/endpoint"
                InResponseTo="ID_67b3a98b-22b7-4fb3-bccf-32f9e5ee3884">
  <saml:Issuer>idm.ekir.de</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_0495d5494150cf6d61dd4421a2c04efcf084c5e438">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>D3xmrXVhSRsQxhxJhrqg1WPKlmo=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>OWelDbxd2wFMclqWSw6Vyn4Xm++ykDq10tDAWZtpTJXAqbcJGYvJ1oyuk7bJi7Q47R9O5CNTuFcQQIXv45J+ux4QUnGlPIosn2RjAVIX/T87Z0nVkbSfMYfkj7t/0Ol81jaH0l3q2fbLLboCXvsi7EiyZfiUTxh778zUMjphF5W19JyLdMpx3iXBptgRFOof6mJdz129SzrnlygM0EJuVbYdQLY/5YFvOqx0Ty7kubG85lKERxYbCD31w3/T/Ij0FSU/VWrhPws0qZrNiLHNfdUY0YsdT0yIP0qiHWpGovHYM3nCJJh1/XjyzD191F2gTDZXVPjGMEriFUQ0aJSrnA==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>[X.509 certificate elided]</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  ID="_2f00bcc88e72b831d12c3bd2cde89885036b8034ba"
                  Version="2.0"
                  IssueInstant="2018-08-16T13:26:42Z">
    <saml:Issuer>idm.ekir.de</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_2f00bcc88e72b1d12c3bd2cd885036b8034ba">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>lGcsEgEI/9gDZnc+7tbiVHKA=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>CztzEHTsWNzwKhkykPdsUP5OcXJJCy7O0VqTW+8vBsbQMg92z4QhX/yX+NvXrMS6/AaBhXS9YIsDxqp8LMqN9XHCEo+ZR2EKVZwAY005x2PxtTMoF6f+43ItekGdPscm28TyjXvh5OM5WSgux1Jx1UhMpoSqhZHTRT72KK+yEkOUwjCaqNBces4yrlgRty97HN0cyAxu+0t+3AYOujENhYbSFbiNvFUwkwcRJEAXeitkJttAGtmJ3ZBa/yhkITW2YwIjRpPw8vZHqpwDtdbjgZLFs2vSzBT4VrDQkQHvmQ+wnQEu9MFZiqT4w53OMtmvgbtM612NWouoCrs+VmGBAg==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>[X.509 certificate elided]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID SPNameQualifier="http://qvswm-50-cs2std:20000/auth/realms/saml20-broker-authentication-realm"
                   Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">94fbf27f692f840a63ea08a0eb8153ec86d022ea</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2018-08-16T13:31:42Z"
                                      Recipient="xxxxx"
                                      InResponseTo="ID_67b3a98b-22b7-4fb3-bccf-32f9e5ee3884"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-08-16T13:26:12Z" NotOnOrAfter="2018-08-16T13:31:42Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://qvswm-50-cs2std:20000/auth/realms/saml20-broker-authentication-realm</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-08-16T13:26:42Z"
                         SessionNotOnOrAfter="2018-08-17T13:26:42Z"
                         SessionIndex="_4e34b8713e382904ca49318f0ed93f44032b19f297">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">test2.syn</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">syn</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">test2.syn at ek.de</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">test2</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mobile" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string"></saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string"></saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

I would appreciate some help from the community.

Best regards

Alexander Vollertsen
System Developer
System Development

Phone: +49 731 9650-373 | Fax:
Email: Alexander.Vollertsen at wilken.de | Web: www.wilken.de
[Confirmation of data]<http://www.wilken.de/datenschutz/dsgvo/>
Wilken GmbH
Hörvelsinger Weg 29-31
89081 Ulm, Germany

Registered office: Ulm
Ulm District Court: HRB 794
Managing directors: Folkert Wilken, Peter Heinz, Dr. Jörg Vogt
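The error in the post comes from Keycloak's direct grant flow, whose first authenticator reads a `username` form parameter from a resource-owner-password request; a brokered SAML login never sends that parameter, so the username has to come out of the assertion instead (the NameID, or an attribute such as the uid OID above, mapped by an identity-provider mapper). The following Python is an added example written for this thread, not Keycloak code: it parses a response of the same shape as the one posted, applies the checks a broker must pass before trusting the assertion (status, InResponseTo, NotBefore/NotOnOrAfter, AudienceRestriction), and then picks the local username from the `urn:oid:0.9.2342.19200300.100.1.1` attribute. The sample response, host names and request ID are constructed; signatures are assumed to have been verified already, and encrypted assertions are out of scope.

```python
"""Parse a SAML 2.0 Response, check the assertion's validity conditions and
pull out the attribute a broker would map onto the local username.
Example written for this thread; it is not Keycloak's implementation."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UID_OID = "urn:oid:0.9.2342.19200300.100.1.1"   # LDAP 'uid' carried as a SAML attribute
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the response in the post: same layout and
# attribute names, but placeholder IDs/hosts and no XML signatures.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2018-08-16T13:26:42Z" InResponseTo="ID_request-1">
  <saml:Issuer>idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2018-08-16T13:26:42Z">
    <saml:Issuer>idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">opaque-id-123</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2018-08-16T13:31:42Z" InResponseTo="ID_request-1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-08-16T13:26:12Z" NotOnOrAfter="2018-08-16T13:31:42Z">
      <saml:AudienceRestriction><saml:Audience>http://broker.example.test/auth/realms/demo</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"><saml:AttributeValue>test2.syn</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>test2.syn@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mobile"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """SAML timestamps are UTC and end in 'Z'; fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_response(xml_bytes):
    """Return the fields a broker needs from a plaintext, already signature-verified response."""
    root = ET.fromstring(xml_bytes)   # prefer defusedxml for input from untrusted peers
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are out of scope here)")
    cond = assertion.find("saml:Conditions", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "in_response_to": root.get("InResponseTo"),
        "subject_in_response_to": scd.get("InResponseTo") if scd is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "not_before": _ts(cond.get("NotBefore")) if cond is not None and cond.get("NotBefore") else None,
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")) if cond is not None and cond.get("NotOnOrAfter") else None,
        "audiences": [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attributes,
    }


def check_assertion(parsed, now, expected_audience, expected_request_id, skew=timedelta(seconds=60)):
    """Return the reasons to reject the assertion; an empty list means accept.
    `now` may be a timezone-aware datetime or a SAML-style 'Z' timestamp string."""
    if isinstance(now, str):
        now = _ts(now)
    problems = []
    if parsed["status"] != SUCCESS:
        problems.append("status is not Success")
    if parsed["in_response_to"] != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest we sent (unsolicited or replayed)")
    if parsed["subject_in_response_to"] not in (None, expected_request_id):
        problems.append("SubjectConfirmationData InResponseTo does not match")
    if parsed["not_before"] and now + skew < parsed["not_before"]:
        problems.append("assertion not yet valid (NotBefore in the future)")
    if parsed["not_on_or_after"] and now - skew >= parsed["not_on_or_after"]:
        problems.append("assertion expired (NotOnOrAfter passed)")
    if expected_audience not in parsed["audiences"]:
        problems.append("we are not in the AudienceRestriction (assertion meant for another SP)")
    return problems


def map_username(parsed, attribute_name=UID_OID):
    """Pick the local username from a named attribute, as an attribute-importer mapper would.
    Returns None rather than falling back to NameID, so an opaque NameID is never used as a login name."""
    values = [v for v in parsed["attributes"].get(attribute_name, []) if v.strip()]
    return values[0] if values else None


if __name__ == "__main__":
    p = parse_response(SAMPLE_RESPONSE)
    print(check_assertion(p, "2018-08-16T13:28:00Z", "http://broker.example.test/auth/realms/demo", "ID_request-1"))
    print(map_username(p))
```

Run as-is it prints an empty problem list and `test2.syn`. Note that the empty `mobile` attribute yields no username (the mapper must not accept blank values), and that the NameID in the posted response is an opaque hash with `emailAddress` format, which is why mapping the uid attribute, not the NameID, is the sensible source for the local username.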

