[keycloak-user] WG: Wrong AssertionConsumerServiceURL in AuthnRequest of IdP broker

Dmitry Telegin dt at acutus.pro
Mon Dec 10 17:16:00 EST 2018 

Hello Manuel, sorry for late response,

You did almost everything right, except for a couple of things:
- You generally don't need to modify ACS URL inside your SPSSODescriptor while importing it into a 3rd party IdP (samltest.id in your case). This is unless you want an IdP-initiated SSO, in which case you should follow the doc [1] (paragraph beginning with "When using identity brokering"). I'd rather suggest that you have SP-initiated SSO working first, which doesn't require any tweaking to SP metadata;
- You shouldn't override client's ACS URL. The ACS of a client and the ACS of Keycloak facing 3rd party IdP are different things. Trying to substitute one for another you will create a loopback. (Probably you did that "in accordance" with the aforementioned paragraph, but it can be a bit misleading since it describes the process as if Keycloak were your 3rd party IdP, not samltest.id.)

With the above, I suggest that you recreate your samltest.id IdP in Keycloak, import metadata from https://samltest.id/saml/idp, then go to Export tab and transfer the metadata verbatim to samltest.id. Second, undo any ACS URL modifications you've made to the client settings. After that, you should be able to access your application and sign in via samltest IdP.

[1] https://www.keycloak.org/docs/latest/server_admin/#idp-initiated-login

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-12-10 at 18:12 +0000, Manuel Waltschek wrote:
> Hello,
> 
> I am sorry but am resending this because I got ignored for the third time now and I just can't figure out what to do.
> 
> If you cannot help me on this one, please give me a step by step explanation how to configure an application as a service provider to authenticate against an external SAML idp (with keycloak IdP broker) since I cannot figure it out with the latest documentation.
> 
> Thank you,
> 
> Manuel
> 
> Von: Manuel Waltschek
> Gesendet: Freitag, 07. Dezember 2018 17:34
> > > An: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
> Betreff: Wrong AssertionConsumerServiceURL in AuthnRequest of IdP broker
> 
> Hello there,
> 
> I am trying to configure my Keycloak server to act as an IdP broker for samltest.id IdP (external IdP) and I want my application to authenticate against this external IdP.
> I imported the IdP Metadata of samltest into my IdP settings and exported following SP descriptor into IdP of samltest:
> 
> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp">;
>     <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
>             protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">;
>         <KeyDescriptor use="signing">
>           <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">;
>             <dsig:KeyName>Ovdow5dx1a_BxPju-WIV7_-LKmhBPUDGXMKEPsXoDYY</dsig:KeyName>
>             <dsig:X509Data>
>               <dsig:X509Certificate>MIICvzCCAacCBgFnUHFoLDANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhwcmlzbWEta2V5Y2xvYWstc2FtbC1pZHAwHhcNMTgxMTI2MTQzMjQ4WhcNMjgxMTI2MTQzNDI4WjAjMSEwHwYDVQQDDBhwcmlzbWEta2V5Y2xvYWstc2FtbC1pZHAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC069gg6qpIEn61cp+kfqDnsTb93529dNPwmbs4ukxhOIFW7Ic6SsabDvvlokaC/fNOHcfLV8KSyTYcd4E8ESw65dGaGtBUwr2Egmq8U/KVOLxcjQStze6TZU3TAnaoU7ZhYXzCipnLEHMDzLSVUYUNVzX2cfNHwipGJvw8ribB51vKByn/LhyrhDfHGwmlP6Fkth3T0cKlN27x4s5zfBje1lp0uQagatUPcmwm51K3vSNHu1rz6CGOJviHVXu9T1T6adxw83Az6FK6Z+hNA/uzCYUafcY2xYK6z7nJiXVwbCg+ZYqRuWa/hjMZ3ViWb9J3iPGmjGfYQsYK5W/kyqiXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAwfSPO+MY8JTaI5qRF11O3iiMh99wTy+V9NdYp1No2HRxfAZiZeGTgWusYgrO2bQ37BGVs6Iw/7XU/eSzOfeYVmWgm1XFvimVq9Z8FVKfH93CRnhbmgnPV2wKPIlmKjzV5KinjZfbuX/6hO3jCRaYk4B4RgNnnNX5yJEbhxQdtRsTpYyPbxrLcCRx37T/U+g+JuoW03H23rFssS4OcEgoMPSBfKDE/DJDypOyl75YB8C0t5zOidFN0LNbw428X2LG04ZcD9rvyND9u5SEVzAjWp2EM7QD6klhXPDIyGSEMjKSNC+IFMpAmZLsHAVih8o8NqsNMxmsuEXVVONI1M0EY=</dsig:X5!
>  09Certificate>
>             </dsig:X509Data>
>           </dsig:KeyInfo>
>         </KeyDescriptor>
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint"/>;
>         <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
>         </NameIDFormat>
>         <AssertionConsumerService
>                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol"
>                 index="1" isDefault="true" />
>     </SPSSODescriptor>
> </EntityDescriptor>
> 
> While "vde-tirol" is the client-id configured in my client and the ACS-url is the one I configured Fine Grain SAML Endpoint Configuration of my client.
> 
> After I try to access a protected ressource I get redirected to a page of samltest telling me there went something wrong and I detected that the authnrequest sent from my IdP broker did not have the ACS-url http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol
> 
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint" Destination="https://samltest.id/idp/profile/SAML2/POST/SSO" ForceAuthn="false" ID="ID_86bcd6f8-2a66-4151-bfa1-35ad5cf5550b" IsPassive="false" IssueInstant="2018-12-07T16:08:26.742Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
>                 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8180/auth/realms/prisma-keycloak-saml-idp</saml:Issuer<http://localhost:8180/auth/realms/prisma-keycloak-saml-idp%3c/saml:Issuer>>;
>                 <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
> </samlp:AuthnRequest>
> 
> I get the following Error from openSAML:
> 
> Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither candidate endpoint location 'localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol' nor response location 'null' matched 'http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint'
> 
> Do you have a clue what went wrong? Is this intended behaviour, that the AssertionConsumerServiceURL in the AuthnRequest does not match?
> 
> Thank you in advance,
> 
> Manuel Waltschek
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list