[keycloak-user] SAML doesn't work when logging in through Identity Providers

Drew Weirshousky d.weirshousky at xsb.com
Tue Feb 6 13:51:47 EST 2018


Hi Kristi,

  I believe there are some fixes coming for SAML in Keycloak 4.0 related to this.  I am assuming you are using Keycloak > 3.2.

Drew Weirshousky

----- Original Message -----
From: "Kristi Nikolla" <knikolla at bu.edu>
To: "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Tuesday, February 6, 2018 1:26:14 PM
Subject: [keycloak-user] SAML doesn't work when logging in through Identity Providers

Hi,

I’ve recently set up Keycloak for SSO in our organization. I’m using two docker containers in standalone-ha with Apache as a proxy. I’ve allowed GitHub, and an external SAML provider for logging in, and everything works fine. Users are able to log in to the account page, and log in to our OpenID Connect and OAuth2 clients.

The issue is when using a SAML client.

Login works perfectly fine with SAML/Shibboleth when using the username/password field in Keycloak. It also works perfectly with an existing session regardless of login method.

It doesn’t work, however, when login is first initiated through the SAML client with Shibboleth. The user is redirected to Keycloak, they click GitHub/University Login, input their credentials in the external IdP, and come back to Keycloak to be greeted with "An error occurred, please login again through your application." The error is the same regardless of whether GitHub (OAuth) or University Login (SAML) is used, but it works perfectly when using username and password directly in Keycloak.

The only thing that I see in the logs is:
21:54:01,682 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code

Even turning on debug logging doesn’t provide anything useful.

Thank you,
Kristi Nikolla
