[keycloak-user] SAMLResponse missing InResponseTo

Dmitry Telegin dt at acutus.pro
Mon Jul 23 12:53:35 EDT 2018


On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote:
> Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have said up front!)

First and foremost, could you please try the latest Keycloak (4.1.0)? Maybe not by upgrading your main instance, but rather by installing it in parallel. There have been some changes to the SAML subsystem since 3.4.X.

> I am familiar with changing logging levels of the running service using the jboss cli, but I don't have the ability to build and step through or set breakpoints. (If it is possible to attach a CLI debugger to a running instance, please let me know! I have root on the host.)

Yes, this is possible - just rerun Keycloak with the "--debug" option; it will open a remote-debug listener on port 8787 (use "--debug <port>" to override).

Then forward this port to your box via SSH and use your favorite IDE to attach a debugger to localhost:8787 using the dt_socket transport (it may also be called the "SocketAttach connector"). Also, obviously, you'll need to check out the source tree.

Basically, you'll need to determine which code path Keycloak takes to generate the response, and, after that, try to understand why the attribute is omitted.

Good luck!
Dmitry

> 
> I doubt this helps, but here is the SAMLResponse from the Request posted previously:
> ```
> <samlp:Response Destination="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
>     ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
>     <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>         <dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>             <dsig:Reference URI="#ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd">
>                 <dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                 <dsig:DigestValue>G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y=</dsig:DigestValue>
>             </dsig:Reference>
>         </dsig:SignedInfo>
>         <dsig:SignatureValue>VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A==</dsig:SignatureValue>
>         <dsig:KeyInfo>
>             <dsig:KeyName>3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc</dsig:KeyName>
>             <dsig:X509Data>
>                 <dsig:X509Certificate>MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O</dsig:X509Certificate>
>             </dsig:X509Data>
>             <dsig:KeyValue>
>                 <dsig:RSAKeyValue>
>                     <dsig:Modulus>qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew==</dsig:Modulus>
>                     <dsig:Exponent>AQAB</dsig:Exponent>
>                 </dsig:RSAKeyValue>
>             </dsig:KeyValue>
>         </dsig:KeyInfo>
>     </dsig:Signature>
>     <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
>     <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046" IssueInstant="2018-07-20T23:39:37.055Z"
>         Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>         <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
>         <saml:Subject>
>             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris.byron at corp.com</saml:NameID>
>             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z"
>                 Recipient="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"/></saml:SubjectConfirmation>
>         </saml:Subject>
>         <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z" NotOnOrAfter="2018-07-20T23:40:35.055Z">
>             <saml:AudienceRestriction>
>                 <saml:Audience>https://checkmarx.corp.net</saml:Audience>
>             </saml:AudienceRestriction>
>         </saml:Conditions>
>         <saml:AuthnStatement AuthnInstant="2018-07-20T23:39:37.055Z"
>             SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25">
>             <saml:AuthnContext>
>                 <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
>             </saml:AuthnContext>
>         </saml:AuthnStatement>
>         <saml:AttributeStatement>
>             <saml:Attribute FriendlyName="Last name" Name="Last_Name"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>                 <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Byron</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute FriendlyName="First name" Name="First_Name"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>                 <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Chris</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute FriendlyName="Email" Name="Email"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>                 <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">chris.byron at corp.com</saml:AttributeValue>
>             </saml:Attribute>
>         </saml:AttributeStatement>
>     </saml:Assertion>
> </samlp:Response>
> ```
> 
> > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin <dt at acutus.pro> wrote:
> > Hi Chris,
> > 
> > According to the code, an InResponseTo attribute should be added to the response unconditionally:
> > https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168
> > 
> > If you're familiar with debugging, could you please check if this code point is reached? If yes, is the InResponseTo value not null?
> > 
> > Also, which version of Keycloak are you using?
> > 
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> > 
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> > 
> > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
> > > Good morning. I'm trying to debug an issue where my Keycloak IdP does not
> > > include an InResponseTo attribute in the SAMLResponse after an SP-initiated
> > > login. Are there certain conditions in the Request that need to be
> > > satisfied before it will be included? Or certain client configurations in
> > > Keycloak?
> > > 
> > > The SAMLRequest from the SP:
> > > ```
> > > <saml2p:AuthnRequest
> > >   AssertionConsumerServiceURL="
> > > https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > >   AttributeConsumingServiceIndex="0"
> > >   Destination="
> > > https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx"
> > >   ID="idda5349fbbbf9483a91ec1531e52933a6"
> > > IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
> > >   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> > >   xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> > >   <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
> > > </saml2p:AuthnRequest>
> > > ```
> > > 
> > > Keycloak client configuration:
> > > ```
> > > {
> > >   "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
> > >   "clientId": "https://checkmarx.corp.net",
> > >   "rootUrl": "",
> > >   "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
> > >   "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
> > >   "surrogateAuthRequired": false,
> > >   "enabled": true,
> > >   "clientAuthenticatorType": "client-secret",
> > >   "redirectUris": [],
> > >   "webOrigins": [],
> > >   "notBefore": 0,
> > >   "bearerOnly": false,
> > >   "consentRequired": false,
> > >   "standardFlowEnabled": true,
> > >   "implicitFlowEnabled": false,
> > >   "directAccessGrantsEnabled": false,
> > >   "serviceAccountsEnabled": false,
> > >   "authorizationServicesEnabled": false,
> > >   "publicClient": false,
> > >   "frontchannelLogout": true,
> > >   "protocol": "saml",
> > >   "attributes": {
> > >     "saml.assertion.signature": "false",
> > >     "saml.force.post.binding": "true",
> > >     "saml.multivalued.roles": "false",
> > >     "saml.encrypt": "false",
> > >     "saml.server.signature": "true",
> > >     "saml_idp_initiated_sso_url_name": "checkmarx",
> > >     "saml.server.signature.keyinfo.ext": "false",
> > >     "saml.signature.algorithm": "RSA_SHA256",
> > >     "saml_force_name_id_format": "false",
> > >     "saml.client.signature": "false",
> > >     "saml.authnstatement": "true",
> > >     "saml_name_id_format": "email",
> > >     "saml.onetimeuse.condition": "false",
> > >     "saml_signature_canonicalization_method": "
> > > http://www.w3.org/2001/10/xml-exc-c14n#",
> > >     "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer":
> > > "KEY_ID"
> > >   },
> > >   "fullScopeAllowed": false,
> > >   "nodeReRegistrationTimeout": -1,
> > >   "useTemplateConfig": false,
> > >   "useTemplateScope": false,
> > >   "useTemplateMappers": false,
> > >   "access": {
> > >     "view": true,
> > >     "configure": true,
> > >     "manage": true
> > >   }
> > > ```
> > > 
> > > Thank you for any help or advice on this! Cheers,
> > > Chris Byron
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 

