[keycloak-user] SAMLResponse missing InResponseTo
Dmitry Telegin
dt at acutus.pro
Mon Jul 23 18:52:32 EDT 2018
On Mon, 2018-07-23 at 15:22 -0700, Chris Byron wrote:
> That's a bit too advanced for me. After a few hours spent trying to
> learn how to do remote debugging, I returned to code examination, and
> found the problem!
Glad you've found the answer, and sorry for having mislead you.
Nevertheless, remote debugging is a must-have skill, I hope one day
you'll make use of it and remember this day :)
> I was sending the SAMLRequest to the IdP initiated URL. So
> Keycloak ignored the SAMLRequest in the URL and treated it like an
> IdP initiated login. I should have been sending to
> /{realm}/protocol/saml, not
> /{realm}/protocol/saml/clients/checkmarx .
My bad, it was easy to overlook the suspicious Destination="..." in all
that XML. As the doc says, "SAML tends to be a bit more verbose than
OIDC." (is that "a bit" an irony?) :-D
Cheers and good luck with Keycloak,Dmitry
> On Mon, Jul 23, 2018 at 9:53 AM Dmitry Telegin <dt at acutus.pro> wrote:
> > On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote:
> > > Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should
> > have said up front!)
> >
> > First and foremost, could you please try latest Keycloak (4.1.0)?
> > Maybe not upgrading your main instance, but rather installing in
> > parallel. There have been some changes to the SAML subsystem since
> > 3.4.X.
> >
> > > I am familiar with changing logging levels of the running service
> > using the jboss cli, but I don't have the ability to build and step
> > through or set breakpoints. (If it is possible to attach a CLI
> > debugger to a running instance, please let me know! I have root on
> > the host.)
> >
> > Yes, this is possible - just rerun Keycloak with the "--debug"
> > option, it will open a listener on port 8787 (use "--debug <port>"
> > to override).
> >
> > Then forward this port to your box via SSH and use your favorite
> > IDE to attach debugger to localhost:8787 using dt_socket transport
> > (it could be also called "SocketAttach connector"). Also,
> > obviously, you'll need to checkout the source tree.
> >
> > Basically, you'll need to determine which code path Keycloak takes
> > to generate the response, and, after that, try to understand why
> > the attribute is omitted.
> >
> > Good luck!
> > Dmitry
> >
> > >
> > > I doubt this helps, but here is the SAMLResponse from the
> > Request posted previously:
> > > ```
> > > <samlp:Response Destination="https://checkmarx.corp.net/cxrestapi
> > /auth/samlAcs"
> > > ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd"
> > IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
> > > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
> > > <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml
> > :Issuer>;;;
> > > > <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmlds
> > ig#">;;;
> > > <dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod
> > Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> > > <dsig:Reference URI="#ID_56969c1e-9957-4611-a145-
> > 5f4a0e3ee7bd">
> > > <dsig:Transforms><dsig:Transform Algorithm="http:
> > //www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform
> > Algorithm="http://www.w3.org/2001/10/xml-exc-
> > c14n#"/></dsig:Transforms><dsig:DigestMethod
> > Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> > >
> > <dsig:DigestValue>G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y=</dsi
> > g:DigestValue>
> > > </dsig:Reference>
> > > </dsig:SignedInfo>
> > >
> > <dsig:SignatureValue>VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A
> > ==</dsig:SignatureValue>
> > > <dsig:KeyInfo>
> > >
> > <dsig:KeyName>3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc</dsig:Key
> > Name>
> > > <dsig:X509Data>
> > >
> > <dsig:X509Certificate>MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATM
> > REwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > XXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O</dsig:X509Certificate>
> > > </dsig:X509Data>
> > > <dsig:KeyValue>
> > > <dsig:RSAKeyValue>
> > >
> > <dsig:Modulus>qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew==</dsig:M
> > odulus>
> > > <dsig:Exponent>AQAB</dsig:Exponent>
> > > </dsig:RSAKeyValue>
> > > </dsig:KeyValue>
> > > </dsig:KeyInfo>
> > > </dsig:Signature>
> > > <samlp:Status><samlp:StatusCode
> > Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
> > > <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046"
> > IssueInstant="2018-07-20T23:39:37.055Z"
> > > Version="2.0"
> > xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
> > > <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</
> > saml:Issuer>;;;
> > > <saml:Subject>
> > > > <saml:NameID
> > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chr
> > is.byron at corp.com</saml:NameID>
> > > <saml:SubjectConfirmation
> > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirm
> > ationData NotOnOrAfter="2018-07-20T23:44:35.055Z"
> > > Recipient="https://checkmarx.corp.net/cxrestapi/a
> > uth/samlAcs"/></saml:SubjectConfirmation>;;;
> > > </saml:Subject>
> > > <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z"
> > NotOnOrAfter="2018-07-20T23:40:35.055Z">
> > > <saml:AudienceRestriction>
> > > <saml:Audience>https://checkmarx.corp.net</saml:A
> > udience>;;;
> > > </saml:AudienceRestriction>
> > > </saml:Conditions>
> > > <saml:AuthnStatement AuthnInstant="2018-07-
> > 20T23:39:37.055Z"
> > > SessionIndex="3de9fb38-c443-4d9a-a8c2-
> > 26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25">
> > > <saml:AuthnContext>
> > >
> > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:u
> > nspecified</saml:AuthnContextClassRef>
> > > </saml:AuthnContext>
> > > </saml:AuthnStatement>
> > > <saml:AttributeStatement>
> > > <saml:Attribute FriendlyName="Last name"
> > Name="Last_Name"
> > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
> > format:basic">
> > > <saml:AttributeValue xmlns:xs="http://www.w3.org/
> > 2001/XMLSchema"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-i
> > nstance" xsi:type="xs:string">Byron</saml:AttributeValue>
> > > </saml:Attribute>
> > > <saml:Attribute FriendlyName="First name"
> > Name="First_Name"
> > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
> > format:basic">
> > > <saml:AttributeValue xmlns:xs="http://www.w3.org/
> > 2001/XMLSchema"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-i
> > nstance" xsi:type="xs:string">Chris</saml:AttributeValue>
> > > </saml:Attribute>
> > > <saml:Attribute FriendlyName="Email" Name="Email"
> > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
> > format:basic">
> > > <saml:AttributeValue xmlns:xs="http://www.w3.org/
> > 2001/XMLSchema"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-i
> > nstance"
> > xsi:type="xs:string">chris.byron at corp.com</saml:AttributeValue>
> > > </saml:Attribute>
> > > </saml:AttributeStatement>
> > > </saml:Assertion>
> > > </samlp:Response>
> > > ```
> > >
> > > > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin <dt at acutus.pro>
> > wrote:
> > > > Hi Chris,
> > > >
> > > > According to the code, an InResponseTo attribute should be
> > added to the response unconditionally:
> > > > https://github.com/keycloak/keycloak/blob/master/saml-core/src/
> > main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Re
> > sponse.java#L168
> > > >
> > > > If you're familiar with debugging, could you please check if
> > this code point is reached? If yes, is the InResponseTo value not
> > null?
> > > >
> > > > Also, which version of Keycloak are you using?
> > > >
> > > > Cheers,
> > > > Dmitry Telegin
> > > > CTO, Acutus s.r.o.
> > > > Keycloak Consulting and Training
> > > >
> > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > +42 (022) 888-30-71
> > > > E-mail: info at acutus.pro
> > > >
> > > > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
> > > > > Good morning. I'm trying to debug an issue where my Keycloak
> > IdP does not
> > > > > include an InResponseTo attribute in the SAMLResponse after
> > an SP-initiated
> > > > > login. Are there certain conditions in the Request that need
> > to be
> > > > > satisfied before it will be included? Or certain client
> > configurations in
> > > > > Keycloak?
> > > > >
> > > > > The SAMLRequest from the SP:
> > > > > ```
> > > > > <saml2p:AuthnRequest
> > > > > AssertionConsumerServiceURL="
> > > > > > > https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > > > > AttributeConsumingServiceIndex="0"
> > > > > Destination="
> > > > > https://keycloak.corp.netauth/realms/Corp/protocol/saml/clien
> > ts/checkmarx"
> > > > > ID="idda5349fbbbf9483a91ec1531e52933a6"
> > > > > IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
> > > > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> > > > > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> > > > > > > > <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
> > ;;;;
> > > > > </saml2p:AuthnRequest>
> > > > > ```
> > > > >
> > > > > Keycloak client configuration:
> > > > > ```
> > > > > {
> > > > > "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
> > > > > > > > "clientId": "https://checkmarx.corp.net",
> > > > > "rootUrl": "",
> > > > > > "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/sa
> > mlAcs",
> > > > > "baseUrl":
> > "/auth/realms/Corp/protocol/saml/clients/checkmarx",
> > > > > "surrogateAuthRequired": false,
> > > > > "enabled": true,
> > > > > "clientAuthenticatorType": "client-secret",
> > > > > "redirectUris": [],
> > > > > "webOrigins": [],
> > > > > "notBefore": 0,
> > > > > "bearerOnly": false,
> > > > > "consentRequired": false,
> > > > > "standardFlowEnabled": true,
> > > > > "implicitFlowEnabled": false,
> > > > > "directAccessGrantsEnabled": false,
> > > > > "serviceAccountsEnabled": false,
> > > > > "authorizationServicesEnabled": false,
> > > > > "publicClient": false,
> > > > > "frontchannelLogout": true,
> > > > > "protocol": "saml",
> > > > > "attributes": {
> > > > > "saml.assertion.signature": "false",
> > > > > "saml.force.post.binding": "true",
> > > > > "saml.multivalued.roles": "false",
> > > > > "saml.encrypt": "false",
> > > > > "saml.server.signature": "true",
> > > > > "saml_idp_initiated_sso_url_name": "checkmarx",
> > > > > "saml.server.signature.keyinfo.ext": "false",
> > > > > "saml.signature.algorithm": "RSA_SHA256",
> > > > > "saml_force_name_id_format": "false",
> > > > > "saml.client.signature": "false",
> > > > > "saml.authnstatement": "true",
> > > > > "saml_name_id_format": "email",
> > > > > "saml.onetimeuse.condition": "false",
> > > > > "saml_signature_canonicalization_method": "
> > > > > > > http://www.w3.org/2001/10/xml-exc-c14n#",
> > > > >
> > "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer"
> > :
> > > > > "KEY_ID"
> > > > > },
> > > > > "fullScopeAllowed": false,
> > > > > "nodeReRegistrationTimeout": -1,
> > > > > "useTemplateConfig": false,
> > > > > "useTemplateScope": false,
> > > > > "useTemplateMappers": false,
> > > > > "access": {
> > > > > "view": true,
> > > > > "configure": true,
> > > > > "manage": true
> > > > > }
> > > > > ```
> > > > >
> > > > > Thank you for any help or advice on this! Cheers,
> > > > > Chris Byron
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> >
More information about the keycloak-user
mailing list