[keycloak-user] invalid_token with SAML HTTP redirect binding
Emanuele Faranda
faranda at ntop.org
Mon Jun 18 17:53:36 EDT 2018
Hello,
I'm trying to implement SAML authentication with the help of keycloak,
but I cannot make it work.
I'm running keycloak 4.0.0.Final as a standalone server distribution on
Ubuntu 16.04.
I've configured a new SAML identity provider from the "Identity
Providers" menu by filling in only the required fields.
From command line, I'm sending the following request to my keycloak
instance:
curl 'http://192.168.2.165:8080/auth/realms/master/broker/saml/endpoint?SAMLRequest=Zc6xCsIwEIDhVwm3tyYplnK0hYJLQBcVBxeJJWAhudRcAuLTK67O%2Fzf8PdvgV5xKftDRPYvjLMxugJu9z0o3%2FGYQr%2BCJ8QcHKIkwWl4YyQbHmGc8TYc96lrimmKOc%2FQgDHNxhjhbygNoqbpKtpXqzqrFZotaXUFcXOIl0jfXEsZ%2B838yfgA%3D'
where the SAMLRequest parameter value is the url_encode of
base64+deflate (generated from https://www.samltool.com/encode.php) of
the following SAML request:
<samlp:AuthnRequest ID="_abc123szs"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
IssueInstant="2018-06-18T16:35:21Z" Version="2.0"></samlp:AuthnRequest>
Keycloak returns "Invalid Request" in the HTML reply. I've enabled
verbose debugging and this is the trace:
23:11:11,462 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002315: PathInfo: /realms/master/broker/saml/endpoint
23:11:11,463 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-4) SAML Redirect Binding
23:11:11,463 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-4) <samlp:AuthnRequest ID="_abc123szs" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2018-06-18T16:35:21Z" Version="2.0"></samlp:AuthnRequest>
23:11:11,471 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.2.221, error=invalid_token
The debug trace shows that the request is decoded properly, but I get
the "invalid_token" warning. If I redirect an HTTP client via a 302
request to the url above I get the same "Invalid Request" and inability
to proceed with login.
I've also tried with different sample SAML request XML documents, but the
results are the same. Do you have any clue?
Regards,
Emanuele