[keycloak-user] Unable to process SAML response from Azure AD

Luis Rodríguez Fernández uo67113 at gmail.com
Wed May 16 06:00:19 EDT 2018


Hello David,

Me, in your <samlp:Response> I am missing a couple of attributes:

Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"

Probably the "Consent" one is not causing the issue, but "InResponseTo"
contains the ID of the AuthnRequest sent by Keycloak, and maybe Keycloak
wants to verify it. My setup is Keycloak as SP and ADFS2 as IdP (very similar to
yours, BTW). You can have a look here at one of the ADFS2 responses:
https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a

Hope it helps,

Luis
2018-05-16 3:06 GMT+02:00 Lynxlogic <info at lynxlogic.com>:

> I’m trying to set up SAML SSO between Azure AD and Keycloak. On the
> redirect back after auth, Keycloak is failing to process the response and
> generates an internal server error:
>
> 00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
>     .
>     .
>     .
> Caused by: java.lang.NullPointerException
>     at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
>     at java.util.regex.Matcher.reset(Matcher.java:309)
>     at java.util.regex.Matcher.<init>(Matcher.java:229)
>     at java.util.regex.Pattern.matcher(Pattern.java:1093)
>     at java.util.regex.Pattern.split(Pattern.java:1206)
>     at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
>     at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
>     at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
>     ... 63 more
>
> I’ve posted the SAML response at
> https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf.
>
> The stack trace indicates it’s failing at IdentityBrokerService.parseEncodedSessionCode().
> I’ve tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point
> me in the right direction to solve this?
>
> Thanks,
> David
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
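An added example, not code from the thread or from Keycloak, to make Luis's point checkable. Two things are worth verifying on the POSTed form before blaming the IdP: the trace shows the NullPointerException raised inside Pattern.split, which means the string handed to IdentityBrokerState.encoded was null (Keycloak carries its broker state in the SAML RelayState, so an empty RelayState is the likely input; that mapping is my assumption here), and, as Luis says, the InResponseTo attribute must echo the ID of the AuthnRequest the SP sent. The script below decodes a SAMLResponse form field, checks RelayState, InResponseTo (on the Response and on the bearer SubjectConfirmationData), Destination and Status, and runs the checks over two constructed responses: one complete, and one shaped like the response in the thread (no InResponseTo, no RelayState). The ACS URL, the state value and the issuer tenant are made-up sample values; the request ID is the one from Luis's message.

```python
"""Sanity-check a SAML 2.0 HTTP-POST response the way an SP does before
consuming it. All sample data below is constructed for the demonstration."""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values: the SP's assertion consumer URL and the AuthnRequest ID it issued.
ACS_URL = "https://sso.example.test/auth/realms/demo/broker/azure/endpoint"
REQUEST_ID = "ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"


def decode_saml_response(saml_response_b64):
    """Decode the base64 SAMLResponse form field into an XML root element."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def check_response(post_form, expected_request_id, expected_acs_url):
    """Return a list of findings; an empty list means the response is consistent
    with the request the SP issued. post_form mimics the POSTed form fields."""
    findings = []
    # Assumption: the SP keeps its own login state in RelayState, so a missing
    # value leaves it with a null string to parse.
    if not post_form.get("RelayState"):
        findings.append("RelayState missing: SP cannot recover the login it started")
    root = decode_saml_response(post_form["SAMLResponse"])
    if root.tag != f"{{{SAMLP}}}Response":
        findings.append(f"unexpected root element {root.tag}")
        return findings
    irt = root.get("InResponseTo")
    if irt is None:
        findings.append("InResponseTo missing on <samlp:Response>: unsolicited "
                        "(IdP-initiated) response, cannot be tied to our AuthnRequest")
    elif irt != expected_request_id:
        findings.append(f"InResponseTo {irt!r} != AuthnRequest ID {expected_request_id!r}")
    dest = root.get("Destination")
    if dest != expected_acs_url:
        findings.append(f"Destination {dest!r} != ACS URL {expected_acs_url!r}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("status is not Success")
    # The bearer SubjectConfirmationData, when present, must echo the same values.
    path = "saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"
    for scd in root.iterfind(path, NS):
        if scd.get("InResponseTo") not in (None, expected_request_id):
            findings.append(f"SubjectConfirmationData InResponseTo {scd.get('InResponseTo')!r} mismatch")
        if scd.get("Recipient") not in (None, expected_acs_url):
            findings.append(f"SubjectConfirmationData Recipient {scd.get('Recipient')!r} mismatch")
    return findings


def make_response(in_response_to=None):
    """Build a minimal, unsigned <samlp:Response> (constructed sample, base64-encoded).
    With in_response_to=None it has the shape of the response in the thread."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    issuer = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # made-up tenant
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0" '
        f'IssueInstant="2018-05-16T01:27:04Z" Destination="{ACS_URL}"{irt}>'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-05-16T01:27:04Z">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        '<saml:Subject><saml:NameID>david@example.test</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{ACS_URL}"{irt} NotOnOrAfter="2018-05-16T01:32:04Z"/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


GOOD_FORM = {"SAMLResponse": make_response(REQUEST_ID), "RelayState": "demo-state"}
BAD_FORM = {"SAMLResponse": make_response(None)}  # no InResponseTo, no RelayState

if __name__ == "__main__":
    for name, form in (("good", GOOD_FORM), ("bad", BAD_FORM)):
        print(name, check_response(form, REQUEST_ID, ACS_URL) or "ok")
```

To use it on a real exchange, take the SAMLResponse and RelayState fields from the browser's POST to the Keycloak endpoint and the ID attribute of the AuthnRequest Keycloak sent; a response that passes these checks but still fails in Keycloak points at signature or mapper configuration rather than request correlation.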