[keycloak-user] Testing SAML Identity Brokering

Craig Setera craig at baseventure.com
Fri Oct 12 11:47:52 EDT 2018


Dmitry,

This is great!  I was able to finally see a working SAML identity broker
and I can, therefore, start to understand how it works.

One other question: I understand how to provide a "hint" about which
identity provider to use when initiating login from my client application.
Is there a way to "start" login at the SAML service and have it redirect
back to Keycloak or must the login processing always start at Keycloak?

Thanks again,
Craig

=================================
*Craig Setera*

*Chief Technology Officer*




On Fri, Oct 12, 2018 at 7:50 AM Dmitry Telegin <dt at acutus.pro> wrote:

> Hi Craig,
>
> On Thu, 2018-10-11 at 15:36 -0500, Craig Setera wrote:
> > I'm attempting to set up a test of identity brokering all within a single
> > Keycloak server.  I have two realms set up.  The "saml-demo" realm is set
> > up with a SAML client.  I've exported the SAML definition from that client
> > and imported it into the Identity Brokering for the second realm.
>
> In the brokering scenario, your webapp should remain the client of the
> saml-demo realm, and this realm itself should become a client of another
> realm. This is how brokering actually works.
>
> Let's assume there are realms "foo" and "bar", and the former should
> broker to the latter. The exact steps are:
> 1. Go to "foo" realm -> Identity Providers -> add SAML 2.0 provider;
> 2. Scroll down to "Import from URL", enter the following:
> http://<your-keycloak-host>:<port>/auth/realms/bar/protocol/saml/descriptor
> (replace "bar" with the actual name of your second realm)
> 3. Go to Export tab, save EntityDescriptor XML;
> 4. Go to "bar" realm -> Clients, create one, import the XML from the
> previous step, provide some meaningful name;
> 5. Create some users in "bar".
>
> After that, try accessing your SAML client. You'll be presented with the
> Keycloak login screen where you'll be able to either authenticate against
> "saml-demo", or to choose another realm.
>
> Some notes:
> - you can avoid first login screen and redirect automatically to the
> second realm, using custom authentication flow with IDP redirector + flow
> override at the client level;
> - upon the first brokered login, the user will be presented with the
> Update account details screen. If you want to bypass that, you can enable
> identity auto-linking.
> It's out of the box in KC 4.5.0, thx to excellent work by Ryan Slominski:
> https://issues.jboss.org/browse/KEYCLOAK-7270
> For KC <4.5.0, you can use this:
> https://github.com/ohioit/keycloak-link-idp-with-user
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> > Unfortunately, I can't seem to get to the login page of the "saml-demo"
> > when navigating from the second realm.  When I click on the identity broker
> > realm link, I'm seeing the following in the logs:
> >
> > keycloak_1  | Caused by: java.security.SignatureException: Signature length
> > not correct: got 256 but was expecting 128
> > keycloak_1  |     at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)
> > keycloak_1  |     at java.security.Signature$Delegate.engineVerify(Signature.java:1222)
> > keycloak_1  |     at java.security.Signature.verify(Signature.java:655)
> > keycloak_1  |     at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:236)
> >
> > I've turned up logging for all of the Keycloak SAML functionality as well
> > as for java.security.  However, I'm struggling to figure out where the
> > mismatch is located in the configuration and not quite sure where to even
> > look.
> >
> > Can anyone offer suggestions on how to go about setting this up or
> > troubleshooting what I'm doing?
> >
> > Thanks,
> > Craig
> >
> > =================================
> > *Craig Setera*
> >
> > *Chief Technology Officer*
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
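The SignatureException quoted in the thread ("got 256 but was expecting 128") is a key-size mismatch rather than a protocol problem: a PKCS#1 RSA signature is exactly as long as the signer's modulus, so the broker was verifying against a 1024-bit certificate while the realm actually signing the assertion used a 2048-bit key, which is what happens when the wrong realm's descriptor (or a stale one) is imported in Dmitry's step 2. The following added example, written for this thread and not part of Keycloak or of either poster's message, pulls the signing certificate(s) out of an IdP EntityDescriptor, derives the RSA key size with a minimal DER walk (standard library only), and checks it against the signature length from the log line. The metadata document, entityID and certificate it uses are constructed test data; `fake_cert` builds a structurally valid but unsigned and untrusted certificate shell solely so the example runs offline.

```python
"""Added example: check a SAML IdP's configured signing key size against the
signature length reported by java.security. Not Keycloak code; the metadata
and certificate below are constructed test data."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits(cert_der):
    """Return the RSA modulus size in bits of a DER-encoded X.509 certificate."""
    _, cert, _ = der_read(cert_der)                  # Certificate SEQUENCE
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signatureAlg, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5][1]
    bit_string = der_children(spki)[1][1]            # first byte = unused-bit count
    _, rsa_key, _ = der_read(bit_string[1:])         # RSAPublicKey SEQUENCE
    modulus = der_children(rsa_key)[0][1]
    return int.from_bytes(modulus, "big").bit_length()


def signing_certs(metadata_xml):
    """DER signing certificate(s) from an EntityDescriptor. A KeyDescriptor
    without a 'use' attribute covers signing as well as encryption."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(c.text.split())))
    return certs


def diagnose(metadata_xml, observed_sig_bytes):
    """Compare the configured signing key sizes (in signature bytes) with the
    'got N' value from the SignatureException message."""
    expected = [rsa_modulus_bits(c) // 8 for c in signing_certs(metadata_xml)]
    return {"configured_sig_bytes": expected,
            "observed_sig_bytes": observed_sig_bytes,
            "matches": observed_sig_bytes in expected}


# --- constructed test data: a minimal, unsigned X.509 shell around an RSA key ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(value):
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return der_tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)


def fake_cert(modulus_bits):
    """Structurally valid (not trusted, not signed) certificate DER for tests."""
    modulus = (1 << (modulus_bits - 1)) | 1           # exact bit length, odd
    rsa_key = der_tlv(0x30, der_int(modulus) + der_int(65537))
    rsa_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + rsa_key))
    empty = der_tlv(0x30, b"")                        # stands in for issuer/validity/subject
    tbs = der_tlv(0x30, der_tlv(0xA0, der_int(2)) + der_int(1) + rsa_alg
                  + empty + empty + empty + spki)
    return der_tlv(0x30, tbs + rsa_alg + der_tlv(0x03, b"\x00"))


# Constructed descriptor for a hypothetical "bar" realm with a 1024-bit signing key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.example/auth/realms/bar">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".format(cert=base64.b64encode(fake_cert(1024)).decode())

if __name__ == "__main__":
    # The thread's symptom: a 256-byte signature checked against a 128-byte key
    print(diagnose(SAMPLE_METADATA, 256))
```

Run it against the descriptor you actually imported into the broker (the "Import from URL" step) and the signature length from the exception: if `matches` is false, the broker's copy of the IdP certificate is not the key the signing realm currently uses, and re-importing the descriptor from the right realm, or pasting the current certificate into the identity provider's "Validating X509 Certificates" setting, is the fix to try before touching any SAML protocol options.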

