[keycloak-user] SAML 2.0 Broker Kickoff - Config Issue or Bug?

Josh Cain jcain at redhat.com
Wed Oct 24 16:48:49 EDT 2018



Hi all,

I'm trying to drop into a SAML 2.0 brokered flow, and I can't seem to
get Keycloak to kick it off right.  Here's what I'm doing:

 1) Setting up a third-party IDP as an Identity Provider by importing
SAML 2.0 metadata.
 2) Attempting a standard login flow against a client, then clicking
the newly added identity provider on the login screen.
 3) Watch, as Keycloak gives me an "Invalid Request" error message

After looking under the hood, I can see that it's fussing about not
having a ClientID:

[2018-10-24 20:12:41,591+0000] DEBUG
[org.keycloak.services.resources.IdentityBrokerService] (default task-
61) Invalid request. Authorization code, clientId or tabId was null.
Code=IugzCrTYU0xfZ_sLF1prPRTZC5WsR9-F3HrDyCUegLE, clientId=null,
tabID=vPZ0M6-0eao

I also just attempted with a Github provider, and encountered the same
issue.  Not sure what's going on, as the IdentityProviderBean doesn't
use the clientId (as I'd imagine it shouldn't?) when constructing the
provider urls, seems strange that it would be required:

String loginUrl = Urls.identityProviderAuthnRequest(baseURI,
identityProvider.getAlias(), realm.getName()).toString();

Sooo... can someone help me figure out what I'm doing wrong here?  I'm
guessing user error is the problem here (otherwise, a lot of brokering
would be busted).  Thanks!

-- 
Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America


