[keycloak-user] SAML 2.0 Broker Kickoff - Config Issue or Bug?

Josh Cain jcain at redhat.com
Wed Oct 24 18:02:52 EDT 2018



OK... figured it out.  Turns out if I'm using an IdP-initiated flow
(i.e. hitting the Keycloak URL for that SAML client), then that field
is blank.

I've got the docs[1] on how to configure this flow.  Thanks for being
my rubber duck, keycloak-user list.

[1] https://www.keycloak.org/docs/2.5/server_admin/topics/clients/saml/idp-initiated-login.html#_identity_broker

On Wed, 2018-10-24 at 15:48 -0500, Josh Cain wrote:
> Hi all,
> 
> I'm trying to drop into a SAML 2.0 brokered flow, and I can't seem to
> get Keycloak to kick it off right.  Here's what I'm doing:
> 
>  1) Setting up a third-party IdP as an Identity Provider by importing
> SAML 2.0 metadata.
>  2) Attempting a standard login flow against a client, then clicking
> the newly added identity provider on the login screen.
>  3) Watching as Keycloak gives me an "Invalid Request" error message.
> 
> After looking under the hood, I can see that it's fussing about not
> having a ClientID:
> 
> [2018-10-24 20:12:41,591+0000] DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-61) Invalid request. Authorization code, clientId or tabId was null. Code=IugzCrTYU0xfZ_sLF1prPRTZC5WsR9-F3HrDyCUegLE, clientId=null, tabID=vPZ0M6-0eao
> 
> I also just attempted with a GitHub provider, and encountered the
> same issue.  Not sure what's going on, as the IdentityProviderBean
> doesn't use the clientId (as I'd imagine it shouldn't?) when
> constructing the provider URLs; it seems strange that it would be
> required:
> 
> String loginUrl = Urls.identityProviderAuthnRequest(baseURI, identityProvider.getAlias(), realm.getName()).toString();
> 
> Sooo... can someone help me figure out what I'm doing wrong here?
> I'm guessing user error is the problem here (otherwise, a lot of
> brokering would be busted).  Thanks!
> 
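As an added example (not code from this thread or from Keycloak itself): a small Python checker that picks the `Invalid request. Authorization code, clientId or tabId was null.` line quoted above out of a Keycloak debug log and reports which of the three fields was actually null, so that a clientId-only gap (the symptom the reply attributes to the IdP-initiated flow) can be told apart from other broker rejections. The regex is built from the single log line in the thread; the second sample line below is constructed, and the field names `code`, `client_id` and `tab_id` are my own choices.

```python
import re
from typing import List, Optional, Tuple

# Debug line emitted by org.keycloak.services.resources.IdentityBrokerService when a
# brokered login is rejected. The shape is taken from the line quoted in the thread;
# Keycloak prints a missing value as the literal string "null".
BROKER_INVALID_REQUEST = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+DEBUG\s+"
    r"\[org\.keycloak\.services\.resources\.IdentityBrokerService\]\s+"
    r"\((?P<thread>[^)]+)\)\s+"
    r"Invalid request\. Authorization code, clientId or tabId was null\.\s+"
    r"Code=(?P<code>\S+?), clientId=(?P<client_id>\S+?), tabID=(?P<tab_id>\S+)$"
)

# Sample log lines (constructed for this example). The first is the line quoted in
# the thread; the second and third are made up and are not real Keycloak output.
SAMPLE_LINES = [
    "[2018-10-24 20:12:41,591+0000] DEBUG [org.keycloak.services.resources.IdentityBrokerService] "
    "(default task-61) Invalid request. Authorization code, clientId or tabId was null. "
    "Code=IugzCrTYU0xfZ_sLF1prPRTZC5WsR9-F3HrDyCUegLE, clientId=null, tabID=vPZ0M6-0eao",
    "[2018-10-24 20:13:02,004+0000] DEBUG [org.keycloak.services.resources.IdentityBrokerService] "
    "(default task-62) Invalid request. Authorization code, clientId or tabId was null. "
    "Code=null, clientId=my-app, tabID=null",
    "[2018-10-24 20:13:05,117+0000] INFO  [org.keycloak.events] (default task-63) "
    "type=LOGIN, realmId=demo",
]


def parse_broker_invalid_request(line: str) -> Optional[dict]:
    """Return the fields of an IdentityBrokerService 'Invalid request' line, or None.

    The returned dict carries ts, thread, code, client_id, tab_id and a 'missing'
    list naming which of code/client_id/tab_id were printed as null.
    """
    m = BROKER_INVALID_REQUEST.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["missing"] = [k for k in ("code", "client_id", "tab_id") if fields[k] == "null"]
    return fields


def explain(parsed: dict) -> str:
    """Map the missing-field pattern to the likely cause, as far as the thread supports it."""
    missing = parsed["missing"]
    if missing == ["client_id"]:
        # Only clientId is blank: per the reply above, this is what Keycloak sees when the
        # login was IdP-initiated (the SAML client's Keycloak URL was hit directly), so the
        # fix is the identity-broker configuration for IdP-initiated login, not the IdP itself.
        return ("clientId missing only: consistent with an IdP-initiated flow; "
                "check the IdP-initiated login / identity broker configuration")
    return "missing fields: " + ", ".join(missing) + " (not the IdP-initiated pattern)"


def scan(lines: List[str]) -> List[Tuple[str, List[str], str]]:
    """Return (timestamp, missing fields, explanation) for every broker rejection found."""
    results = []
    for line in lines:
        parsed = parse_broker_invalid_request(line)
        if parsed is not None:
            results.append((parsed["ts"], parsed["missing"], explain(parsed)))
    return results


if __name__ == "__main__":
    for ts, missing, why in scan(SAMPLE_LINES):
        print(f"{ts}  missing={missing}  -> {why}")
```

Run it over a real server log (for example by piping `grep IdentityBrokerService server.log` into `scan`) with DEBUG logging enabled for `org.keycloak.services.resources.IdentityBrokerService`; any line where only `client_id` is reported missing points at the IdP-initiated configuration discussed above rather than at the third-party IdP.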


