[keycloak-user] Keycloak non-interactive SAML login

Tom Barber tom at spicule.co.uk
Wed Jan 23 17:52:15 EST 2019


Thanks Dmitry

Ironically we started down the hidden iframe route last week and felt there
must be a better solution! Clearly not, so we’ll head back down that avenue.

Thanks for your help.

Tom


On 23 January 2019 at 22:29:14, Dmitry Telegin (dt at acutus.pro) wrote:

Hi,

This message in the logs can be misleading since it reports the
delivery of SAMLAuthnRequest only. The successful completion of SAML
transaction would have been signaled by SAMLResponse (had it been
received).

I'm afraid SAML HTTP Redirect binding won't help either, since it's not
allowed by Spring Security SAML [1] (which is in full accordance with
the standard).

I guess you're trying to fetch some data from your legacy app via XHR,
and receive Keycloak-generated POST binding in response. I suggest that
you implement a silent refresh pattern [2], similarly to what Scott has
done for OIDC implicit flow. In a few words, you should create a hidden
iframe with your SAML app, which, upon loading, will process POST
binding and set up a valid session. After that, you should be able to
perform requests to your legacy app normally. The iframe will also need
to be reloaded periodically to mitigate session expiry.

OIDC to SAML token exchange would have allowed for a more
straightforward solution, but unfortunately is not supported in
Keycloak at the moment.

[1]
https://stackoverflow.com/questions/29889644/metadatagenerator-of-spring-security-saml-doesnt-support-redirect-binding-for-a
[2]
https://www.scottbrady91.com/OpenID-Connect/Silent-Refresh-Refreshing-Access-Tokens-when-using-the-Implicit-Flow

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-23 at 12:56 -0800, Tom Barber wrote:
> Also what's stupid about it is in the Java logs I see
>
> 20:55:43,894 INFO  [SAMLDefaultLogger]
> AuthNRequest;SUCCESS;86.162.163.65;client;
> https://auth.domain.co.uk/auth/realms/ies;;;
>
> So I can even see it working! =/
>
> > On 23 January 2019 at 20:13:13, Tom Barber (tom at spicule.co.uk) wrote:
>
> Hey Dmitry
>
> I turned that setting off earlier today with no obvious change in outcome.
>
> Thanks
>
> Tom
>
>
> > On 23 January 2019 at 18:35:28, Dmitry Telegin (dt at acutus.pro) wrote:
>
> Hello Tom,
>
> Please go to client config in the Keycloak Admin Console and turn off
> "Force POST Binding". Does it make any difference?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Wed, 2019-01-23 at 09:56 -0800, Tom Barber wrote:
> > Hi folks,
> >
> > I have 2 apps, the UI which is authenticated using the Keycloak NodeJS OIDC
> > connector and provides a user UI login. This works fine.
> >
> > Then I have a Java based app that is legacy and uses the Spring SAML
> > connector and when you go to its UI Keycloak also logs you in fine, but
> > we're trying to connect to its API without a user having to manually open
> > its landing page to login.
> >
> > When you try and use a service on the Java app having authenticated on the
> > client app you get:
> >
> > Note: Since your browser does not support JavaScript, you must press the
> > Continue button once to proceed.
> >
> >
> > In the javascript console. Both these apps are in the same realm. Is there
> > anything I'm missing on the Keycloak side I can do to resolve this issue or
> > do I have to find the Java code and jump in with two feet there?
> >
> > Thanks
> >
> > Tom
> >
>
>
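The hidden-iframe "silent refresh" that Dmitry describes above, written out as an added example (this is not code from the thread, from Keycloak, or from Spring Security SAML). A hidden frame navigates to the legacy SAML app; Keycloak's POST-binding page auto-submits the SAMLResponse inside the frame, the SP sets its session cookie, and only then does the UI call the SP's API with credentials. The frame is reloaded on a timer so the SP session does not expire under the user. Assumptions, all hypothetical: `PROBE_URL` is a cheap protected SP endpoint that returns 200 once a session exists and otherwise starts the SAML login; the SP's cookie is sent on credentialed fetches from the UI origin; `doc` and `fetchFn` are injected so the same logic runs under Node against a constructed fake browser.

```javascript
// Silent SAML session bootstrap through a hidden iframe (added example).
const PROBE_URL = "https://legacy.example.invalid/api/ping"; // placeholder SP endpoint (assumption)

// Force a real navigation on every (re)load; a cached frame would never reach Keycloak.
function cacheBusted(url) {
  return `${url}${url.includes("?") ? "&" : "?"}_sr=${Date.now()}`;
}

function createHiddenIframe(doc, url) {
  const frame = doc.createElement("iframe");
  frame.style.display = "none";
  frame.setAttribute("aria-hidden", "true");
  // Keycloak's POST-binding page submits its form with JavaScript and the SP must
  // see its own cookies, so exactly these capabilities are granted: nothing that
  // lets the frame navigate the top window or open popups.
  frame.setAttribute("sandbox", "allow-scripts allow-forms allow-same-origin");
  doc.body.appendChild(frame);
  frame.src = cacheBusted(url);
  return frame;
}

class SilentSamlSession {
  constructor({ doc, fetchFn, probeUrl = PROBE_URL, refreshMs = 5 * 60 * 1000, maxProbes = 3 }) {
    Object.assign(this, { doc, fetchFn, probeUrl, refreshMs, maxProbes });
    this.frame = null;
    this.timer = null;
    this.ready = false;
  }

  // Navigate the hidden frame to the SP, then wait for a credentialed probe to
  // succeed. Resolves true when the SP session exists, false when it could not
  // be established (typically the Keycloak SSO session is gone and the frame is
  // sitting on a login page; the user then has to log in interactively).
  async establish() {
    this.ready = false;
    if (this.frame) this.frame.src = cacheBusted(this.probeUrl);
    else this.frame = createHiddenIframe(this.doc, this.probeUrl);
    await new Promise((resolve) => { this.frame.onload = resolve; });
    for (let i = 0; i < this.maxProbes && !this.ready; i++) {
      // redirect: "manual" turns the SP's redirect-to-Keycloak into an opaque
      // response with ok === false instead of following it into the POST page.
      const res = await this.fetchFn(this.probeUrl, { credentials: "include", redirect: "manual" });
      this.ready = res.ok;
    }
    this.schedule();
    return this.ready;
  }

  schedule() {
    this.stop(false);
    this.timer = setTimeout(() => { this.establish().catch(() => {}); }, this.refreshMs);
    if (typeof this.timer.unref === "function") this.timer.unref(); // Node only; a browser timer is a number
  }

  stop(removeFrame = true) {
    if (this.timer) clearTimeout(this.timer);
    this.timer = null;
    if (removeFrame && this.frame) {
      this.doc.body.removeChild(this.frame);
      this.frame = null;
      this.ready = false;
    }
  }
}

// Call the legacy API, bootstrapping the SP session first if there is none yet.
async function callLegacyApi(session, url, init = {}) {
  if (!session.ready && !(await session.establish())) {
    throw new Error("no SAML session: user must log in to Keycloak interactively");
  }
  return session.fetchFn(url, { ...init, credentials: "include" });
}

// Constructed stand-in for the browser so the example runs under Node: the frame
// fires `load` asynchronously, and the SP "session cookie" appears only when the
// frame navigates while a Keycloak SSO session exists.
function makeFakeBrowser({ ssoLoggedIn }) {
  const state = { frameLoads: 0, sessionCookie: false };
  const doc = {
    body: {
      children: [],
      appendChild(el) { this.children.push(el); },
      removeChild(el) { this.children = this.children.filter((e) => e !== el); },
    },
    createElement(tag) {
      return {
        tag, style: {}, attrs: {}, onload: null, _src: "",
        setAttribute(k, v) { this.attrs[k] = v; },
        get src() { return this._src; },
        set src(v) {
          this._src = v;
          state.frameLoads += 1;
          if (ssoLoggedIn) state.sessionCookie = true; // SP ACS sets its cookie after the auto-POST
          setTimeout(() => this.onload && this.onload(), 0);
        },
      };
    },
  };
  const fetchFn = async (url, init) => {
    const authed = init.credentials === "include" && state.sessionCookie;
    return authed ? { ok: true, status: 200, url } : { ok: false, status: 0, type: "opaqueredirect" };
  };
  return { doc, fetchFn, state };
}

// In a real page, hand in the real DOM and fetch instead of the fake.
if (typeof document !== "undefined" && typeof fetch === "function") {
  const session = new SilentSamlSession({ doc: document, fetchFn: fetch.bind(globalThis) });
  callLegacyApi(session, PROBE_URL).then((r) => console.log("legacy API status", r.status));
}
```

Two things decide whether this works at all: the SP's session cookie must be sent from the UI origin (SameSite and third-party-cookie rules bite if the two apps are on different sites), and the realm's Security Defenses headers in Keycloak (X-Frame-Options, Content-Security-Policy) must allow the UI origin to frame the POST-binding page, otherwise the hidden frame stays blank and the probe never succeeds. When `establish()` returns false the frame is showing a login form; the code deliberately does nothing with it and surfaces the failure so the UI can send the user through a normal interactive login.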
