<div dir="ltr"><div><div><div>Hi, <br><br></div>I'm trying to integrate Keycloak into the French research identity federation (Renater) and I'm facing some problems.<br></div>Actually, when the IdP responds to Keycloak I'm getting the following error: <br>PL00084: Writer: Unsupported Attribute Value:org.keycloak.dom.saml.v2.assertion.NameIDType<br><br></div><div>It seems that this IdP is using the transient NameID policy only, and using the "unspecified" field in the IdP config in Keycloak generates this exception in return.<br><br></div><div>The Keycloak server log is attached.<br><br></div><div>I have no idea what is happening, because when I was using the test federation everything was working, but now that I'm in the production federation, login fails.<br><br></div><div>The Renater federation is using Shibboleth and Keycloak is not supported by the federation moderators, so I'm alone in the dark now...<br><br></div><div>Renater provides an IdP list that I have to parse and synchronize with the IdPs in Keycloak. In return I provide a list of all endpoints for each Keycloak-registered IdP to allow the federation IdPs to answer correctly to the right endpoint. All of this is done by a small web app deployed alongside Keycloak that uses the REST API to synchronize all the IdPs.<br><br></div><div>One of the IdP entity descriptors is attached. 
As you can see, only the transient NameID policy is supported, and if I configure Keycloak to use email or persistent, I receive a response saying that the NameID is not supported: <br><br><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO" ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></samlp:AuthnRequest>
<br><br><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" ID="_9d03761957aade819b6823c35bbab278" InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></saml2p:StatusCode><saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage></saml2p:Status></saml2p:Response>
<br></div><div><br><br></div><div>Any help would be gratefully appreciated.<br><br></div><div>Thanks a lot, Jérôme.<br></div><div></div></div>
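The exchange above shows the two things a federation sync tool like the one described in the message should check before and after an SSO round trip: whether the requested NameIDPolicy format is among the `NameIDFormat` values the IdP advertises in its metadata, and what the nested `StatusCode` chain of a rejected Response actually says (the top-level `Responder` code only tells you who refused; the nested `InvalidNameIDPolicy` is the reason). The following is an added example, not code from the original post, from Keycloak or from Renater; the metadata snippet and the Response are constructed to mirror the values quoted above, and the entity ID `https://idp.example.invalid/idp` is a placeholder.

```python
"""Pre-flight NameID format check against IdP metadata, plus a decoder for the
nested StatusCode chain an IdP returns when it rejects a NameIDPolicy.

Added example; not code from the original post, Keycloak or Renater. Inputs
below are constructed to mirror the exchange quoted in the message."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed metadata: an IdP advertising only the transient format, as the
# federation IdP in the message does. The entityID is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response mirroring the rejection quoted in the message.
REJECTION = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed" Version="2.0" IssueInstant="2015-12-22T16:13:16.420Z">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.invalid/idp</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>"""


def supported_nameid_formats(metadata_xml: str) -> list:
    """Return the NameIDFormat values advertised in the IdP's IDPSSODescriptor.

    An empty list means the IdP advertises nothing; SAML metadata treats that
    as 'any format', so callers must handle it explicitly."""
    root = ET.fromstring(metadata_xml)
    return [
        (el.text or "").strip()
        for el in root.findall(".//md:IDPSSODescriptor/md:NameIDFormat", NS)
    ]


def nameid_policy_is_supported(metadata_xml: str, requested_format: str) -> bool:
    """True when a NameIDPolicy with this Format can be honoured by the IdP."""
    formats = supported_nameid_formats(metadata_xml)
    return not formats or requested_format in formats


def decode_status(response_xml: str) -> dict:
    """Flatten the nested StatusCode chain and StatusMessage of a Response.

    codes[0] is the top-level code (Responder/Requester/Success); any later
    entries are the nested sub-codes that carry the real reason."""
    root = ET.fromstring(response_xml)
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find("samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return {
        "codes": codes,
        "success": codes[:1] == ["urn:oasis:names:tc:SAML:2.0:status:Success"],
        "message": (msg.text or "").strip() if msg is not None else "",
    }


if __name__ == "__main__":
    for fmt in (EMAIL, PERSISTENT, TRANSIENT):
        ok = nameid_policy_is_supported(IDP_METADATA, fmt)
        print(f"{fmt.rsplit(':', 1)[-1]:12s} -> {'ok' if ok else 'not advertised by IdP'}")
    print(decode_status(REJECTION))
```

Running the script reports that `emailAddress` and `persistent` are not advertised while `transient` is, and decodes the rejection to the code chain `Responder -> InvalidNameIDPolicy` with the message `Required NameID format not supported`. Wiring `nameid_policy_is_supported` into the sync job that imports the federation's IdP list lets it refuse or flag an IdP configuration whose requested format the IdP cannot honour, instead of discovering the mismatch at login time.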