<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
The external SAML IDP is not setting RelayState correctly. It is
supposed to pass it as is.<br>
<br>
<div class="moz-cite-prefix">On 1/16/2016 8:34 AM, Mai Zi wrote:<br>
</div>
<blockquote
cite="mid:731258399.5469994.1452951262540.JavaMail.yahoo@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:garamond, new york, times, serif;font-size:14px">
<div id="yiv0700961759">
<div id="yui_3_16_0_1_1452945384142_4965">
<div
style="color:#000;background-color:#fff;font-family:garamond,
new york, times, serif;font-size:14px;"
id="yui_3_16_0_1_1452945384142_4964">
<div><span></span></div>
<div class="yiv0700961759qtdSeparateBR"
id="yui_3_16_0_1_1452945384142_4963"><br clear="none">
One observation from keycloak log is as below:</div>
<div class="yiv0700961759qtdSeparateBR"
id="yui_3_16_0_1_1452945384142_4963"><br>
</div>
<div class="yiv0700961759qtdSeparateBR"
id="yui_3_16_0_1_1452945384142_4963" dir="ltr">
<pre class="" ng-bind-html="message.MMActualContent" style="margin-top: 0px; margin-bottom: 0px; font-family: inherit; word-break: initial; line-height: 22.4px; background-color: rgb(178, 226, 129);" id="yui_3_16_0_1_1452945384142_5087">2016-01-16 18:12:33,067 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=UnileverHR, clientId=null, userId=null, ipAddress=180.107.103.49, error=identityProviderAuthenticationFailedMessage
2016-01-16 18:12:33,071 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-30) identityProviderAuthenticationFailedMessage: org.keycloak.broker.provider.IdentityBrokerException: Invalid code, please login again through your client.
        at org.keycloak.services.resources.IdentityBrokerService.parseClientSessionCode(IdentityBrokerService.java:551)
        at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:251)
        at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:319)
        at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:350)
        at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:165)
        at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:113)
        at sun.reflect.GeneratedMethodAccessor73.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)</pre>
<pre class="" ng-bind-html="message.MMActualContent" style="margin-top: 0px; margin-bottom: 0px; font-family: inherit; word-break: initial; line-height: 22.4px; background-color: rgb(178, 226, 129);" id="yui_3_16_0_1_1452945384142_5087">
</pre>
<pre class="" ng-bind-html="message.MMActualContent" style="margin-top: 0px; margin-bottom: 0px; font-family: inherit; word-break: initial; line-height: 22.4px; background-color: rgb(178, 226, 129);" id="yui_3_16_0_1_1452945384142_5087">
</pre>
<pre class="" ng-bind-html="message.MMActualContent" style="margin-top: 0px; margin-bottom: 0px; font-family: inherit; word-break: initial; line-height: 22.4px; background-color: rgb(178, 226, 129);" id="yui_3_16_0_1_1452945384142_5087">In this case, we use the same account to log in from different clients at the same time. That is, we may use two machines' browsers to try to log in to the same IDP account.</pre>
<pre class="" ng-bind-html="message.MMActualContent" style="margin-top: 0px; margin-bottom: 0px; font-family: inherit; word-break: initial; line-height: 22.4px; background-color: rgb(178, 226, 129);" id="yui_3_16_0_1_1452945384142_5087">I am not sure whether this is a legal case or not.</pre>
<pre class="" ng-bind-html="message.MMActualContent" style="margin-top: 0px; margin-bottom: 0px; font-family: inherit; word-break: initial; line-height: 22.4px; background-color: rgb(178, 226, 129);" id="yui_3_16_0_1_1452945384142_5087">
</pre>
<pre class="" ng-bind-html="message.MMActualContent" style="margin-top: 0px; margin-bottom: 0px; font-family: inherit; word-break: initial; line-height: 22.4px; background-color: rgb(178, 226, 129);" id="yui_3_16_0_1_1452945384142_5087">Thanks a lot</pre>
<pre class="" ng-bind-html="message.MMActualContent" style="margin-top: 0px; margin-bottom: 0px; font-family: inherit; word-break: initial; line-height: 22.4px; background-color: rgb(178, 226, 129);" id="yui_3_16_0_1_1452945384142_5087">
</pre>
<pre class="" ng-bind-html="message.MMActualContent" style="margin-top: 0px; margin-bottom: 0px; font-family: inherit; word-break: initial; line-height: 22.4px; background-color: rgb(178, 226, 129);" id="yui_3_16_0_1_1452945384142_5087">
</pre>
</div>
</div>
</div>
</div>
<div class=".yiv0700961759yahoo_quoted">
<div style="font-family:garamond, new york, times,
serif;font-size:14px;">
<div style="font-family:HelveticaNeue, Helvetica Neue,
Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px;">
<div dir="ltr"><font size="2" face="Arial"> On Saturday,
January 16, 2016 1:26 PM, Mai Zi
<a class="moz-txt-link-rfc2396E" href="mailto:ornot2008@yahoo.com">&lt;ornot2008@yahoo.com&gt;</a> wrote:<br clear="none">
</font></div>
<br clear="none">
<br clear="none">
<div class="yiv0700961759y_msg_container">
<div id="yiv0700961759">
<div>
<div
style="color:#000;background-color:#fff;font-family:garamond,
new york, times, serif;font-size:14px;">
<div id="yiv0700961759">
<div
id="yiv0700961759yui_3_16_0_1_1452921064910_2614">
<div
id="yiv0700961759yui_3_16_0_1_1452921064910_2613"
style="color:#000;background-color:#fff;font-family:garamond,
new york, times, serif;font-size:14px;">
<div id="yiv0700961759">
<div
id="yiv0700961759yui_3_16_0_1_1452917054385_2655">
<div
id="yiv0700961759yui_3_16_0_1_1452917054385_2654"
style="color:#000;background-color:#fff;font-family:garamond,
new york, times,
serif;font-size:14px;">
<div
id="yiv0700961759yui_3_16_0_1_1452828954911_3559"><br
clear="none">
</div>
<div dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559">We
use 1.7.0 final as SP to broker a
SAML 2.0 IDP. We secure the realm
for several clients.</div>
<div dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559">Here
is the demo link: <a
moz-do-not-send="true"
rel="nofollow" shape="rect"
id="yiv0700961759yui_3_16_0_1_1452921064910_2872"
target="_blank"
href="http://unihr.chinacloudapp.cn/campusNav/index.html?locale=en">http://unihr.chinacloudapp.cn/campusNav/index.html?locale=en</a></div>
<div dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559"><br
clear="none">
</div>
<div dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559">The
test account is </div>
<div dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559"><br
clear="none">
</div>
<div dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559">ID
: S2\Testnew2</div>
<div class="yiv0700961759" dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559">Password
: Daksh@123 </div>
<div class="yiv0700961759" dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559"><br
clear="none">
</div>
<div class="yiv0700961759" dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559">We
found Keycloak does not work stably.
The response will be dead from
time to time.</div>
<div class="yiv0700961759" dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559"><br
clear="none">
</div>
<div class="yiv0700961759" dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559">Pls
take a try and help us. Let me know
what info you need.</div>
<div class="yiv0700961759" dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559"><br
clear="none">
</div>
<div class="yiv0700961759" dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559"><br
clear="none">
</div>
<div class="yiv0700961759" dir="ltr"
id="yiv0700961759yui_3_16_0_1_1452828954911_3559">Mai</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
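<p>The reply above says the IdP must hand RelayState back as is. As an added example (not part of the original thread and not Keycloak code), the Python below compares the RelayState sent with the AuthnRequest to the form body posted back to the SP and names the kind of change; it goes beyond the thread by also flagging values over the 80-byte limit in the SAML 2.0 bindings. The function names, the sample token and the sample bodies are constructed for illustration.</p>
<pre>
```python
from urllib.parse import parse_qs, unquote_plus, urlencode

# SAML 2.0 Bindings limits RelayState to 80 bytes; longer values risk being cut.
RELAYSTATE_MAX_BYTES = 80


def returned_relay_state(post_body):
    """RelayState posted back to the SP; None if absent, empty or repeated."""
    values = parse_qs(post_body, keep_blank_values=True).get("RelayState", [])
    return values[0] if len(values) == 1 and values[0] else None


def classify_relay_state(sent, post_body):
    """Compare the value sent with the AuthnRequest against what came back."""
    got = returned_relay_state(post_body)
    if got is None:
        return "missing"
    if got == sent:
        return "ok"
    if sent.startswith(got):
        return "truncated"
    if got == unquote_plus(sent) or unquote_plus(got) == sent:
        return "re-encoded"  # decoded or encoded one extra time on the way
    return "replaced"


def oversize(sent):
    """True when the SP itself sends more than the binding allows."""
    return len(sent.encode("utf-8")) > RELAYSTATE_MAX_BYTES


def body(relay_state=None):
    """Constructed form body as a browser would post it to the SP endpoint."""
    fields = {"SAMLResponse": "PLACEHOLDER"}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)


# Constructed sample data: an opaque state token and five hypothetical replies.
SENT = "c2Vzc2lvbg+7/Qk9=.a41f"
SAMPLES = {
    "exact echo": body(SENT),
    "dropped": body(),
    "cut short": body(SENT[:10]),
    "decoded once more": body(unquote_plus(SENT)),
    "own value": body("/idp/landing"),
}
print({k: classify_relay_state(SENT, v) for k, v in SAMPLES.items()})
```
</pre>
<p>Anything other than "ok" for a real capture means the broker cannot match the response to the login it started.</p>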
</body>
</html>