<html><head></head><body><div style="color:#000; background-color:#fff; font-family:garamond, new york, times, serif;font-size:14px"><pre id="yui_3_16_0_1_1452996626300_3165" class="">Hi, B.B.</pre><pre id="yui_3_16_0_1_1452996626300_3165" class="">1) You mention "The external SAML IDP is not setting RelayState correctly. It is
supposed to pass it as is."</pre><pre id="yui_3_16_0_1_1452996626300_3165" class=""><br></pre><pre id="yui_3_16_0_1_1452996626300_3165" class="">From our observation, in most of time, the broke keycloak works well, but at some</pre><pre id="yui_3_16_0_1_1452996626300_3165" class="">point, once an error occurs, then the state will go into a mess unless you restart the </pre><pre id="yui_3_16_0_1_1452996626300_3165" class="">keycloak. Suppose this is caused by incorrect relaystate of IDP and given the external </pre><pre id="yui_3_16_0_1_1452996626300_3165" class="">idp is a ADFS, what we can tell to the ADFS admin to fix this ? Sorry we are not very </pre><pre id="yui_3_16_0_1_1452996626300_3165" class="">familiar with this field and need your help. </pre><pre id="yui_3_16_0_1_1452996626300_3165" class=""><br></pre><pre id="yui_3_16_0_1_1452996626300_3165" class="">2) we also observe there is a WARN in the log as below, </pre><pre id="yui_3_16_0_1_1452996626300_3165" class=""> 23:13:29,867 WARN [org.keycloak.events] (default task-1) type=CODE_TO_TOKEN_ERROR, realmId=UnileverHR, clientId=hrhelperNav, userId=00412ef1-69d8-4d21-84a4-e027dd161d38, ipAddress=42.159.242.241, error=invalid_code, grant_type=authorization_code, code_id=a1679537-3577-4aa6-8dcd-13bc3804f99c, client_auth_method=client-secret</pre><pre id="yui_3_16_0_1_1452996626300_3165" class=""> </pre><pre id="yui_3_16_0_1_1452996626300_3165" class=""> This warn will mean something?</pre><pre id="yui_3_16_0_1_1452996626300_3165" class=""><br></pre><pre id="yui_3_16_0_1_1452996626300_3165" class="">3) In our current IDP broke case, in the admin console, realm settings---Tokens tab, there are several configurations.</pre><pre id="yui_3_16_0_1_1452996626300_3165" class=""> what is the relationship with the IDP 's ? Or , in broke model, it is not necessary to set them ?</pre><pre id="yui_3_16_0_1_1452996626300_3165" class=""><br></pre><pre id="yui_3_16_0_1_1452996626300_3165" class=""><br></pre><pre id="yui_3_16_0_1_1452996626300_3165" class=""><br></pre> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: garamond, new york, times, serif; font-size: 14px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Saturday, January 16, 2016 9:34 PM, Mai Zi <ornot2008@yahoo.com> wrote:<br></font></div> <br><br> <div class="y_msg_container"><div id="yiv4362621153"><div><div style="color:#000;background-color:#fff;font-family:garamond, new york, times, serif;font-size:14px;"><div id="yiv4362621153"><div id="yiv4362621153yui_3_16_0_1_1452945384142_4965"><div id="yiv4362621153yui_3_16_0_1_1452945384142_4964" style="color:#000;background-color:#fff;font-family:garamond, new york, times, serif;font-size:14px;"><div><span></span></div> <div class="yiv4362621153qtdSeparateBR" id="yiv4362621153yui_3_16_0_1_1452945384142_4963"><br clear="none">One observation from keycloak log is as below:</div><div class="yiv4362621153qtdSeparateBR" id="yiv4362621153yui_3_16_0_1_1452945384142_4963"><br clear="none"></div><div class="yiv4362621153qtdSeparateBR" dir="ltr" id="yiv4362621153yui_3_16_0_1_1452945384142_4963"><pre class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5087" style="margin-top:0px;margin-bottom:0px;font-family:inherit;line-height:22.4px;background-color:rgb(178, 226, 129);">2016-01-16 18:12:33,067 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=UnileverHR, clientId=null, userId=null, ipAddress=180.107.103.49, error=identityProviderAuthenticationFailedMessage<br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5089">2016-01-16 18:12:33,071 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-30) identityProviderAuthenticationFailedMessage:<a rel="nofollow" shape="rect" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5091" target="_blank" href="https://wx.qq.com/cgi-bin/mmwebwx-bin/webwxcheckurl?requrl=http%3A%2F%2Forg.keycloak.broker.provider.IdentityBrokerException%3A&skey=%40crypt_5dff0e86_317d3ab0e7e7186d5f1a7c87efc2d00e&deviceid=e753915105247870&pass_ticket=f2AsJOGfLeHD4CuiAowWLpF1jRIaoM1Zds568vAnF0YIqN3jz7HlinFX%252FfeGpkyE&opcode=2&scene=1&username=@8cc004f3d0e8453f3484410d6e869bb5e6bfebf1d5f0f863c368da5d91f28ca2" style="outline-width:0px;"> org.keycloak.broker.provider.IdentityBrokerException:</a> Invalid code, please login again through your client.<br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5093"> at org.keycloak.services.resources.IdentityBrokerService.parseClientSessionCode(IdentityBrokerService.java:551)<br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5095"> at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:251)<br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5097"> at<a rel="nofollow" shape="rect" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5099" target="_blank" href="https://wx.qq.com/cgi-bin/mmwebwx-bin/webwxcheckurl?requrl=http%3A%2F%2Forg.keycloak.broker.saml.SAMLEndpoint&skey=%40crypt_5dff0e86_317d3ab0e7e7186d5f1a7c87efc2d00e&deviceid=e753915105247870&pass_ticket=f2AsJOGfLeHD4CuiAowWLpF1jRIaoM1Zds568vAnF0YIqN3jz7HlinFX%252FfeGpkyE&opcode=2&scene=1&username=@8cc004f3d0e8453f3484410d6e869bb5e6bfebf1d5f0f863c368da5d91f28ca2" style="outline-width:0px;"> org.keycloak.broker.saml.SAMLEndpoint</a>$Binding.handleLoginResponse(SAMLEndpoint.java:319)<br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5101"> at<a rel="nofollow" shape="rect" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5103" target="_blank" href="https://wx.qq.com/cgi-bin/mmwebwx-bin/webwxcheckurl?requrl=http%3A%2F%2Forg.keycloak.broker.saml.SAMLEndpoint&skey=%40crypt_5dff0e86_317d3ab0e7e7186d5f1a7c87efc2d00e&deviceid=e753915105247870&pass_ticket=f2AsJOGfLeHD4CuiAowWLpF1jRIaoM1Zds568vAnF0YIqN3jz7HlinFX%252FfeGpkyE&opcode=2&scene=1&username=@8cc004f3d0e8453f3484410d6e869bb5e6bfebf1d5f0f863c368da5d91f28ca2" style="outline-width:0px;"> org.keycloak.broker.saml.SAMLEndpoint</a>$Binding.handleSamlResponse(SAMLEndpoint.java:350)<br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5105"> at<a rel="nofollow" shape="rect" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5107" target="_blank" href="https://wx.qq.com/cgi-bin/mmwebwx-bin/webwxcheckurl?requrl=http%3A%2F%2Forg.keycloak.broker.saml.SAMLEndpoint&skey=%40crypt_5dff0e86_317d3ab0e7e7186d5f1a7c87efc2d00e&deviceid=e753915105247870&pass_ticket=f2AsJOGfLeHD4CuiAowWLpF1jRIaoM1Zds568vAnF0YIqN3jz7HlinFX%252FfeGpkyE&opcode=2&scene=1&username=@8cc004f3d0e8453f3484410d6e869bb5e6bfebf1d5f0f863c368da5d91f28ca2" style="outline-width:0px;"> org.keycloak.broker.saml.SAMLEndpoint</a>$Binding.execute(SAMLEndpoint.java:165)<br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5109"> at<a rel="nofollow" shape="rect" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5111" target="_blank" href="https://wx.qq.com/cgi-bin/mmwebwx-bin/webwxcheckurl?requrl=http%3A%2F%2Forg.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java%3A113)&skey=%40crypt_5dff0e86_317d3ab0e7e7186d5f1a7c87efc2d00e&deviceid=e753915105247870&pass_ticket=f2AsJOGfLeHD4CuiAowWLpF1jRIaoM1Zds568vAnF0YIqN3jz7HlinFX%252FfeGpkyE&opcode=2&scene=1&username=@8cc004f3d0e8453f3484410d6e869bb5e6bfebf1d5f0f863c368da5d91f28ca2" style="outline-width:0px;"> org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:113)</a><br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5113"> at<a rel="nofollow" shape="rect" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5115" target="_blank" href="https://wx.qq.com/cgi-bin/mmwebwx-bin/webwxcheckurl?requrl=http%3A%2F%2Fsun.reflect.GeneratedMethodAccessor73.invoke(Unknown&skey=%40crypt_5dff0e86_317d3ab0e7e7186d5f1a7c87efc2d00e&deviceid=e753915105247870&pass_ticket=f2AsJOGfLeHD4CuiAowWLpF1jRIaoM1Zds568vAnF0YIqN3jz7HlinFX%252FfeGpkyE&opcode=2&scene=1&username=@8cc004f3d0e8453f3484410d6e869bb5e6bfebf1d5f0f863c368da5d91f28ca2" style="outline-width:0px;"> sun.reflect.GeneratedMethodAccessor73.invoke(Unknown</a> Source)<br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5117"> at<a rel="nofollow" shape="rect" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5119" target="_blank" href="https://wx.qq.com/cgi-bin/mmwebwx-bin/webwxcheckurl?requrl=http%3A%2F%2Fsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java%3A43)&skey=%40crypt_5dff0e86_317d3ab0e7e7186d5f1a7c87efc2d00e&deviceid=e753915105247870&pass_ticket=f2AsJOGfLeHD4CuiAowWLpF1jRIaoM1Zds568vAnF0YIqN3jz7HlinFX%252FfeGpkyE&opcode=2&scene=1&username=@8cc004f3d0e8453f3484410d6e869bb5e6bfebf1d5f0f863c368da5d91f28ca2" style="outline-width:0px;"> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</a><br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5121"> at<a rel="nofollow" shape="rect" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5123" target="_blank" href="https://wx.qq.com/cgi-bin/mmwebwx-bin/webwxcheckurl?requrl=http%3A%2F%2Fjava.lang.reflect.Method.invoke(Method.java%3A606)&skey=%40crypt_5dff0e86_317d3ab0e7e7186d5f1a7c87efc2d00e&deviceid=e753915105247870&pass_ticket=f2AsJOGfLeHD4CuiAowWLpF1jRIaoM1Zds568vAnF0YIqN3jz7HlinFX%252FfeGpkyE&opcode=2&scene=1&username=@8cc004f3d0e8453f3484410d6e869bb5e6bfebf1d5f0f863c368da5d91f28ca2" style="outline-width:0px;"> java.lang.reflect.Method.invoke(Method.java:606)</a><br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5125"> at<a rel="nofollow" shape="rect" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5127" target="_blank" href="https://wx.qq.com/cgi-bin/mmwebwx-bin/webwxcheckurl?requrl=http%3A%2F%2Forg.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java%3A137)&skey=%40crypt_5dff0e86_317d3ab0e7e7186d5f1a7c87efc2d00e&deviceid=e753915105247870&pass_ticket=f2AsJOGfLeHD4CuiAowWLpF1jRIaoM1Zds568vAnF0YIqN3jz7HlinFX%252FfeGpkyE&opcode=2&scene=1&username=@8cc004f3d0e8453f3484410d6e869bb5e6bfebf1d5f0f863c368da5d91f28ca2" style="outline-width:0px;"> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)</a><br clear="none" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5129"> at<a rel="nofollow" shape="rect" class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5131" target="_blank" href="https://wx.qq.com/cgi-bin/mmwebwx-bin/webwxcheckurl?requrl=http%3A%2F%2Forg.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java%3A296)&skey=%40crypt_5dff0e86_317d3ab0e7e7186d5f1a7c87efc2d00e&deviceid=e753915105247870&pass_ticket=f2AsJOGfLeHD4CuiAowWLpF1jRIaoM1Zds568vAnF0YIqN3jz7HlinFX%252FfeGpkyE&opcode=2&scene=1&username=@8cc004f3d0e8453f3484410d6e869bb5e6bfebf1d5f0f863c368da5d91f28ca2" style="outline-width:0px;"> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)</a></pre><pre class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5087" style="margin-top:0px;margin-bottom:0px;font-family:inherit;line-height:22.4px;background-color:rgb(178, 226, 129);"><br clear="none"></pre><pre class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5087" style="margin-top:0px;margin-bottom:0px;font-family:inherit;line-height:22.4px;background-color:rgb(178, 226, 129);"><br clear="none"></pre><pre class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5087" style="margin-top:0px;margin-bottom:0px;font-family:inherit;line-height:22.4px;background-color:rgb(178, 226, 129);">In this case, we use the same account to lgoin from different clients at the same time. That is ,we may use two machines's browser to try to login into the same IDP account. </pre><pre class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5087" style="margin-top:0px;margin-bottom:0px;font-family:inherit;line-height:22.4px;background-color:rgb(178, 226, 129);">I am not sure this is a legal case or not . </pre><pre class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5087" style="margin-top:0px;margin-bottom:0px;font-family:inherit;line-height:22.4px;background-color:rgb(178, 226, 129);"><br clear="none"></pre><pre class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5087" style="margin-top:0px;margin-bottom:0px;font-family:inherit;line-height:22.4px;background-color:rgb(178, 226, 129);">Thanks a lot</pre><pre class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5087" style="margin-top:0px;margin-bottom:0px;font-family:inherit;line-height:22.4px;background-color:rgb(178, 226, 129);"><br clear="none"></pre><pre class="yiv4362621153" id="yiv4362621153yui_3_16_0_1_1452945384142_5087" style="margin-top:0px;margin-bottom:0px;font-family:inherit;line-height:22.4px;background-color:rgb(178, 226, 129);"><br clear="none"></pre></div><div class="yiv4362621153yqt6421535089" id="yiv4362621153yqt14815"></div></div></div></div><div class="yiv4362621153yqt5298104396" id="yiv4362621153yqt61484"><div> <div style="font-family:garamond, new york, times, serif;font-size:14px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr"><font size="2" face="Arial"> On Saturday, January 16, 2016 1:26 PM, Mai Zi <ornot2008@yahoo.com> wrote:<br clear="none"></font></div> <br clear="none"><br clear="none"> <div class="yiv4362621153y_msg_container"><div id="yiv4362621153"><div><div style="color:#000;background-color:#fff;font-family:garamond, new york, times, serif;font-size:14px;"><div id="yiv4362621153"><div id="yiv4362621153yui_3_16_0_1_1452921064910_2614"><div id="yiv4362621153yui_3_16_0_1_1452921064910_2613" style="color:#000;background-color:#fff;font-family:garamond, new york, times, serif;font-size:14px;"><div id="yiv4362621153"><div id="yiv4362621153yui_3_16_0_1_1452917054385_2655"><div id="yiv4362621153yui_3_16_0_1_1452917054385_2654" style="color:#000;background-color:#fff;font-family:garamond, new york, times, serif;font-size:14px;"><div id="yiv4362621153yui_3_16_0_1_1452828954911_3559"><br clear="none"></div><div dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559">We user 1.7.0 final as SP to broke a SAML 2.0 IDP. We secure the realm for several clients . </div><div dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559">Here is the demo link : <a rel="nofollow" shape="rect" id="yiv4362621153yui_3_16_0_1_1452921064910_2872" target="_blank" href="http://unihr.chinacloudapp.cn/campusNav/index.html?locale=en">http://unihr.chinacloudapp.cn/campusNav/index.html?locale=en</a></div><div dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559"><br clear="none"></div><div dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559">The test account is </div><div dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559"><br clear="none"></div><div dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559">ID : S2\Testnew2</div><div class="yiv4362621153" dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559">Password : Daksh@123 </div><div class="yiv4362621153" dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559"><br clear="none"></div><div class="yiv4362621153" dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559">We found keycloak works not stably . The response will be dead from time to time. </div><div class="yiv4362621153" dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559"><br clear="none"></div><div class="yiv4362621153" dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559">Pls take a try and help us . let me know what info you need.</div><div class="yiv4362621153" dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559"><br clear="none"></div><div class="yiv4362621153" dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559"><br clear="none"></div><div class="yiv4362621153" dir="ltr" id="yiv4362621153yui_3_16_0_1_1452828954911_3559">Mai</div></div></div></div></div></div></div></div></div></div><br clear="none"><br clear="none"></div> </div> </div> </div></div></div></div></div><br><br></div> </div> </div> </div></div></body></html>