<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Just create a detailed jira on how we can make this easier.<br>
<br>
<div class="moz-cite-prefix">On 2/11/2016 11:21 AM, Steve Nolen
wrote:<br>
</div>
<blockquote
cite="mid:CAC_FVB5GSSM_PGBYCWPUHy_SPJ_aO=z-yyy3O2WQ1-BLfGsCkA@mail.gmail.com"
type="cite">
<div dir="ltr">Sounds like you've got quite some experience with
this!! I would certainly be happy to share any steps/procedure I
use when I'm successful!
<div><br>
</div>
<div><span style="line-height:1.5">> Next step for me is to
fork the saml provider of keycloak to built a dedicated
shibboleth one.</span></div>
<div><span style="line-height:1.5">This is good news as well.
I've noticed that a very large percentage of people creating
SPs for shibboleth tend to use the standard shibd/apache
setup so as to avoid touching shibboleth as much as
possible. It would be fantastic to be able use keycloak in
place of that where possible!</span></div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Feb 11, 2016 at 8:14 AM Jérôme Blanchard
<<a moz-do-not-send="true" href="mailto:jayblanc@gmail.com">jayblanc@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hi Steve, <br>
<br>
</div>
I spent some time in order to integrate into the
Renater federation (French research Shibboleth
federation) because keycloak does not handle the
discovery service that parses the WAYF...<br>
</div>
So I have developed a small app to parse this file
and synchronize my 250 IdPs into keycloak !! I also
customized the template in order to build a choice
list taking info from my discovery app.<br>
</div>
Next step for me is to fork the saml provider of
keycloak to build a dedicated shibboleth one. <br>
</div>
You probably faced some issues about transient nameid
because the shibboleth federation does not give a
persistent nameId but a transient one, and because
keycloak needs to associate the IdP/nameId with a real
keycloak account, a transient nameid results in a new
account for each new shibboleth IdP session...<br>
</div>
You have to rely on an attribute, eduPersonTargetedID, but
this attribute is a complex type and the keycloak SAML
attribute parser can't handle it correctly. I have made
a small patch also to avoid problems with that and to
ensure the mapping between this attribute and the
nameID.</div>
<div><br>
</div>
By the way, I'm interested, if you succeed, in sharing
some tips and enlarging the knowledge base about those
aspects around Shibboleth and keycloak.<br>
<br>
</div>
Best regards, Jérôme.<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Feb 11, 2016 at 17:04, Steve Nolen
<<a moz-do-not-send="true"
href="mailto:technolengy@gmail.com" target="_blank">technolengy@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Jérôme!
<div><br>
</div>
<div>Thanks so much for the details! </div>
<div><br>
</div>
<div>Perhaps the issue when uploading was actually the
other issue I stumbled upon in this endeavor! When
attempting to upload the keycloak sp metadata to <a
moz-do-not-send="true" href="http://testshib.org"
target="_blank">testshib.org</a>, I received a
malformed metadata error, the <a
moz-do-not-send="true" href="http://testshib.org"
target="_blank">testshib.org</a> folks noted that
the SingleLogoutService element must come before the
NameID element (they also suggested removing the
newline and whitespace from NameID, which existed in
my keycloak sp metadata).</div>
<div><br>
</div>
<div>Once I modified those I was able to upload at
least. I suppose the ordering/newline issues may be a
fixable issue for keycloak. </div>
<div><br>
</div>
<div>As for the signing issue, I think I'll give up on
using the testshib instance (I did try to re-upload
with your authn suggestion after fixing the
SingleLogoutService and NameID issues I mentioned
above) and did receive an invalid metadata error. I
appreciate your help though, and I'm sure that
integrating with a univ IdP as I intend to will be a
bit easier!</div>
</div>
<div dir="ltr">
<div><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Feb 11, 2016 at 3:20 AM Jérôme
Blanchard <<a moz-do-not-send="true"
href="mailto:jayblanc@gmail.com" target="_blank">jayblanc@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>I'm able to reproduce your bug.<br>
</div>
Running the authentication in debug mode with a
breakpoint in AssertionUtil.getAssertion() shows
that the IdP refuses to use an unencrypted
response: <br>
<br>
StatusType [statusCode=StatusCodeType
[value=urn:oasis:names:tc:SAML:2.0:status:Responder,
statusCode=null], statusMessage=Unable to
encrypt assertion, statusDetail=null]<br>
<br>
</div>
By the way, when I try to use Want
AuthnRequests Signed = true, I can't upload the
configuration to the testshib site because it
considers the file as not well-formed !!<br>
<br>
</div>
<div>I'm sorry, but it seems that the
configuration of the testshib is very tightly
coupled to shibboleth... Maybe you could try
with your own instance of an IdP.<br>
<br>
</div>
<div>Best regards, Jérôme.<br>
</div>
</div>
<div dir="ltr">
<div>
<div>
<div>
<div dir="ltr">
<div>
<div>
<div><br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Feb 10,
2016 at 17:03, Steve Nolen <<a
moz-do-not-send="true"
href="mailto:technolengy@gmail.com"
target="_blank">technolengy@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">Hi Jérôme,
<div><br>
<div>Thanks for the help! I
swapped the NameId in
keycloak for this broker
to unspecified (I uploaded
my sp metadata to <a
moz-do-not-send="true"
href="http://testshib.org"
target="_blank">testshib.org</a>
again as well just in
case) and am still
receiving the same error.</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Feb 10,
2016 at 1:10 AM Jérôme
Blanchard <<a
moz-do-not-send="true"
href="mailto:jayblanc@gmail.com"
target="_blank">jayblanc@gmail.com</a>>
wrote:<br>
</div>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>Hi Steve, <br>
<br>
</div>
I'm using Keycloak as
a shibboleth SP in a
federation (Renater)
and It's working fine.
The problem you
encounter comes from
the fact that you ask
for a persistent
nameId in the config
of your SP and,
according to the
provider details, it's
only able to send
transient nameId.<br>
</div>
Fill the parameter of
nameId with undefined and
check the authentication
again.<br>
</div>
<br>
<div>Best regards, Jérôme.<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Feb 10,
2016 at 03:57,
Steve Nolen <<a
moz-do-not-send="true"
href="mailto:technolengy@gmail.com" target="_blank">technolengy@gmail.com</a>>
wrote:<br>
</div>
</div>
<div class="gmail_quote">
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">Hi!
<div><br>
</div>
<div>First of all,
keycloak is
legitimately
awesome!</div>
<div><br>
</div>
<div>I was attempting
to test the use of
keycloak as a
shibboleth SP today
(testing against the
<a
moz-do-not-send="true"
href="http://testshib.org" target="_blank">testshib.org</a> test IdP)
and am having some
trouble.</div>
<div><br>
</div>
<div>Keycloak Version:
1.9.0CR1 (using it
on openshift
currently)</div>
<div><br>
</div>
<div>Both sides seem
to be set up as they
should (I used the
testshib endpoint to
import the settings
to keycloak). I'm
able to take the
redirect over to
idp.testshib but on
logging in I get a
500 Internal Server
Error from
keycloak. The
message is "No
Assertion from
response" (stack
trace below).</div>
<div><br>
</div>
<div>Any thoughts on
what might be
missing?</div>
<div><br>
</div>
<div>==== stack trace
====</div>
<div><a
moz-do-not-send="true"
href="http://pastebin.com/3tsApUKK" target="_blank">http://pastebin.com/3tsApUKK</a><br>
</div>
<div><br>
</div>
<div>==== broker
details ====</div>
<div>
<div><a
moz-do-not-send="true"
href="https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor"
target="_blank">https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor</a><br>
</div>
<div><br>
</div>
<div>==== provider
details ====</div>
<div><a
moz-do-not-send="true"
href="https://www.testshib.org/metadata/testshib-providers.xml"
target="_blank">https://www.testshib.org/metadata/testshib-providers.xml</a><br>
</div>
<div><br>
</div>
<div>Thank you!</div>
<div>Steve</div>
</div>
</div>
</blockquote>
</div>
<div class="gmail_quote">
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
_______________________________________________<br>
keycloak-user mailing
list<br>
<a
moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a
moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
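<p>The transient-NameID problem Jérôme describes, as an added example that is not part of the thread or of Keycloak's own code: when the Subject NameID is transient, take the identifier from eduPersonTargetedID, whose AttributeValue wraps a saml:NameID element rather than a string. The assertion, entity IDs and values are constructed for the example; the scoped string form NameQualifier!SPNameQualifier!value follows the eduPerson convention.</p>

```python
"""Choose a stable subject identifier from a SAML assertion whose Subject NameID is
transient by falling back to eduPersonTargetedID, whose AttributeValue wraps a
saml:NameID element (a complex type) instead of a plain string."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID

# Constructed sample (not from the thread): transient subject plus an eduPersonTargetedID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3d4</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                     NameQualifier="https://idp.example.edu/idp/shibboleth"
                     SPNameQualifier="https://sp.example.org/sp">abc123</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def stable_subject_id(assertion_xml):
    """Return (identifier, name_format). The Subject NameID is used as-is unless it is
    transient; then the nested NameID of eduPersonTargetedID is rendered in the scoped
    form NameQualifier!SPNameQualifier!value so values from different IdPs never collide."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject/saml:NameID", NS)
    if subject is not None and subject.get("Format") != TRANSIENT:
        return (subject.text or "").strip(), subject.get("Format", "")
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != EPTID_OID:
            continue
        nested = attr.find("saml:AttributeValue/saml:NameID", NS)  # complex value, not text
        if nested is None or not (nested.text or "").strip():
            continue
        scoped = "!".join([nested.get("NameQualifier", ""),
                           nested.get("SPNameQualifier", ""),
                           nested.text.strip()])
        return scoped, nested.get("Format", "")
    raise ValueError("Subject NameID is transient and no usable eduPersonTargetedID was sent")


if __name__ == "__main__":
    print(stable_subject_id(SAMPLE_ASSERTION))
```

<p>Refusing the login (the ValueError) rather than creating an account per session is the safer failure mode when neither identifier is usable.</p>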
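<p>The two metadata defects testshib.org reported to Steve (SingleLogoutService placed after NameIDFormat, and whitespace inside NameIDFormat), checked and corrected in an added example that is not Keycloak's code and not the thread's metadata; the SP metadata, entity ID and endpoints are constructed, and the child order is the sequence the SAML 2.0 metadata schema defines for SPSSODescriptor.</p>

```python
"""Check an SPSSODescriptor against the SAML 2.0 metadata schema's child sequence and
strip whitespace around NameIDFormat text, the two things testshib.org rejected above."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)  # keep the md: prefix when serialising
# Child order required by the schema: RoleDescriptorType, then SSODescriptorType,
# then the SP-specific elements.
SP_ORDER = ["Signature", "Extensions", "KeyDescriptor", "Organization", "ContactPerson",
            "ArtifactResolutionService", "SingleLogoutService", "ManageNameIDService",
            "NameIDFormat", "AssertionConsumerService", "AttributeConsumingService"]

# Constructed sample (not the metadata from the thread) showing both defects.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    </md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/sp/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/sp/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def local_name(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} part of an ElementTree tag


def ordering_errors(metadata_xml):
    """Names of SPSSODescriptor children that appear after a sibling the schema puts later."""
    errors = []
    for sp in ET.fromstring(metadata_xml).iter(f"{{{MD}}}SPSSODescriptor"):
        highest = -1
        for child in sp:
            pos = SP_ORDER.index(local_name(child.tag))  # unknown element raises ValueError
            if pos < highest:
                errors.append(local_name(child.tag))
            highest = max(highest, pos)
    return errors


def normalize(metadata_xml):
    """Return the metadata re-serialised with NameIDFormat text trimmed and children in schema order."""
    root = ET.fromstring(metadata_xml)
    for sp in root.iter(f"{{{MD}}}SPSSODescriptor"):
        for fmt in sp.findall(f"{{{MD}}}NameIDFormat"):
            fmt.text = (fmt.text or "").strip()
        children = sorted(list(sp), key=lambda c: SP_ORDER.index(local_name(c.tag)))
        for child in list(sp):
            sp.remove(child)
        sp.extend(children)  # sorted() is stable, so same-name elements keep their order
    return ET.tostring(root, encoding="unicode")
```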
</body>
</html>