<div dir="ltr">Hi Jérôme!<div><br></div><div>Thanks so much for the details! </div><div><br></div><div>Perhaps the issue when uploading was actually the other issue I stumbled upon in this endeavor! When attempting to upload the keycloak SP metadata to <a href="http://testshib.org" target="_blank">testshib.org</a>, I received a malformed metadata error; the <a href="http://testshib.org" target="_blank">testshib.org</a> folks noted that the SingleLogoutService element must come before the NameID element (they also suggested removing the newline and whitespace from NameID, which existed in my keycloak SP metadata).</div><div><br></div><div>Once I modified those I was able to upload at least. I suppose the ordering/newline issues may be a fixable issue for keycloak. </div><div><br></div><div>As for the signing issue, I think I'll give up on using the testshib instance (I did try to re-upload with your authn suggestion after fixing the SingleLogoutService and NameID issues I mentioned above) and did receive an invalid metadata error. 
I appreciate your help though, and I'm sure that integrating with a univ IdP as I intend to will be a bit easier!</div><div><br></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Feb 11, 2016 at 3:20 AM Jérôme Blanchard <<a href="mailto:jayblanc@gmail.com" target="_blank">jayblanc@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>I'm able to reproduce your bug.<br></div>Making authentication using debug mode with a break point in AssertionUtil.getAssertion() shows that the IdP refuses to use an unencrypted response:<br><br>StatusType [statusCode=StatusCodeType [value=urn:oasis:names:tc:SAML:2.0:status:Responder, statusCode=null], statusMessage=Unable to encrypt assertion, statusDetail=null]<br><br></div>By the way, when I try to use the Want AuthnRequests Signed= true, I can't upload the configuration to the testshib site because it considers the file as not well-formed!!<br><br></div><div>I'm sorry, but it seems that the configuration of the testshib is very well coupled to shibboleth... Maybe you could try with your own instance of an IdP.<br><br></div><div>Best regards, Jérôme.<br></div></div><div dir="ltr"><div><div><div><div dir="ltr"><div><div><div><br><div class="gmail_quote"><div dir="ltr">On Wed, Feb 10, 2016 at 17:03, Steve Nolen <<a href="mailto:technolengy@gmail.com" target="_blank">technolengy@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Jérôme,<div><br><div>Thanks for the help! 
I swapped the NameId in keycloak for this broker to unspecified (I uploaded my SP metadata to <a href="http://testshib.org" target="_blank">testshib.org</a> again as well just in case) and am still receiving the same error.</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard <<a href="mailto:jayblanc@gmail.com" target="_blank">jayblanc@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi Steve, <br><br></div>I'm using Keycloak as a shibboleth SP in a federation (Renater) and it's working fine. The problem you encounter comes from the fact that you ask for a persistent nameId in the config of your SP and, according to the provider details, it's only able to send a transient nameId.<br></div>Set the nameId parameter to undefined and check the authentication again.<br></div><br><div>Best regards, Jérôme.<br></div></div><br><div class="gmail_quote"></div><div class="gmail_quote"><div dir="ltr">On Wed, Feb 10, 2016 at 03:57, Steve Nolen <<a href="mailto:technolengy@gmail.com" target="_blank">technolengy@gmail.com</a>> wrote:<br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi!<div><br></div><div>First of all, keycloak is legitimately awesome!</div><div><br></div><div>I was attempting to test the use of keycloak as a shibboleth SP today (testing against the <a href="http://testshib.org" target="_blank">testshib.org</a> test IdP) and am having some trouble.</div><div><br></div><div>Keycloak Version: 1.9.0CR1 (using it on openshift currently)</div><div><br></div><div>Both sides seem to be set up as they should (I used the testshib endpoint to import the settings to keycloak). I'm able to take the redirect over to idp.testshib but on logging in I get a 500 Internal Server Error from keycloak. 
The message is "No Assertion from response" (stack trace below).</div><div><br></div><div>Any thoughts on what might be missing?</div><div><br></div><div>==== stack trace ====</div><div><a href="http://pastebin.com/3tsApUKK" target="_blank">http://pastebin.com/3tsApUKK</a><br></div><div><br></div><div>==== broker details ====</div><div><div><a href="https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor" target="_blank">https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor</a><br></div><div><br></div><div>==== provider details ====</div><div><a href="https://www.testshib.org/metadata/testshib-providers.xml" target="_blank">https://www.testshib.org/metadata/testshib-providers.xml</a><br></div><div><br></div><div>Thank you!</div><div>Steve</div></div></div></blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote></div>
</blockquote></div>
</blockquote></div></div></div></div></div></div></div></div></div></blockquote></div></div>
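<div>The two metadata problems the thread settles on (SingleLogoutService placed after NameIDFormat, and whitespace inside the NameIDFormat value) are both things an SP operator can check locally before uploading to an IdP. The script below is an added example written for this page; it is not code from the thread participants or from the Keycloak project. It lints the child order of an SPSSODescriptor against the sequence the SAML 2.0 metadata schema prescribes, trims NameIDFormat values, and reorders the children. The sample metadata, the entity ID and the endpoint URLs are constructed placeholders, not the ones from the thread.</div>

```python
"""Lint and normalize the child order of a SAML 2.0 SPSSODescriptor.

Added example, not code from the thread or from Keycloak. The sample
metadata below is constructed; entity and endpoint URLs are placeholders.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Child order of SPSSODescriptor as fixed by the SAML 2.0 metadata schema
# (RoleDescriptorType, then SSODescriptorType, then SPSSODescriptorType).
# SingleLogoutService precedes NameIDFormat, the ordering error from the thread.
SP_CHILD_ORDER = [
    f"{{{DS}}}Signature",
    f"{{{MD}}}Extensions",
    f"{{{MD}}}KeyDescriptor",
    f"{{{MD}}}Organization",
    f"{{{MD}}}ContactPerson",
    f"{{{MD}}}ArtifactResolutionService",
    f"{{{MD}}}SingleLogoutService",
    f"{{{MD}}}ManageNameIDService",
    f"{{{MD}}}NameIDFormat",
    f"{{{MD}}}AssertionConsumerService",
    f"{{{MD}}}AttributeConsumingService",
]
RANK = {tag: i for i, tag in enumerate(SP_CHILD_ORDER)}
NAMEID_FORMAT = f"{{{MD}}}NameIDFormat"
ACS = f"{{{MD}}}AssertionConsumerService"


def local(tag):
    """Strip the namespace from a Clark-notation tag for readable messages."""
    return tag.rsplit("}", 1)[-1]


def lint_sp_descriptor(xml_text):
    """Return a list of problems found in the SPSSODescriptor; empty means clean."""
    root = ET.fromstring(xml_text)
    sp = root.find(f".//{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor element found"]
    problems = []
    highest_rank, highest_tag = -1, None
    for child in sp:
        rank = RANK.get(child.tag)
        if rank is None:
            problems.append(f"unexpected child element {child.tag}")
            continue
        if rank < highest_rank:
            problems.append(f"{local(child.tag)} must come before {local(highest_tag)}")
        else:
            highest_rank, highest_tag = rank, child.tag
        # Padding inside NameIDFormat makes the URI differ from what the IdP compares against.
        if child.tag == NAMEID_FORMAT and (child.text or "") != (child.text or "").strip():
            problems.append("NameIDFormat contains surrounding whitespace")
    if sp.find(ACS) is None:
        problems.append("SPSSODescriptor requires at least one AssertionConsumerService")
    return problems


def normalize_sp_descriptor(xml_text):
    """Reorder SPSSODescriptor children per schema and trim NameIDFormat values.

    Run this before signing the metadata: re-serialising a document that
    already carries an enveloped ds:Signature invalidates that signature.
    """
    root = ET.fromstring(xml_text)
    sp = root.find(f".//{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor element found")
    children = list(sp)
    for child in children:
        sp.remove(child)
    # sorted() is stable, so several endpoints of one kind keep their relative order.
    for child in sorted(children, key=lambda c: RANK.get(c.tag, len(RANK))):
        if child.tag == NAMEID_FORMAT and child.text:
            child.text = child.text.strip()
        sp.append(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: NameIDFormat placed before SingleLogoutService and padded
# with newlines, mirroring the two problems reported in the thread.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/auth/realms/demo">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    </md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/auth/realms/demo/broker/idp/endpoint"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/auth/realms/demo/broker/idp/endpoint"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for problem in lint_sp_descriptor(SAMPLE_SP_METADATA):
        print("problem:", problem)
    fixed = normalize_sp_descriptor(SAMPLE_SP_METADATA)
    print("after normalize:", lint_sp_descriptor(fixed) or "clean")
```

<div>Running the script on the constructed sample reports the misplaced SingleLogoutService and the padded NameIDFormat, and the normalized output passes the lint with no findings. The schema order table is the whole SPSSODescriptor sequence rather than only the two elements from the thread, so the same check catches any other out-of-order child an exporter might emit.</div>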