Re: [keycloak-dev] Getting error with authentication using ecp.sh script

Hi All, I am using ecp.sh (provided by keycloak team, ofcourse with changes on idp_endpoint based on my keycloak environment) to perform authentication. I am using spring saml SP and keycloak IDP. I enabled ecp on the SP side and then I execute ecp.sh script as: ./ecp.sh -d rhsso http://192.168.99.100:8888/saml-sp/first.jsp newuser4 My idp_endpoint is: "http://192.168.99.100:9990/auth/realms/xxxxxxxxxx/ protocol/saml" where xxxxxxxxxx is my realm (replaced my realm with xxxxxxxxxx for this email) The script prompts me to enter password and then it sends an auth request to keycloak IDP. Now, something goes wrong at the IDP. I enabled saml logs on keycloak to see the incoming request and the following error from the logs: 00:51:40,656 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2) SAML POST Binding 00:51:40,656 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2) <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://192.168.99.100:8888/saml-sp/saml/SSO" ForceAuthn="false" ID="a31ah57718g27gd149da6jeb08620ig" IsPassive="false" IssueInstant="2016-12-24T00:51:34.799Z" ProtocolBinding="urn:oasis: names:tc:SAML:2.0:bindings:PAOS" Version="2.0"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http:// 192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/ 2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1 "/> <ds:Reference URI="#a31ah57718g27gd149da6jeb08620ig"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped- signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>nfLQ9IFs9IFnSgw3HHHKuPkAbRY=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>iULSwpjBb38Vmtan4ZIocRx4PNr6fHRuhVbL+ 7yXNz3wqjlSavtk7haUiADwUS2cTofRM5KDzUvIkaQPXBZqEkz2xnrhpNj71 eIqJ6H4ZqW3mpvP8Bk9z3VEmcEQhZSd6j8rMf4JOdIBRtE7cea0wJhuQ1Uds HdcKeIdp+wuRvn8t9vS/mPKd9GAt11JpC+bgMQS0MDy+r1+AZof2+ XMyMuwECVIkouTzwlgKDEmgvQh6Aq61f+QzIeeZ9+3efwJyIH61x7J4CaiSTpesezlXx8UQ nqIL+AToL1OFHSp2bgXXxkP1rHSkyNM34Eg92LmI5cN3oBfQDR8r+mCoEctWA==</ ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBg kqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYT ERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeT EMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyOD AxWhcNMjIxMjMwMTEyODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVX VzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2 FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wggEiMA0GCS qGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrD tUt00E5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/ yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/ rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7KqxpHx6No83WNZj4B 3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/ KSaal3R26pONUUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/ R93vBA6lnl5nTctZIRsyg0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQ wAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL82IvnKouGixGq AcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGO M6A8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/ dgixKb1Rvby/tBuRogWgPONNSACiW+Z5o8UdAOqNMZQozD/ i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEWbHwSoBy5hLPNALaE Uoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/ GuHE=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> </saml2p:AuthnRequest> 00:51:41,265 DEBUG [org.keycloak.saml.common] (default task-2) The provider ApacheXMLDSig - 2.05 was added at position: 2 00:51:41,545 WARN [org.keycloak.services] (default task-2) KC-SERVICES0013: Failed authentication: org.keycloak.authentication. AuthenticationFlowException at org.keycloak.authentication.DefaultAuthenticationFlow. processResult(DefaultAuthenticationFlow.java:242) at org.keycloak.authentication.DefaultAuthenticationFlow. processFlow(DefaultAuthenticationFlow.java:185) at org.keycloak.authentication.AuthenticationProcessor. authenticateOnly(AuthenticationProcessor.java:792) at org.keycloak.protocol.AuthorizationEndpointBase. handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:100) at org.keycloak.protocol.saml.SamlService. newBrowserAuthentication(SamlService.java:505) at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService. newBrowserAuthentication(SamlEcpProfileService.java:89) at org.keycloak.protocol.saml.SamlService. newBrowserAuthentication(SamlService.java:501) at org.keycloak.protocol.saml.SamlService$BindingProtocol. loginRequest(SamlService.java:297) at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService$1. loginRequest(SamlEcpProfileService.java:72) at org.keycloak.protocol.saml.SamlService$BindingProtocol. handleSamlRequest(SamlService.java:209) at org.keycloak.protocol.saml.SamlService$ PostBindingProtocol.execute(SamlService.java:453) at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService. authenticate(SamlEcpProfileService.java:74) at org.keycloak.protocol.saml.SamlService.soapBinding( SamlService.java:619) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke( NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke( DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke( MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker. invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke( SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke( SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet. ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet. HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet. HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest( ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter. doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter( ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest( FilterHandler.java:84) at io.undertow.servlet.handlers.security. ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler. java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler. handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security. SecurityContextAssociationHandler.handleRequest( SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:43) at io.undertow.servlet.handlers.security. SSLInformationAssociationHandler.handleRequest( SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security. ServletAuthenticationCallHandler.handleRequest( ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler .handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security. ServletConfidentialityConstraintHandler.handleRequest( ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandle r.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security. CachedAuthenticatedSessionHandler.handleRequest( CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler. handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssocia tionHandler.handleRequest(AbstractSecurityContextAssocia tionHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc. JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler. handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler. dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$ 000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1. handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors. java:202) at io.undertow.server.HttpServerExchange$1.run( HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker( ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run( ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) 00:51:41,548 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=O4ZR9N2V6U, clientId=http://192.168.99. 100:8888/saml-sp/saml/metadata, userId=null, ipAddress=192.168.99.1, error=in valid_user_credentials, auth_method=saml, redirect_uri=http://192.168. 99.100:8888/saml-sp/saml/SSO, code_id=fa04e6ff-3767-419c-a5bf-7bc2c94e8300 I am a bit lost here on what is wrong. Does this request I pasted above look correct? If not, let me know what is wrong/missing there. Also, my understanding is that I don't need to enable anything on keycloak for this. I was earlier able to do browser based authentication using this same saml SP, IDP and the user. Then, I enabled ECP on SP to test authentication using ecp.sh script but I encountered the above error and output. I would appreciate any help or pointers on this. Also, for reference, this is the SP response (I printed the $sp_resp variable in ecp.sh): <?xml version="1.0" encoding="UTF-8"?> <soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"> <soap11:Header> <paos:Request xmlns:paos="urn:liberty:paos:2003-08" responseConsumerURL=" http://192.168.99.100:8888/saml-sp/saml/SSO" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" soap11:actor="http://schemas.xmlsoap.org/soap/actor/next" soap11:mustUnderstand="1"/> <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="false" soap11:actor="http://schemas.xmlsoap.org/soap/actor/next" soap11:mustUnderstand="1"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http:// 192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer> </ecp:Request> </soap11:Header> <soap11:Body> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://192.168.99.100:8888/saml-sp/saml/SSO" ForceAuthn="false" ID="a1bj9ed5f38c4c1f1331hifbg36363" IsPassive="false" IssueInstant="2016-12-24T01:14:48.538Z" ProtocolBinding="urn:oasis: names:tc:SAML:2.0:bindings:PAOS" Version="2.0"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http:// 192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/ 2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1 "/> <ds:Reference URI="#a1bj9ed5f38c4c1f1331hifbg36363"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped- signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>sOgymsP3qFQ4QQFiGP7oUjtutUw=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>ZGxJgqOcGe2XarIF1JtfjikRmpsIjglB4mKeYdfUbwUavtH25XgZ/ YmgTDFlCYbq2piAM0NvibcyPtXjgX26zATtWJg3URqHpqWclccql8I5arrVf kHTKUQxIx0Rk9bxxytsS012SptubO9F4a+b4LAWoaE9L4IymGVtLpZRLYRL2rhhj wIehT/hSXTWWNRWrLWYb03klaCp/1hZIEUIUW1nyeveyWfaeN1LF7BJ63y MdWOrtUEaF388chUcg1dpFB7HeYq1Q5GCYyEsFk3yi1CEcZ/ qeXyfbHAwixFOG0pPNyeunn6QDZzFD8sSVepXzuFLb8MuuthNYSb0hVLrwQ= =</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBg kqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E 5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13 F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg 0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL 82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A 8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+ Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> </saml2p:AuthnRequest> </soap11:Body> </soap11:Envelope>