Destination is mandatory for signed SAML messages in Redirect and POST
bindings [1] and optional for unsigned ones [2]. It is a protection against
replay attacks for messages whose integrity can be checked. Hence, to
comply with the SAML spec, we have to allow the destination to be unset
when the signature is not checked.
[1] line 1477
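The rule stated above, as an added example that is not Keycloak's code: an unsigned AuthnRequest may omit Destination, a signed one must carry it, and whenever it is present it must equal the endpoint the message arrived at. The unsigned sample is the AuthnRequest quoted further down in this thread; the signed variants, the empty placeholder ds:Signature element, the endpoint URL and the helper names are constructed assumptions. The `strict=True` mode reproduces the always-required behaviour that produced the `invalid_destination` error reported below.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Endpoint the request was posted to (assumed; the URL used in the thread).
ENDPOINT = "https://keycloak.internal/auth/realms/azure/protocol/saml"

# Constructed sample: the unsigned AuthnRequest Azure AD sent, without Destination.
AZURE_REQUEST = (
    '<samlp:AuthnRequest ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0" '
    'IssueInstant="2017-08-22T11:47:46.793Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>'
    '</samlp:AuthnRequest>'
)


def make_request(destination=None, signed=False):
    """Build constructed AuthnRequest variants for exercising the check.

    The <ds:Signature> element is an empty placeholder (assumption): this example
    only demonstrates the Destination rule and assumes the XML signature itself
    has already been verified by other code before the message is trusted.
    """
    dest_attr = f' Destination="{destination}"' if destination is not None else ""
    sig = f'<ds:Signature xmlns:ds="{DSIG}"/>' if signed else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed" Version="2.0" '
        f'IssueInstant="2017-08-22T11:47:46.793Z"{dest_attr}>{sig}'
        '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>'
        '</samlp:AuthnRequest>'
    )


def check_destination(xml_text, endpoint, strict=False):
    """Return (accepted, reason) for the Destination attribute of an AuthnRequest.

    strict=True  : Destination is always required (the behaviour reported below).
    strict=False : Destination is required only when the message is signed;
                   an unsigned message may omit it.
    In both modes a Destination that is present must equal the receiving endpoint.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "not_an_authn_request"
    signed = root.find(f"{{{DSIG}}}Signature") is not None
    destination = root.get("Destination")
    if destination is None:
        if strict or signed:
            return False, "invalid_destination"
        return True, "unsigned_without_destination"
    # Exact string comparison; URL normalisation policy is left to the caller.
    if destination != endpoint:
        return False, "invalid_destination"
    return True, "destination_matches"


if __name__ == "__main__":
    print("strict, Azure request :", check_destination(AZURE_REQUEST, ENDPOINT, strict=True))
    print("relaxed, Azure request:", check_destination(AZURE_REQUEST, ENDPOINT))
    print("signed, no Destination:", check_destination(make_request(None, signed=True), ENDPOINT))
    print("signed, matching      :", check_destination(make_request(ENDPOINT, signed=True), ENDPOINT))
    print("unsigned, wrong target:", check_destination(make_request("https://other.example/saml"), ENDPOINT))
```

The relaxed mode still rejects a message whose Destination names a different endpoint, signed or not, so relaxing the rule for unsigned messages does not give up the replay protection for messages that do carry the attribute.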
On Fri, Aug 25, 2017 at 3:30 PM, Bill Burke <bburke(a)redhat.com> wrote:
destination is validated to be the same URL the SAML request was posted
to. This is a security check to protect against replay attacks.
On 8/25/17 5:53 AM, Jonas Weismueller wrote:
> Hi,
> any further information needed? I would like to get KC <-> Azure AD
> connected. Otherwise we are sadly obliged to look for another
> IdP solution :(
>
> Cheers Jonas
>
> On 22.08.17 14:27, Jonas Weismueller wrote:
>> Hi,
>>
>> we configured AzureAD to use our keycloak instance, like this:
>>
>> # Base64-encoded signing certificate of the Keycloak realm
>> $cer="$our_cert_string"
>> # Keycloak SAML endpoint of the realm, reused for every URI below
>> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>> # Tenant domain to switch to federated authentication
>> $dom="test.domain.cloud"
>>
>> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated `
>>     -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri `
>>     -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>>
>>
>> When I now try to log in on the Azure portal, I get successfully redirected
>> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
>> I get the following error from keycloak:
>>
>> 2017-08-22 11:49:47,735 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-3)
>> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
>> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
>> sessionId=null, time=1503402587482, error=invalid_authn_request,
>> type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}}
>>
>>
>>
>> The SAML AuthnRequest sent by M$ looks as follows:
>>
>> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-3)
>> <samlp:AuthnRequest ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
>>     IssueInstant="2017-08-22T11:47:46.793Z"
>>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>>   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
>>   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
>> </samlp:AuthnRequest>
>>
>>
>>
>> What we can see is that the destination (optional?) attribute is
>> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>>
>>
>>
>> Why is keycloak doing some strict checking about the optional
>> destination parameter?
>>
>>
>>
>> Cheers Jonas
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user