Stian,
We set the "Client Signature Required" to off. See print screen here:
I restarted keycloak and attempted to login via ezproxy. It looks like we
get a little further down the login process but now get an NPE.
You can see the log excerpt here:
Rick
On Mon, Nov 7, 2016 at 1:15 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
First guess is that EZProxy is not signing the login assertion and the
client is configured in KC admin console to require signatures. Try turning
"Client Signature Required" off for the client in the Keycloak admin
console.
On 5 November 2016 at 14:36, Ricardo Chu <pygator(a)linux.com> wrote:
> Here is the trace output of this problem:
>
> https://bitbucket.org/snippets/rachu/ddRze/keycloak-ezproxy-problem
>
> This log includes the startup of keycloak and the login attempt. The
> login fails and the message "invalid requester" is displayed in the
> browser.
>
> The trace shows the "Invalid signature on document" message.
> Line 5211 says "Cannot find Signature element".
>
> Any idea what may cause this?
>
> Rick
>
> On Fri, Sep 30, 2016 at 3:25 AM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> "XML External Entity switches are not supported. You may get XML injection
>> vulnerabilities." is just a warning and shouldn't have anything to do with
>> the issue.
>>
>> Try enabling trace logging for org.keycloak and see if you get any more
>> details.
>>
>> On 23 September 2016 at 14:52, Bill Kuntz <WKuntz(a)flvc.org> wrote:
>>
>> > Thanks.
>> >
>> >
>> >
>> > When we attempt to authenticate using keycloak 2.2.0_final, we get the
>> > following log entries on the Keycloak server:
>> >
>> >
>> >
>> > 2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default task-1)
>> > XML External Entity switches are not supported. You may get XML injection
>> > vulnerabilities.
>> >
>> > 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService]
>> > (default task-1) request validation failed:
>> > org.keycloak.common.VerificationException: Invalid signature on document
>> > at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
>> > at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
>> > at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
>> > at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
>> > at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
>> > at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
>> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> > at java.lang.reflect.Method.invoke(Method.java:498)
>> > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>> > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>> > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>> > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>> > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>> > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>> > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>> > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>> > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>> > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>> > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>> > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>> > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>> > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>> > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> > at java.lang.Thread.run(Thread.java:745)
>> >
>> > 2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1)
>> > type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null,
>> > ipAddress=192.168.33.51, error=invalid_signature
>> >
>> >
>> >
>> > I have verified that the keys on the client match the server. Do the
>> > XML External Entities have something to do with this?
>> >
>> >
>> >
>> > Any help is appreciated.
>> >
>> >
>> >
>> > Thanks,
>> >
>> > Bill
>> >
>> >
>> >
>> > *From:* Stian Thorgersen [mailto:sthorger@redhat.com]
>> > *Sent:* Thursday, September 08, 2016 2:31 AM
>> > *To:* Bill Kuntz
>> > *Cc:* keycloak-user(a)lists.jboss.org
>> > *Subject:* Re: [keycloak-user] Keycloak with EZproxy
>> >
>> >
>> >
>> > Not sure what they mean about "authentication sequence identical to a
>> > standard Shibboleth Identity Provider", but Keycloak is pretty configurable
>> > so it should be possible to adapt the SAML configuration for the client to
>> > make it work with EZProxy.
>> >
>> >
>> >
>> > On 1 September 2016 at 17:47, Bill Kuntz <WKuntz(a)flvc.org> wrote:
>> >
>> > Has anyone successfully used Keycloak with OCLC's EZProxy? We have been
>> > experimenting with Keycloak, and have been able to get it working with
>> > other SPs, but not EZProxy.
>> >
>> > OCLC says " EZproxy supports connecting to non-Shibboleth SAML2 SSO
>> > systems if and only if that system uses an authentication sequence
>> > identical to a standard Shibboleth Identity Provider (IDP)."
>> >
>> > Thanks,
>> > Bill
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> >
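An added illustration of the check this thread circles around (example code written here, not Keycloak's own): the POST-binding SAMLRequest is decoded, a DOCTYPE guard covers the entity-expansion surface the XXE warning refers to, and the "Client Signature Required" policy decides whether a missing ds:Signature is fatal, which is the branch behind "Cannot find Signature element" in the trace. The two AuthnRequests are constructed samples, and cryptographic verification of the SignatureValue against the client's registered certificate is deliberately left to an XML-DSig library.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed samples: an unsigned AuthnRequest as a non-signing SP would POST it, and the same
# request with an enveloped ds:Signature whose Reference covers the request ID.
UNSIGNED_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
    'IssueInstant="2016-11-07T09:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "https://sp.example.org/shibboleth</saml:Issuer></samlp:AuthnRequest>"
)
SIGNED_REQUEST = UNSIGNED_REQUEST.replace(
    "</samlp:AuthnRequest>",
    f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#_req1"/></ds:SignedInfo>'
    "<ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature></samlp:AuthnRequest>",
)

def post_binding(xml_text: str) -> str:
    """The SAML POST binding carries the raw XML base64-encoded in the SAMLRequest form field."""
    return base64.b64encode(xml_text.encode()).decode()

def check_saml_request(saml_request_b64: str, client_signature_required: bool) -> str:
    """Classify an inbound POST-binding AuthnRequest as 'accepted: ...' or 'rejected: ...'."""
    xml_text = base64.b64decode(saml_request_b64).decode("utf-8")
    # A SAML message never legitimately carries a DOCTYPE; refusing it up front removes the
    # entity-expansion surface that the "XML External Entity switches" warning is about.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return "rejected: DOCTYPE/ENTITY declarations are not allowed"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return f"rejected: malformed XML ({exc})"
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return "rejected: not an AuthnRequest"
    signature = root.find(f"{{{DS}}}Signature")
    if signature is None:
        # The branch behind "Cannot find Signature element" in the trace: the client profile
        # demands a signature that the SP never produced.
        if client_signature_required:
            return "rejected: Invalid signature on document (Cannot find Signature element)"
        return "accepted: unsigned request allowed by client policy"
    # Signature present: its Reference must point at this very request (no transplanted signatures);
    # checking SignatureValue against the client's registered certificate is the XML-DSig library's job.
    ref = signature.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        return "rejected: Signature Reference does not cover the request"
    return "accepted: signature covers request, verify XML-DSig next"
```

Turning "Client Signature Required" off only moves an unsigned request from the first rejected branch to the accepted one; it does not change how signed requests are handled.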