Hello David,
May I ask you to share your logout request, please?
I am using
https://www.keycloak.org/docs/latest/securing_apps/index.html#logout-2
and Microsoft ADFS2 does not complain about the request. You can have a
look at the SAMLRequest param here [1].
The full request looks like this:
GET https://login.cern.ch/adfs/ls/?SAMLRequest=...&RelayState=logout&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=... HTTP/1.1
Host: login.cern.ch
User-Agent:...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: MSISAuth=...
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Hope it helps,
Luis
ps: thank you so much, because your post helped me a lot! I thought that
to be able to use [1] I needed to have a Keycloak server, register the
SP, etc. But it turns out that the Keycloak SAML Client Adapter Core does
all the magic, thanks Keycloak team!
pps: for WebLogic I needed to implement the SLO myself [2] :(
[1] https://gist.github.com/lurodrig/a4aeba70d89dd123ce1d6f49cd45fc0f
[2] https://github.com/cerndb/wls-cern-sso/tree/master/saml2slo/
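The signed HTTP-Redirect binding request shown above, worked through as an added example (this is not Luis's code, nor Keycloak's or ADFS's): it builds a LogoutRequest query string with the same SAMLRequest, RelayState, SigAlg and Signature parameters and rebuilds the exact octets the receiving IdP has to verify. The hosts, IDs, the XML and the stand-in signer are assumptions made up for the example; the `cryptography` package is only needed for the RSA demo under `__main__`.

```python
"""
SAML 2.0 HTTP-Redirect binding helpers (added example; hosts, IDs, XML
and keys are placeholders, not taken from any real deployment).
"""
import base64
import zlib
from typing import Callable, Dict, Optional
from urllib.parse import quote, unquote

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample LogoutRequest; every value is a placeholder.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_example-1" '
    'Version="2.0" IssueInstant="2018-05-16T12:12:00Z" '
    'Destination="https://idp.example.org/adfs/ls/">'
    "<saml:Issuer>https://sp.example.org/saml</saml:Issuer>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    "alice</saml:NameID><samlp:SessionIndex>_sess-1</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)


def deflate_b64(xml: str) -> str:
    """Redirect-binding payload: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def inflate_b64(payload: str) -> str:
    """Inverse of deflate_b64; what the receiver does with SAMLRequest."""
    return zlib.decompress(base64.b64decode(payload), -15).decode("utf-8")


def signed_string(saml_request_b64: str, relay_state: Optional[str], sig_alg: str) -> str:
    """Octets the signature covers: URL-encoded values joined in this fixed
    order, RelayState only when present (SAML Bindings, section 3.4.4.1)."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in parts)


def raw_query_params(query: str) -> Dict[str, str]:
    """Split a query string but keep values percent-encoded exactly as sent.
    Decoding and re-encoding can change bytes ('+' vs '%20') and break an
    otherwise valid signature."""
    params = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = value
    return params


def signed_string_from_query(query: str) -> str:
    """Rebuild the signed octets from a received URL (Signature excluded)."""
    p = raw_query_params(query)
    parts = ["SAMLRequest=" + p["SAMLRequest"]]
    if "RelayState" in p:
        parts.append("RelayState=" + p["RelayState"])
    parts.append("SigAlg=" + p["SigAlg"])
    return "&".join(parts)


def build_redirect_query(xml: str, relay_state: Optional[str],
                         sign: Callable[[bytes], bytes]) -> str:
    """SP side: sign(octets) must return a raw RSA-SHA256 signature."""
    to_sign = signed_string(deflate_b64(xml), relay_state, RSA_SHA256)
    sig_b64 = base64.b64encode(sign(to_sign.encode("ascii"))).decode("ascii")
    return to_sign + "&Signature=" + quote(sig_b64, safe="")


def verify_redirect_query(query: str, verify: Callable[[bytes, bytes], bool]) -> bool:
    """IdP side: pin the algorithm first (never take SigAlg from the wire at
    face value), then verify over the raw encoded octets."""
    p = raw_query_params(query)
    if unquote(p.get("SigAlg", "")) != RSA_SHA256 or "Signature" not in p:
        return False
    signature = base64.b64decode(unquote(p["Signature"]))
    return verify(signed_string_from_query(query).encode("ascii"), signature)


if __name__ == "__main__":
    # Throwaway RSA key via the 'cryptography' package; nothing is fetched
    # from any IdP.
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding, rsa

    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    def rsa_verify(message: bytes, signature: bytes) -> bool:
        try:
            key.public_key().verify(signature, message, padding.PKCS1v15(), hashes.SHA256())
            return True
        except InvalidSignature:
            return False

    query = build_redirect_query(
        LOGOUT_REQUEST, "logout",
        lambda m: key.sign(m, padding.PKCS1v15(), hashes.SHA256()))
    print("GET https://idp.example.org/adfs/ls/?" + query[:80] + "...")
    print("signature valid:", verify_redirect_query(query, rsa_verify))
    tampered = query.replace("RelayState=logout", "RelayState=evil")
    print("tampered valid:", verify_redirect_query(tampered, rsa_verify))
```

Two details matter when an IdP rejects a request that looks right: the signature is computed over the percent-encoded query values in the order SAMLRequest, RelayState, SigAlg (RelayState omitted if absent), so a verifier must take those values verbatim from the URL rather than decode and re-encode them; and SigAlg is attacker-controlled input, so the receiver should compare it against the algorithm it expects before touching the signature.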
2018-05-16 14:12 GMT+02:00 Lynxlogic <info(a)lynxlogic.com>:
Thanks for the info Luis. I was getting this error when using Azure's
'Test SAML Settings' tool. Apparently when testing that way the attributes
you mentioned are omitted from the SAML response. If I follow a normal
login flow it works.
However, I'm unable to get single sign-out to work. If I turn on
backchannel logout, then when I sign out from Keycloak I'm not signed out
from Azure. If I turn this off, Keycloak sends a SAML request on logout,
but Azure complains that it is invalid. Azure's documentation says that
the sign-out URL should be configured as
'https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0'. If
I hit this URL manually I do get signed out of Azure, but if I specify that
URL as the 'Single Logout Service URL' in the identity provider setup,
Keycloak seems to ignore it. The behavior is the same with or without that
setting: Keycloak does not redirect to that URL.
David
> On May 16, 2018, at 04:00, Luis Rodríguez Fernández <uo67113(a)gmail.com> wrote:
>
> Hello David,
>
> In your <samlp:Response> I am missing a couple of attributes:
>
> Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
> InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"
>
> Probably the "Consent" one is not causing the issue, but "InResponseTo"
> contains the ID of the AuthnRequest sent by Keycloak, and maybe Keycloak
> wants to verify it. My setup is Keycloak SP and ADFS2 IdP (very similar to
> yours BTW). You can have a look here at one of the ADFS2 responses:
>
> https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
>
> Hope it helps,
>
> Luis
>
> 2018-05-16 3:06 GMT+02:00 Lynxlogic <info(a)lynxlogic.com>:
>
>> I'm trying to set up SAML SSO between Azure AD and Keycloak. On the
>> redirect back after auth, Keycloak is failing to process the response and
>> generates an internal server error:
>>
>> 00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
>>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
>>     ...
>> Caused by: java.lang.NullPointerException
>>     at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
>>     at java.util.regex.Matcher.reset(Matcher.java:309)
>>     at java.util.regex.Matcher.<init>(Matcher.java:229)
>>     at java.util.regex.Pattern.matcher(Pattern.java:1093)
>>     at java.util.regex.Pattern.split(Pattern.java:1206)
>>     at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
>>     at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
>>     at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
>>     ... 63 more
>>
>> I've posted the SAML response at
>> https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf
>>
>> The stack trace indicates it's failing at IdentityBrokerService.parseEncodedSessionCode().
>> I've tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point
>> me in the right direction to solve this?
>>
>> Thanks,
>> David
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett