Thank you for your reply, John.
We have set the EntityId of the client as the ClientID in keycloak.
Basically anything we add in ClientID is appearing in the IDPSSODescriptor
metadata.
Now we get the response "Invalid Requester".
Our client has these 3 configuration options:
- Identity Provider Issuer -> EntityID = ClientID Keycloak
- SSO URL -> https://domain/auth/realms/keycloak_realm/protocol/saml
- Certificate -> X.509 added.
Certificate is not failing, and SSO URL looks to redirect correctly. IdP
Issuer looks to be ok now, so I am guessing that this error is about the
mapping attributes of the user authenticating?
Thanks
Regards
On Fri, Mar 8, 2019 at 9:17 PM John Dennis <jdennis(a)redhat.com> wrote:
On 3/8/19 1:50 PM, Victor Alejo wrote:
> Hi,
>
> I am integrating Keycloak with my service using a saml client but I get
> the "unknown login requester" error all the time.
>
> My service:
> - Uses Saml 2.0
> - SSO URL pointing to:
> https://sso.develop.stentle.com/auth/realms/my_realm_keycloak_app/protoco...
> <https://sso.develop.stentle.com/auth/realms/customer-support/protocol/saml>
>
> - Certificate X.509 Added Working.
>
> - Identity Provider Issuer: This is the value we I know how to set.
>
> - The client_ID value in the saml client of Keycloak:
>
> "Specified ID referenced in URI and tokens. For example 'my-client'. This
> is also the expected issuer value from auth request"
>
> Does anyone know what should be in this value and how it relates to the
> Identity Provider Issuer?
It's not related. There are two parties involved, the IdP (i.e.
Keycloak) and the SP (i.e. your client). Each must know about the other;
typically this is done through SAML metadata exchange, but Keycloak allows
you to manually add the client if you don't have metadata.
Each party is identified by something SAML calls the entityID, it *must*
be a URN. You will find the entityID for the SP in the EntityDescriptor
of the client's metadata and the IdP's entityID in the EntityDescriptor of your
Keycloak realm's metadata. Keycloak's clientid *is* the SAML SP's
entityID and appears in the authnRequest sent by your SP to Keycloak.
What is sent by your SP as its entityID *must* match the entityID (i.e.
clientid) registered in your Keycloak realm. To find the IdP entity
description, register or create your SAML SP client in your realm and
then click on the Installation tab, then select SAML Metadata
IDPSSODescriptor as the format. Your SP may need this metadata depending
on the client. It just so happens that the issuer field in the realm's
OpenID Endpoint Configuration matches the SAML IdP entityID, but it's
best to pull this value from the SAML IdP metadata.
--
John Dennis
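The two identifiers John describes can be cross-checked mechanically: the `<saml:Issuer>` of the SP's AuthnRequest must equal the Client ID registered in the realm, and the SP's "Identity Provider Issuer" setting must equal the `entityID` from the IDPSSODescriptor metadata (not the Client ID, which is the mistake described above). This is an added example, not code from the thread or from Keycloak; the metadata, AuthnRequest, hostnames and Client ID values are constructed.

```python
"""Cross-check SAML SP/IdP identifiers for a Keycloak SAML client.
Added example; all XML and identifiers below are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed IdP metadata, in the shape Keycloak exports as "SAML Metadata IDPSSODescriptor".
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.test/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest as the SP would send it to Keycloak.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0"
  IssueInstant="2019-03-08T00:00:00Z"
  Destination="https://idp.example.test/auth/realms/demo/protocol/saml">
  <saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def idp_entity_and_sso(metadata_xml):
    """Return (IdP entityID, SSO Location) from IDPSSODescriptor metadata."""
    root = ET.fromstring(metadata_xml)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return root.get("entityID"), sso.get("Location")


def check_saml_config(request_xml, registered_client_id, sp_idp_issuer, idp_metadata_xml):
    """Return a list of mismatches; an empty list means the SP request and the
    SP's IdP-issuer setting agree with what the Keycloak realm publishes."""
    req = ET.fromstring(request_xml)
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    idp_entity_id, sso_location = idp_entity_and_sso(idp_metadata_xml)
    problems = []
    if issuer != registered_client_id:  # Keycloak answers this with "Invalid Requester"
        problems.append(f"AuthnRequest Issuer {issuer!r} != Client ID {registered_client_id!r}")
    if req.get("Destination") != sso_location:
        problems.append(f"Destination {req.get('Destination')!r} != IdP SSO URL {sso_location!r}")
    if sp_idp_issuer != idp_entity_id:  # the SP must trust the IdP's own entityID
        problems.append(f"SP 'Identity Provider Issuer' {sp_idp_issuer!r} != IdP entityID {idp_entity_id!r}")
    return problems
```

Feeding it the Client ID as the SP's "Identity Provider Issuer", as the first message in this thread did, reports the third mismatch even when the AuthnRequest itself is accepted.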