First guess is that EZProxy is not signing the login assertion and the
client is configured in KC admin console to require signatures. Try turning
"Client Signature Required" off for the client in the Keycloak admin
console.
On 5 November 2016 at 14:36, Ricardo Chu <pygator(a)linux.com> wrote:
Here is the trace output of this problem:
https://bitbucket.org/snippets/rachu/ddRze/keycloak-ezproxy-problem
This log includes the startup of keycloak and the login attempt. The
login fails and the message "invalid requester" is displayed in the
browser.
The trace shows the "Invalid signature on document" message.
Line 5211 says "Cannot find Signature element".
Any idea what may cause this?
Rick
On Fri, Sep 30, 2016 at 3:25 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> "XML External Entity switches are not supported. You may get XML injection
> vulnerabilities." is just a warning and shouldn't have anything to do with
> the issue.
>
> Try enabling trace logging for org.keycloak and see if you get any more
> details.
>
> On 23 September 2016 at 14:52, Bill Kuntz <WKuntz(a)flvc.org> wrote:
>
> > Thanks.
> >
> > When we attempt to authenticate using keycloak 2.2.0_final, we get the
> > following log entries on the Keycloak server:
> >
> > 2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default task-1)
> > XML External Entity switches are not supported. You may get XML injection
> > vulnerabilities.
> >
> > 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService]
> > (default task-1) request validation failed:
> > org.keycloak.common.VerificationException: Invalid signature on document
> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
> >     at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
> >     at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:498)
> >     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> >     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> >     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> >     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> >     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> >     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> >     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> >     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> >     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> >     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> >     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> >     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >     at java.lang.Thread.run(Thread.java:745)
> >
> > 2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1)
> > type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null,
> > ipAddress=192.168.33.51, error=invalid_signature
> >
> > I have verified that the keys on the client match the server. Does the
> > XML External Entities have something to do with this?
> >
> > Any help is appreciated.
> >
> > Thanks,
> >
> > Bill
> >
> > *From:* Stian Thorgersen [mailto:sthorger@redhat.com]
> > *Sent:* Thursday, September 08, 2016 2:31 AM
> > *To:* Bill Kuntz
> > *Cc:* keycloak-user(a)lists.jboss.org
> > *Subject:* Re: [keycloak-user] Keycloak with EZproxy
> >
> > Not sure what they mean about "authentication sequence identical to a
> > standard Shibboleth Identity Provider", but Keycloak is pretty configurable
> > so it should be possible to adapt the SAML configuration for the client to
> > make it work with EZProxy.
> >
> > On 1 September 2016 at 17:47, Bill Kuntz <WKuntz(a)flvc.org> wrote:
> >
> > Has anyone successfully used Keycloak with OCLC's EZProxy? We have been
> > experimenting with Keycloak, and have been able to get it working with
> > other SPs, but not EZProxy.
> >
> > OCLC says " EZproxy supports connecting to non-Shibboleth SAML2 SSO
> > systems if and only if that system uses an authentication sequence
> > identical to a standard Shibboleth Identity Provider (IDP)."
> >
> > Thanks,
> > Bill
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> >
https://lists.jboss.org/mailman/listinfo/keycloak-user
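Added example, not code from the thread, from Keycloak or from EZProxy: a small Python check that shows the distinction the replies turn on. With "Client Signature Required" on, Keycloak looks for a ds:Signature element in the AuthnRequest before it does any cryptography, so an SP that sends unsigned requests fails with "Cannot find Signature element" even when the keys on both sides match. The function and constant names, the sample AuthnRequest (issuer https://ezproxy.example.org/shibboleth, ID _req-0001) and its placeholder signature are all constructed here; the code only reports whether a signature element is present and what it references, it does not verify the SignatureValue.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 and XML-DSig namespaces.
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: an AuthnRequest of the shape a Shibboleth-style SP sends,
# with no signature at all.
UNSIGNED_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-0001" Version="2.0" '
    b'IssueInstant="2016-09-23T12:44:09Z" '
    b'AssertionConsumerServiceURL="https://ezproxy.example.org/Shibboleth.sso/SAML2/POST">'
    b'<saml:Issuer>https://ezproxy.example.org/shibboleth</saml:Issuer>'
    b'<samlp:NameIDPolicy AllowCreate="true"/>'
    b'</samlp:AuthnRequest>'
)

# Constructed sample: the same request with an enveloped ds:Signature whose Reference
# points at the request's own ID. Digest and signature values are placeholders.
SIGNED_REQUEST = UNSIGNED_REQUEST.replace(
    b'<samlp:NameIDPolicy',
    b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    b'<ds:SignedInfo>'
    b'<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    b'<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
    b'<ds:Reference URI="#_req-0001">'
    b'<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
    b'<ds:DigestValue>PLACEHOLDER</ds:DigestValue>'
    b'</ds:Reference>'
    b'</ds:SignedInfo>'
    b'<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
    b'</ds:Signature>'
    b'<samlp:NameIDPolicy',
)

# Base64 form, as it arrives in the SAMLRequest form field of the HTTP-POST binding.
UNSIGNED_REQUEST_B64 = base64.b64encode(UNSIGNED_REQUEST).decode("ascii")


def decode_post_binding(saml_request_b64: str) -> bytes:
    """The HTTP-POST binding carries the request as plain base64 (no DEFLATE, unlike HTTP-Redirect)."""
    return base64.b64decode(saml_request_b64, validate=True)


def inspect_authn_request(xml_bytes: bytes) -> dict:
    """Report what a signature check sees: issuer, request ID, and whether a ds:Signature is present.

    ElementTree's expat parser does not fetch external entities (an external entity
    reference raises ParseError), so XXE-style input fails to parse rather than
    being resolved.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    sig = root.find(f"{{{NS_DS}}}Signature")
    info = {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "signed": sig is not None,
        "signature_method": None,
        "reference_uri": None,
    }
    if sig is not None:
        method = sig.find(f"{{{NS_DS}}}SignedInfo/{{{NS_DS}}}SignatureMethod")
        ref = sig.find(f"{{{NS_DS}}}SignedInfo/{{{NS_DS}}}Reference")
        info["signature_method"] = None if method is None else method.get("Algorithm")
        info["reference_uri"] = None if ref is None else ref.get("URI")
    return info


def evaluate_request(xml_bytes: bytes, client_signature_required: bool) -> str:
    """Mirror the decision the thread is about: with the client set to require signed
    requests, an unsigned AuthnRequest is rejected before any cryptography happens."""
    info = inspect_authn_request(xml_bytes)
    if not client_signature_required:
        return "accepted: client does not require signed requests"
    if not info["signed"]:
        return "rejected: Cannot find Signature element"
    if info["reference_uri"] != "#" + info["id"]:
        return "rejected: Signature does not reference the AuthnRequest"
    return "signature present: verify SignatureValue against the client's certificate"


if __name__ == "__main__":
    for label, doc in (("unsigned", decode_post_binding(UNSIGNED_REQUEST_B64)), ("signed", SIGNED_REQUEST)):
        print(label, inspect_authn_request(doc)["issuer"], "->", evaluate_request(doc, True))
```

Running it against a captured SAMLRequest tells you which side to fix: a request with no ds:Signature means the SP is not signing, and the choice is between enabling request signing on the SP or turning the requirement off in Keycloak. If the requirement is turned off, the request body, including the AssertionConsumerServiceURL it names, is no longer authenticated, so the client's allowed redirect URIs in Keycloak should be kept specific rather than wildcarded.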