Re: [keycloak-user] trouble acting as SP with testshib.org IdP

Hi Jérôme! Thanks so much for the details! Perhaps the issue when uploading was actually the other issue I stumbled upon in this endeavor! When attempting to upload the keycloak sp metadata to testshib.org, I received a malformed metadata error, the testshib.org folks noted that the SingleLogoutService element must come before the NameID element (they also suggested to remove the newline&whitespace from NameID, which existed in my keycloak sp metadata). Once I modified those I was able to upload at least. I suppose the ordering/newline issues may be a fixable issue for keycloak. As for the signing issue, I think I'll give up on using the testshib instance (I did try to re-upload with your authn suggestion after fixing the SingleLogoutService and NameID issues I mentioned above) and did receive an invalid metadata error. I appreciate your help though, and I'm sure that integrating with a univ IdP as I intend to will be a bit easier! On Thu, Feb 11, 2016 at 3:20 AM Jérôme Blanchard <jayblanc(a)gmail.com&gt; wrote: > I'm able to reproduce your bug. > Making authentication using debug mode a break point in > AssertionUtil.getAssertion() show that the IdP refuse to use unencrypted > response : > > StatusType [statusCode=StatusCodeType > [value=urn:oasis:names:tc:SAML:2.0:status:Responder, statusCode=null], > statusMessage=Unable to encrypt assertion, statusDetail=null] > > By the way, when I try to use the Want AuthnRequests Signed= true, I > can't upload the configuration to the testshib site because it considere > the file as not wellformed !! > > I'm sorry, but it seems that the configuration os the testshib is very > well coupled to shibboleth... Maybe you could try with your own instance of > an IdP. > > Best regards, Jérôme. > > Le mer. 10 févr. 2016 à 17:03, Steve Nolen <technolengy(a)gmail.com&gt; a > écrit : > >> Hi Jérôme, >> >> Thanks for the help! I swapped the NameId in keycloak for this broker to >> unspecified (I uploaded my sp metadata to testshib.org again as well >> just in case) and am still receiving the same error. >> >> On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard <jayblanc(a)gmail.com&gt; >> wrote: >> >>> Hi Steve, >>> >>> I'm using Keycloak as a shibboleth SP in a federation (Renater) and >>> It's working fine. The problem you encounter comes from the fact that you >>> ask for a persistent nameId in the config of your SP and, according to the >>> provider details, it's only able to send transient nameId. >>> Feel the parameter of nameId to undefined and check the authentication >>> again. >>> >>> Best regards, Jérôme. >>> >>> Le mer. 10 févr. 2016 à 03:57, Steve Nolen <technolengy(a)gmail.com&gt; a >>> écrit : >>> >>>> Hi! >>>> >>>> First of all, keycloak is legitimately awesome! >>>> >>>> I was attempting to test the use of keycloak as a shibboleth SP today >>>> (testing against the testshib.org test IdP) and am having some >>>> trouble. >>>> >>>> Keycloak Version: 1.9.0CR1 (using it on openshift currently) >>>> >>>> Both sides seem to be set up as they should (I used the testshib >>>> endpoint to import the settings to keycloak). I'm able to take the redirect >>>> over to idp.testshib but on logging in I get a 500 Internal Server Error >>>> from keycloak. The message is "No Assertion from response" (stack trace >>>> below). >>>> >>>> Any thoughts on what might be missing? >>>> >>>> ==== stack trace ==== >>>> http://pastebin.com/3tsApUKK >>>> >>>> ==== broker details ==== >>>> >>>> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/t... >>>> >>>> ==== provider details ==== >>>> https://www.testshib.org/metadata/testshib-providers.xml >>>> >>>> Thank you! >>>> Steve >>>> >>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>>