"XML External Entity switches are not supported. You may get XML injection
vulnerabilities." is just a warning and shouldn't have anything to do with
the issue.
Try enabling trace logging for org.keycloak and see if you get any more
details.
On 23 September 2016 at 14:52, Bill Kuntz <WKuntz(a)flvc.org> wrote:
Thanks.
When we attempt to authenticate using keycloak 2.2.0_final, we get the
following log entries on the Keycloak server:
2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default task-1) XML External Entity switches are not supported. You may get XML injection vulnerabilities.
2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService] (default task-1) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
    at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
    at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
    at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
    at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
    at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
    at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature
I have verified that the keys on the client match the server. Do the
XML External Entities have something to do with this?
Any help is appreciated.
Thanks,
Bill
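Triage of Keycloak event lines like the LOGIN_ERROR entry quoted above, as an added example (not from the thread or from the Keycloak project): it parses the key=value fields of org.keycloak.events lines and counts LOGIN_ERROR events per realm, source IP and error code, so a run of invalid_signature failures from one SP stands out from ordinary bad-password noise. The sample log is constructed around the line from the thread; the extra lines and the threshold are assumptions.

```python
import re
from collections import Counter

# Shape of a Keycloak event line: timestamp, level, category, thread, then comma-separated key=value pairs.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) WARN\s+\[org\.keycloak\.events\] "
    r"\((?P<thread>[^)]*)\) (?P<fields>.*)$"
)

# Constructed sample: the first line is the event from the thread (re-joined onto one line);
# the others are made up to show aggregation and a non-event line being skipped.
SAMPLE_LOG = [
    "2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, "
    "realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature",
    "2016-09-23 08:45:12,001 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, "
    "realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature",
    "2016-09-23 08:46:00,500 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, "
    "realmId=FLVC, clientId=ezproxy, userId=null, ipAddress=10.0.0.9, error=invalid_user_credentials",
    "2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default task-1) "
    "XML External Entity switches are not supported. You may get XML injection vulnerabilities.",
]

def parse_event(line):
    """Return the event's fields as a dict, or None if the line is not an org.keycloak.events line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = {"timestamp": m.group("ts"), "thread": m.group("thread")}
    for pair in m.group("fields").split(","):
        key, sep, value = pair.strip().partition("=")
        if sep:  # skip fragments that are not key=value
            fields[key] = None if value == "null" else value
    return fields

def summarize_login_errors(lines):
    """Count LOGIN_ERROR events per (realmId, ipAddress, error); other lines are ignored."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev.get("type") == "LOGIN_ERROR":
            counts[(ev.get("realmId"), ev.get("ipAddress"), ev.get("error"))] += 1
    return counts

def repeated_signature_failures(lines, threshold=2):
    """(realmId, ipAddress) pairs with at least `threshold` invalid_signature errors; a steady
    stream from one SP points at a key/certificate mismatch rather than a one-off bad request."""
    counts = summarize_login_errors(lines)
    return sorted({(realm, ip) for (realm, ip, err), n in counts.items()
                   if err == "invalid_signature" and n >= threshold})
```

Run it over a real server.log after re-joining any wrapped lines; the threshold is a starting point, not a tuned value.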
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Thursday, September 08, 2016 2:31 AM
*To:* Bill Kuntz
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Keycloak with EZproxy
Not sure what they mean about "authentication sequence identical to a
standard Shibboleth Identity Provider", but Keycloak is pretty configurable
so it should be possible to adapt the SAML configuration for the client to
make it work with EZProxy.
On 1 September 2016 at 17:47, Bill Kuntz <WKuntz(a)flvc.org> wrote:
Has anyone successfully used Keycloak with OCLC's EZProxy? We have been
experimenting with Keycloak, and have been able to get it working with
other SPs, but not EZProxy.
OCLC says "EZproxy supports connecting to non-Shibboleth SAML2 SSO
systems if and only if that system uses an authentication sequence
identical to a standard Shibboleth Identity Provider (IDP)."
Thanks,
Bill
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user