Thanks for the info, Luis. I was getting this error when using Azure's 'Test SAML Settings' tool. Apparently when testing that way the attributes you mentioned are omitted from the SAML response. If I follow a normal login flow it works.

However, I'm unable to get single sign-out to work. If I turn on backchannel logout, then when I sign out from Keycloak I'm not signed out from Azure. If I turn this off, Keycloak sends a SAML request on logout, but Azure complains that it is invalid. Azure's documentation says that the sign-out URL should be configured as 'https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0'. If I hit this URL manually I do get signed out of Azure, but if I specify that URL as the 'Single Logout Service URL' in the identity provider setup, Keycloak seems to ignore it. The behavior is the same with or without that setting: Keycloak does not redirect to that URL.
David
On May 16, 2018, at 04:00, Luis Rodríguez Fernández <uo67113(a)gmail.com> wrote:
Hello David,
In your <samlp:Response> I am missing a couple of attributes:
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"
Probably the "consent" one is not causing the issue, but "inresponseto" contains the id of the AuthRequest sent by keycloak, and maybe keycloak wants to verify it. My setup is keycloak SP and ADFS2 IdP (very similar to yours BTW). You can have a look here at one of the ADFS2 responses:
https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
Hope it helps,
Luis
2018-05-16 3:06 GMT+02:00 Lynxlogic <info(a)lynxlogic.com>:
> I'm trying to set up SAML SSO between Azure AD and Keycloak. On the
> redirect back after auth, Keycloak is failing to process the response and
> generates an internal server error:
>
> 00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
> at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
> at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
> ...
> Caused by: java.lang.NullPointerException
> at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
> at java.util.regex.Matcher.reset(Matcher.java:309)
> at java.util.regex.Matcher.<init>(Matcher.java:229)
> at java.util.regex.Pattern.matcher(Pattern.java:1093)
> at java.util.regex.Pattern.split(Pattern.java:1206)
> at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
> at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
> at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
> ... 63 more
>
> I've posted the SAML response at https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf.
>
> The stack trace indicates it's failing at IdentityBrokerService.parseEncodedSessionCode().
> I’ve tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point
> me in the right direction to solve this?
>
> Thanks,
> David
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
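The check Luis points at, the SP correlating the Response's InResponseTo with an AuthnRequest it actually issued, is easy to state and worth seeing in code. The example below is added here and is not Keycloak's implementation; the XML, the request ID "ID_req-0001" and the example.test hostnames are constructed placeholders, not the values from the gists in this thread. It treats the case David describes, a response with the attribute omitted (as from Azure's "Test SAML Settings" tool), as an explicit policy decision on unsolicited (IdP-initiated) responses rather than something that surfaces as an uncaught error, and it consumes each request ID so a replayed Response is rejected.

```python
"""SP-side InResponseTo validation for a SAML 2.0 Response (added example,
not Keycloak code). Demonstrates: (1) correlating the Response with an
outstanding AuthnRequest, (2) an explicit policy for responses that carry no
InResponseTo at all, and (3) one-time use of request IDs against replay."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample response; IDs, hostnames and timestamps are placeholders.
SOLICITED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2018-05-16T00:27:00Z"
    Destination="https://sp.example.test/broker/azure/endpoint"
    InResponseTo="ID_req-0001"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-05-16T00:27:00Z">
    <saml:Subject>
      <saml:NameID>user@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="ID_req-0001"
            Recipient="https://sp.example.test/broker/azure/endpoint"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same document with both InResponseTo attributes stripped: the shape of an
# IdP-initiated (unsolicited) response, which is what a "test" login from the
# IdP side produces.
UNSOLICITED_RESPONSE = SOLICITED_RESPONSE.replace('InResponseTo="ID_req-0001"', "")


def check_in_response_to(response_xml, outstanding_ids, allow_unsolicited=False):
    """Return (accepted, reason).

    outstanding_ids: set of AuthnRequest IDs this SP issued and has not yet seen
    answered. A matching ID is removed from the set so a replayed Response fails.
    allow_unsolicited: whether a Response without InResponseTo is acceptable
    (IdP-initiated SSO). Off by default: an SP that did not ask should not accept.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if allow_unsolicited:
            return True, "unsolicited (IdP-initiated) response accepted by policy"
        return False, "missing InResponseTo: unsolicited responses are disabled"

    if in_response_to not in outstanding_ids:
        return False, f"InResponseTo {in_response_to!r} matches no outstanding AuthnRequest"

    # The bearer SubjectConfirmationData, when present, must agree with the
    # Response-level value; a disagreement means the assertion was not minted
    # for this exchange even if the outer envelope was.
    for scd in root.iter(f"{{{SAML}}}SubjectConfirmationData"):
        scd_ref = scd.get("InResponseTo")
        if scd_ref is not None and scd_ref != in_response_to:
            return False, "SubjectConfirmationData/@InResponseTo disagrees with Response/@InResponseTo"

    outstanding_ids.discard(in_response_to)  # one-time use: blocks replay
    return True, "InResponseTo correlated with an outstanding AuthnRequest"


if __name__ == "__main__":
    pending = {"ID_req-0001"}
    print(check_in_response_to(SOLICITED_RESPONSE, pending))      # accepted
    print(check_in_response_to(SOLICITED_RESPONSE, pending))      # replay, rejected
    print(check_in_response_to(UNSOLICITED_RESPONSE, pending))    # rejected by policy
    print(check_in_response_to(UNSOLICITED_RESPONSE, pending, allow_unsolicited=True))
```

The outstanding-ID set stands in for whatever per-session state the SP keeps between sending the AuthnRequest and receiving the Response; the point is that the decision for a missing InResponseTo is taken deliberately, logged with a reason, and never left to a null dereference.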