2:49 p.m.
Hi Craig,
On Thu, 2018-10-11 at 15:36 -0500, Craig Setera wrote:
I'm attempting to set up a test of identity brokering all within
a single
Keycloak server. I have two realms set up. The "saml-demo" realm is set
up with a SAML client. I've exported the SAML definition from that client
and imported it into the Identity Brokering for the second realm.
In the brokering scenario, your webapp should remain the client of the saml-demo realm,
and this realm itself should become a client of another realm. This is how brokering
actually works.
Let's assume there are realms "foo" and "bar", and the former
should broker to the latter. The exact steps are:
1. Go to "foo" realm -> Identity Providers -> add SAML 2.0 provider;
2. Scroll down to "Import from URL", enter the following:
http://<your-keycloak-host>:<port>/auth/realms/bar/protocol/saml/descriptor
(replace "bar" with the actual name of your second realm)
3. Go to Export tab, save EntityDescriptor XML;
4. Go to "bar" realm -> Clients, create one, import the XML from the previous
step, provide some meaningful name;
5. Create some users in "bar".
After that, try accessing your SAML client. You'll be presented with the Keycloak
login screen where you'll be able to either authenticate against
"saml-demo", or to choose another realm.
Some notes:
- you can avoid first login screen and redirect automatically to the second realm, using
custom authentication flow with IDP redirector + flow override at the client level;
- upon the first brokered login, the user will be presented with the Update account
details screen. If you want to bypass that, you can enable identity auto-linking.
It's out of the box in KC 4.5.0, thx to excellent work by Ryan Slominski:
https://issues.jboss.org/browse/KEYCLOAK-7270
For KC <4.5.0, you can use this: https://github.com/ohioit/keycloak-link-idp-with-user
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
Unfortunately, I can't seem to get to the login page of the
"saml-demo"
when navigating from the second realm. When I click on the identity broker
realm link, I'm seeing the following in the logs:
keycloak_1 | Caused by: java.security.SignatureException: Signature length
not correct: got 256 but was expecting 128
keycloak_1 | at
sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)
keycloak_1 | at
java.security.Signature$Delegate.engineVerify(Signature.java:1222)
keycloak_1 | at java.security.Signature.verify(Signature.java:655)
keycloak_1 | at
org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:236)
I've turned up logging for all of the Keycloak SAML functionality as well
as for java.security. However, I'm struggling to figure out where the
mismatch is located in the configuration and not quite sure where to even
look.
Can anyone offer suggestions on how to go about setting this up or
troubleshooting what I'm doing?
Thanks,
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user