destination is validated to be the same URL the SAML request was posted
to. This is a security check to protect against replay attacks.
On 8/25/17 5:53 AM, Jonas Weismueller wrote:
Hi,
any further information needed? I would like to get KC <-> Azure AD to
be connected. Otherwise we are sadly being obliged to look after another
IdP solution :(
Cheers Jonas
On 22.08.17 14:27, Jonas Weismueller wrote:
> Hi,
>
> we configured AzureAD to use our keycloak instance, like this:
>
>
>
> $cer="$our_cert_string"
>
> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>
> $dom="test.domain.cloud"
>
> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated
> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>
>
>
> When I now try to login on the azure portal, I get successfully
> redirected
> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
> I get the following error from keycloak:
>
> 2017-08-22 11:49:47,735 DEBUG
> [org.hibernate.internal.util.EntityPrinter] (default task-3)
> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
> sessionId=null, time=1503402587482, error=invalid_authn_request,
> type=LOGIN_ERROR, userId=null,
> detailsJson={"reason":"invalid_destination"}}
>
>
>
> The SAML AuthnRequest sent by M$ looks as follows:
>
> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
> (default task-3) <samlp:AuthnRequest
> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
> IssueInstant="2017-08-22T11:47:46.793Z"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><samlp:NameIDPolicy
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
>
>
>
> What we can see, is that the destination (optional?) attribute is
> missing.
> See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>
>
>
> Why is keycloak doing some strict checking about the optional
> destination parameter?
>
>
>
> Cheers Jonas
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
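The Destination check the reply at the top describes, shown as an added example in Python. This is an illustration of the rule, not Keycloak's code: it parses an AuthnRequest, answers invalid_destination when the Destination attribute is absent or differs from the endpoint the request was received at, and accepts only an exact match. The endpoint URL and the AuthnRequest body are copied from the thread; the helper `with_destination`, the function names and the exact result strings are my own assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# The IdP endpoint from the thread: the URL the AuthnRequest was posted to.
SAML_ENDPOINT = "https://keycloak.internal/auth/realms/azure/protocol/saml"

# Copy of the AuthnRequest Azure AD sent (from the thread). It carries no
# Destination attribute, which is what triggers the rejection.
AZURE_REQUEST = (
    '<samlp:AuthnRequest ID="_2a11cf45-197e-4410-807b-c407548c250b" '
    'Version="2.0" IssueInstant="2017-08-22T11:47:46.793Z" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    'urn:federation:MicrosoftOnline</Issuer>'
    '<samlp:NameIDPolicy '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>'
    '</samlp:AuthnRequest>'
)


def check_destination(authn_request_xml: str, received_at: str) -> tuple:
    """Return (accepted, reason) for an AuthnRequest received at `received_at`.

    Reason strings are illustrative (assumption), chosen to mirror the
    error names that appear in the Keycloak log lines quoted in the thread.
    """
    try:
        root = ET.fromstring(authn_request_xml)
    except ET.ParseError:
        return False, "invalid_authn_request"
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        return False, "invalid_authn_request"

    destination = root.get("Destination")
    # A request bound to no endpoint can be replayed at any endpoint, so an
    # absent Destination is treated exactly like a mismatching one.
    if destination is None:
        return False, "invalid_destination"
    # Exact comparison of the absolute URL; no normalisation, so a request
    # addressed to a different host, scheme or path is refused.
    if destination != received_at:
        return False, "invalid_destination"
    return True, "ok"


def with_destination(authn_request_xml: str, destination: str) -> str:
    """Helper (assumption): return the request with a Destination attribute set."""
    root = ET.fromstring(authn_request_xml)
    root.set("Destination", destination)
    return ET.tostring(root, encoding="unicode")


def issuer_of(authn_request_xml: str) -> str:
    """Return the Issuer text, useful when logging a rejected request."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find("{%s}Issuer" % SAML_NS)
    return issuer.text if issuer is not None else ""


if __name__ == "__main__":
    cases = {
        "as sent by Azure AD (no Destination)": AZURE_REQUEST,
        "Destination matches endpoint": with_destination(AZURE_REQUEST, SAML_ENDPOINT),
        "Destination is another host": with_destination(
            AZURE_REQUEST, "https://other.example/auth/realms/azure/protocol/saml"),
    }
    for label, request in cases.items():
        accepted, reason = check_destination(request, SAML_ENDPOINT)
        print(f"{label}: issuer={issuer_of(request)} accepted={accepted} reason={reason}")
```

The first case reproduces the `invalid_destination` event from the thread: the request is well formed and the issuer is `urn:federation:MicrosoftOnline`, but with no Destination the IdP cannot tell that this request was meant for this endpoint, so a strict check has no basis on which to accept it.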