Re: [keycloak-user] SAML not be able to proceed SP assertion

On 5/28/19 2:01 PM, Olivier Rivat wrote: > Hi, > > I am using Keycloak 6.0.1 and trying to connect to an external IDP using > SAML V2. > The steup has been working laster year with leycloak 3.4.3 > > I am able to authenticate against the IDP, and I can see teh SAM packet > returned using teh SAML tracer. > I haven't seen any dispcrency. > > > But on keycloak, I obtain the message > > We're sorry, > Login timeout > > with the following trace > > 19:52:23,399 INFO [org.keycloak.saml.validators.ConditionsValidator] > (default task-3) Assertion id18815101930494101523411623 is not addressed > to this SP. Have you validated the entityId of your configured realm in Keycloak and the entityId configured in the remote IdP are *identical*? That is the likely cause of "not addressed to this SP" error message. > 19:52:23,399 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default > task-3) Assertion expired. Have you checked the timestamps in the Assertion? Have you checked both servers are time synced and agree on the time? > 19:52:23,400 WARN  [org.keycloak.events] (default task-3) > type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=demo, clientId=null, > userId=null, ipAddress=127.0.0.1, error=invalid_saml_response > > I've just visited the code of ConditionsValidator.java, where the > warning is issued, but cannot figure out what could be wrong. > > Any idea of waht could be causing such an issue ? > > > Regards, > > Olivier Rivat > > >