Hi,
This was a mismatch in the entityID.
Thanks a lot.
regards,
Olivier
On 28/05/2019 at 22:17, John Dennis wrote:
On 5/28/19 2:01 PM, Olivier Rivat wrote:
> Hi,
>
> I am using Keycloak 6.0.1 and trying to connect to an external IDP using
> SAML V2.
> The setup was working last year with Keycloak 3.4.3.
>
> I am able to authenticate against the IDP, and I can see the SAML packet
> returned using the SAML tracer.
> I haven't seen any discrepancy.
>
>
> But on keycloak, I obtain the message
>
> We're sorry,
> Login timeout
>
> with the following trace
>
> 19:52:23,399 INFO [org.keycloak.saml.validators.ConditionsValidator]
> (default task-3) Assertion id18815101930494101523411623 is not addressed
> to this SP.
Have you validated the entityId of your configured realm in Keycloak
and the entityId configured in the remote IdP are *identical*? That is
the likely cause of "not addressed to this SP" error message.
> 19:52:23,399 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default
> task-3) Assertion expired.
Have you checked the timestamps in the Assertion? Have you checked
both servers are time synced and agree on the time?
> 19:52:23,400 WARN [org.keycloak.events] (default task-3)
> type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=demo, clientId=null,
> userId=null, ipAddress=127.0.0.1, error=invalid_saml_response
>
> I've just visited the code of ConditionsValidator.java, where the
> warning is issued, but cannot figure out what could be wrong.
>
> Any idea of what could be causing such an issue?
>
>
> Regards,
>
> Olivier Rivat
>
>
>
--
Olivier Rivat
CTO
orivat(a)janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
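
The two checks suggested in the reply above (audience versus SP entityID, and the validity window versus the server clock) can be run offline against an assertion captured with SAML tracer. This is an added example, not part of the thread and not Keycloak's code; the sample assertion, the `sp.example.test` URLs, the function names and the exact-string comparison are assumptions, and the script does not verify signatures.

```python
# Added diagnostic example; the assertion below is constructed sample data.
import xml.etree.ElementTree as ET  # for untrusted XML, prefer the defusedxml package
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the audience has a trailing slash that the SP entityID lacks.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed-1">
  <saml:Conditions NotBefore="2019-05-28T19:50:00Z" NotOnOrAfter="2019-05-28T19:55:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/auth/realms/demo/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(value):
    # SAML timestamps are UTC xs:dateTime values, optionally with fractional seconds.
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_conditions(xml_text, sp_entity_id, now, skew_seconds=0):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    cond = ET.fromstring(xml_text).find(".//saml:Conditions", NS)
    if cond is None:
        return ["no <Conditions> element found"]
    audiences = [a.text.strip() for a in cond.findall(".//saml:Audience", NS) if a.text]
    # Assumption: exact string match, since the reply asks for *identical* values
    # (case, scheme and trailing slash all count).
    if audiences and sp_entity_id not in audiences:
        findings.append(f"audience mismatch: SP={sp_entity_id!r} assertion={audiences!r}")
    skew = timedelta(seconds=skew_seconds)
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_ts(nb):
        findings.append(f"not yet valid: NotBefore={nb} now={now.isoformat()}")
    if noa and now - skew >= parse_ts(noa):
        findings.append(f"expired: NotOnOrAfter={noa} now={now.isoformat()}")
    return findings

if __name__ == "__main__":
    # Constructed clock value; in practice pass datetime.now(timezone.utc) from the SP host.
    now = datetime(2019, 5, 28, 19, 52, 23, tzinfo=timezone.utc)
    for line in check_conditions(SAMPLE, "https://sp.example.test/auth/realms/demo", now):
        print(line)
```

Run it on the SP host so that `now` reflects the clock the SP actually uses; a finding of "expired" or "not yet valid" there while the IdP considers the assertion fresh points at time sync.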