Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have said
up front!)
I am familiar with changing logging levels of the running service using the
jboss cli, but I don't have the ability to build and step through or set
breakpoints. (If it is possible to attach a CLI debugger to a running
instance, please let me know! I have root on the host.)
I doubt this helps, but here is the SAMLResponse from the Request posted
previously:
```
<samlp:Response Destination="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
    ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd"
    IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer...
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <dsig:Reference URI="#ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd">
        <dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:...
        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds...
        Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <dsig:DigestValue>G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A==</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:KeyName>3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc</dsig:KeyName>
      <dsig:X509Data>
        <dsig:X509Certificate>MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O</dsig:X509Certificate>
      </dsig:X509Data>
      <dsig:KeyValue>
        <dsig:RSAKeyValue>
          <dsig:Modulus>qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew==</dsig:Modulus>
          <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue>
      </dsig:KeyValue>
    </dsig:KeyInfo>
  </dsig:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046"
      IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris.byron@corp.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z"
            Recipient="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z" NotOnOrAfter="2018-07-20T23:40:35.055Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://checkmarx.corp.net</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-07-20T23:39:37.055Z"
        SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="Last name" Name="Last_Name"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">Byron</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="First name" Name="First_Name"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">Chris</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="Email" Name="Email"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">chris.byron@corp.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
```
On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin <dt(a)acutus.pro> wrote:
Hi Chris,
According to the code, an InResponseTo attribute should be added to the
response unconditionally:
https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/...
If you're familiar with debugging, could you please check if this code
point is reached? If yes, is the InResponseTo value not null?
Also, which version of Keycloak are you using?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
<https://maps.google.com/?q=Pod+lipami+street+339/52,+130+00+Prague+3,+Cze...>
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
> Good morning. I'm trying to debug an issue where my Keycloak IdP does not
> include an InResponseTo attribute in the SAMLResponse after an SP-initiated
> login. Are there certain conditions in the Request that need to be
> satisfied before it will be included? Or certain client configurations in
> Keycloak?
>
> The SAMLRequest from the SP:
> ```
> <saml2p:AuthnRequest
>     AssertionConsumerServiceURL="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
>     AttributeConsumingServiceIndex="0"
>     Destination="https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx..."
>     ID="idda5349fbbbf9483a91ec1531e52933a6"
>     IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
>     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>   <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
> </saml2p:AuthnRequest>
> ```
>
> Keycloak client configuration:
> ```
> {
>   "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
>   "clientId": "https://checkmarx.corp.net",
>   "rootUrl": "",
>   "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
>   "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
>   "surrogateAuthRequired": false,
>   "enabled": true,
>   "clientAuthenticatorType": "client-secret",
>   "redirectUris": [],
>   "webOrigins": [],
>   "notBefore": 0,
>   "bearerOnly": false,
>   "consentRequired": false,
>   "standardFlowEnabled": true,
>   "implicitFlowEnabled": false,
>   "directAccessGrantsEnabled": false,
>   "serviceAccountsEnabled": false,
>   "authorizationServicesEnabled": false,
>   "publicClient": false,
>   "frontchannelLogout": true,
>   "protocol": "saml",
>   "attributes": {
>     "saml.assertion.signature": "false",
>     "saml.force.post.binding": "true",
>     "saml.multivalued.roles": "false",
>     "saml.encrypt": "false",
>     "saml.server.signature": "true",
>     "saml_idp_initiated_sso_url_name": "checkmarx",
>     "saml.server.signature.keyinfo.ext": "false",
>     "saml.signature.algorithm": "RSA_SHA256",
>     "saml_force_name_id_format": "false",
>     "saml.client.signature": "false",
>     "saml.authnstatement": "true",
>     "saml_name_id_format": "email",
>     "saml.onetimeuse.condition": "false",
>     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
>     "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID"
>   },
>   "fullScopeAllowed": false,
>   "nodeReRegistrationTimeout": -1,
>   "useTemplateConfig": false,
>   "useTemplateScope": false,
>   "useTemplateMappers": false,
>   "access": {
>     "view": true,
>     "configure": true,
>     "manage": true
>   }
> }
> ```
>
> Thank you for any help or advice on this! Cheers,
> Chris Byron
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
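Editor's note, added to the thread above (not code from the thread, from Keycloak or from Checkmarx): the reason an SP insists on InResponseTo is that it is the only field that binds a Response to the AuthnRequest the SP actually sent; without it, any valid signed Response for the SP can be replayed into any pending login. Per the SAML 2.0 Profiles specification an unsolicited (IdP-initiated) Response must not carry InResponseTo at all, and the quoted AuthnRequest is addressed to `/protocol/saml/clients/checkmarx...`, the same name the client configuration sets in `saml_idp_initiated_sso_url_name`, so whether Keycloak is treating the login as IdP-initiated is worth checking. The example below shows the SP-side checks in Python, run first over a constructed Response with the same shape as the capture (no InResponseTo, signature omitted) and then over one that carries the request ID. The request ID, ACS URL, SP entity ID, IdP issuer and "now" are assumptions taken from values visible in the thread; signature verification is assumed to have happened before these checks and is not implemented here.

```python
"""Added example, not code from the keycloak-user thread or from Keycloak:
SP-side checks that bind a SAML Response to the outstanding AuthnRequest.
Constants are assumptions modelled on the values visible in the thread;
the Response text is constructed here with the XML Signature omitted."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed SP-side state (hypothetical values taken from the thread).
REQUEST_ID = "idda5349fbbbf9483a91ec1531e52933a6"  # ID of the AuthnRequest we sent
ACS_URL = "https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
SP_ENTITY_ID = "https://checkmarx.corp.net"
IDP_ISSUER = "https://keycloak.corp.net/auth/realms/Corp"
CAPTURE_TIME = datetime(2018, 7, 20, 23, 39, 40, tzinfo=timezone.utc)  # "now" for the sample


def _instant(value):
    """Parse a SAML UTC timestamp such as 2018-07-20T23:39:37.055Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sample_response(in_response_to=None):
    """Constructed Response modelled on the capture in the thread, signature omitted.
    With in_response_to=None it has the captured shape: no InResponseTo anywhere."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" Version="2.0"
    IssueInstant="2018-07-20T23:39:37.055Z" Destination="{ACS_URL}"{attr}>
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046" Version="2.0"
      IssueInstant="2018-07-20T23:39:37.055Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris.byron@corp.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z" Recipient="{ACS_URL}"{attr}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z" NotOnOrAfter="2018-07-20T23:40:35.055Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, request_id, acs_url, sp_entity_id, idp_issuer, now,
                   skew=timedelta(seconds=60)):
    """Return a list of problems; an empty list means the Response is bound to our
    request and valid at `now`. Assumes the XML Signature was already verified."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"not a samlp:Response: {root.tag}"]

    def in_response_to(elem, where):
        value = elem.get("InResponseTo")
        if value is None:
            # Unsolicited shape: nothing ties this Response to the login we started,
            # so any valid Response for this SP could be replayed into the session.
            problems.append(f"{where}: InResponseTo missing, cannot bind to request {request_id}")
        elif value != request_id:
            problems.append(f"{where}: InResponseTo {value!r} != outstanding request {request_id!r}")

    in_response_to(root, "Response")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS {acs_url!r}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly one Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    for where, node in (("Response", root), ("Assertion", assertion)):
        issuer = node.find("saml:Issuer", NS)
        if issuer is None or (issuer.text or "").strip() != idp_issuer:
            problems.append(f"{where} Issuer is not the expected IdP {idp_issuer!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("bearer SubjectConfirmationData missing")
    else:
        in_response_to(scd, "SubjectConfirmationData")
        if scd.get("Recipient") != acs_url:
            problems.append(f"Recipient {scd.get('Recipient')!r} != ACS {acs_url!r}")
        if scd.get("NotOnOrAfter") and now >= _instant(scd.get("NotOnOrAfter")) + skew:
            problems.append("SubjectConfirmationData NotOnOrAfter has passed")
    conds = assertion.find("saml:Conditions", NS)
    if conds is None:
        problems.append("Conditions missing")
    else:
        if conds.get("NotBefore") and now < _instant(conds.get("NotBefore")) - skew:
            problems.append("Conditions NotBefore is in the future")
        if conds.get("NotOnOrAfter") and now >= _instant(conds.get("NotOnOrAfter")) + skew:
            problems.append("Conditions NotOnOrAfter has passed")
        audiences = [(a.text or "").strip()
                     for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"Audience {audiences} does not include {sp_entity_id!r}")
    return problems


if __name__ == "__main__":
    for label, xml in (("as captured (no InResponseTo)", sample_response()),
                       ("correlated", sample_response(REQUEST_ID))):
        found = check_response(xml, REQUEST_ID, ACS_URL, SP_ENTITY_ID, IDP_ISSUER, CAPTURE_TIME)
        print(f"{label}: {found or 'OK'}")
```

Run stand-alone it reports the two missing InResponseTo attributes (on the Response and on the bearer SubjectConfirmationData) for the captured shape and nothing for the correlated one. The order matters in a real ACS endpoint: verify the XMLDSig over the Response or Assertion first, then these binding checks, and only then consume the NameID and attributes; the request-ID lookup should also delete the stored ID so the same Response cannot be presented twice.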