Re: [keycloak-user] Problem using SAML IdP

Our brokering doesn't support temporary user ids from the "parent" IDP. Transient Ids in SAML or temporary ids. On 12/22/2015 11:46 AM, Jérôme Blanchard wrote: > Hi, > > I'm trying to integrate keycloak into a the french research federation > of identity (renater) and I'm facing some problems. > Actually, when IdP respond to keycloak i'm getting the following error : > PL00084: Writer: Unsupported Attribute > Value:org.keycloak.dom.saml.v2.assertion.NameIDType > > It seems that this IdP is using transient NameID policy only and using > the unspecified field in the idp config in keycloak generate this > exception as a return. > > Log of the keycloak server is joined. > > I have no idea of what happening because when I was using the test > federation, everything was working but no I'm in the production > federation, login fails. > > The renater federation is using Shibolleth and keycloak is not supported > by federation moderators so I'm alone in the dark now... > > Renater provides an IdP list that I have to parse and synchronized with > IdP in keycloak. As a return I provide a list of all endpoints for each > keycloak registered IdP to allow federation IdP to answear correctly to > the right endpoint. All of this is done by a small web app deployed > aside keycloak and using REST API to synchronize all the IdP. > > One of the IdP entity descriptor is joined. As you can see, only > transient nameid policy is supported and if I configure keycloak to use > email or persistent, I received a response saying that the nameid is not > supported : > > <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" > AssertionConsumerServiceURL=" https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa... " > Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO" > ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" > IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z" > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" > Version="2.0"><saml:Issuer > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> https://demo-auth.ortolang.fr/auth/realms/ortolang </saml:Issuer><samlp:NameIDPolicy > AllowCreate="true" > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></samlp:AuthnRequest> > > > <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > Destination=" https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa... " > ID="_9d03761957aade819b6823c35bbab278" > InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" > IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0"><saml2:Issuer > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://janus.cnrs.fr/idp</saml2:Issuer><saml2p:Status><sa... > Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><saml2p:StatusCode > Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></saml2p:StatusCode><saml2p:StatusMessage>Required > NameID format not > supported</saml2p:StatusMessage></saml2p:Status></saml2p:Response> > > > Any help would be gracefully appreciated. > > Thanks a lot, Jérôme. > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user