OK... figured it out. Turns out if I'm using an IdP-initiated flow
(i.e. hitting the Keycloak URL for that SAML client), then that field
is blank.
I've got the docs[1] on how to configure this flow. Thanks for being
my rubber duck, keycloak-user list.
[1]
Hi all,
I'm trying to drop into a SAML 2.0 brokered flow, and I can't seem to
get Keycloak to kick it off right. Here's what I'm doing:
1) Setting up a third-party IDP as an Identity Provider by importing
SAML 2.0 metadata.
2) Attempting a standard login flow against a client, then clicking
the newly added identity provider on the login screen.
3) Watch as Keycloak gives me an "Invalid Request" error message.
After looking under the hood, I can see that it's fussing about not
having a ClientID:
[2018-10-24 20:12:41,591+0000] DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-61) Invalid request. Authorization code, clientId or tabId was null. Code=IugzCrTYU0xfZ_sLF1prPRTZC5WsR9-F3HrDyCUegLE, clientId=null, tabID=vPZ0M6-0eao
I also just attempted with a GitHub provider, and encountered the same
issue. Not sure what's going on, as the IdentityProviderBean doesn't
use the clientId (as I'd imagine it shouldn't?) when constructing the
provider URLs, so it seems strange that it would be required:
String loginUrl = Urls.identityProviderAuthnRequest(baseURI,
identityProvider.getAlias(), realm.getName()).toString();
Sooo... can someone help me figure out what I'm doing wrong here? I'm
guessing user error is the problem here (otherwise, a lot of brokering
would be busted). Thanks!