Hello,
I am sorry, but I am resending this because I have been ignored for the third time now and I just
can't figure out what to do.
If you cannot help me on this one, please give me a step-by-step explanation of how to
configure an application as a service provider to authenticate against an external SAML
IdP (with the Keycloak IdP broker), since I cannot figure it out from the latest
documentation.
Thank you,
Manuel
From: Manuel Waltschek
Sent: Friday, 07 December 2018 17:34
To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
Subject: Wrong AssertionConsumerServiceURL in AuthnRequest of IdP broker
Hello there,
I am trying to configure my Keycloak server to act as an IdP broker for the samltest.id IdP
(external IdP), and I want my application to authenticate against this external IdP.
I imported the IdP metadata of samltest into my IdP settings and exported the following SP
descriptor into the samltest IdP:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp">
  <SPSSODescriptor AuthnRequestsSigned="true"
                   WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
    <KeyDescriptor use="signing">
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:KeyName>Ovdow5dx1a_BxPju-WIV7_-LKmhBPUDGXMKEPsXoDYY</dsig:KeyName>
        <dsig:X509Data>
          <dsig:X509Certificate>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</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol"
                              index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
Here "vde-tirol" is the client ID configured in my client, and the ACS URL is
the one I configured in the Fine Grain SAML Endpoint Configuration of my client.
After I try to access a protected resource, I get redirected to a page of samltest telling
me that something went wrong, and I detected that the AuthnRequest sent from my IdP broker
did not have the ACS URL
http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-...
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint"
                    Destination="https://samltest.id/idp/profile/SAML2/POST/SSO"
                    ForceAuthn="false" ID="ID_86bcd6f8-2a66-4151-bfa1-35ad5cf5550b"
                    IsPassive="false" IssueInstant="2018-12-07T16:08:26.742Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8180/auth/realms/prisma-keycloak-saml-idp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
                      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>
I get the following error from OpenSAML:
Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither
candidate endpoint location
'localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol'
nor response location 'null' matched
'http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint'
Do you have a clue what went wrong? Is this intended behaviour, that the
AssertionConsumerServiceURL in the AuthnRequest does not match?
Thank you in advance,
Manuel Waltschek
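The failure reported in the thread is the IdP's endpoint resolver refusing to deliver an assertion to an AssertionConsumerServiceURL that the SP never registered in its metadata. That check is what stops a tampered or attacker-supplied AuthnRequest from redirecting assertions to a URL of the attacker's choosing, so an IdP is right to fail closed here. The following is an added example written for this page; it is not code from the original post, from Keycloak or from OpenSAML. It reproduces that resolution step offline on constructed copies of the two XML documents quoted above (certificate and some attributes omitted), so the mismatch can be detected before the request ever reaches samltest.id. The URL normalisation in normalize_url is an assumption for illustration, not OpenSAML's exact comparator.

```python
"""Check a SAML AuthnRequest's AssertionConsumerServiceURL against the ACS
endpoints declared in the SP's metadata, the way a strict IdP endpoint
resolver does before it will POST an assertion anywhere."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample input: the SP descriptor from the post, certificate omitted.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol"
        index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample input: the AuthnRequest from the post, Issuer/NameIDPolicy omitted.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint"
    Destination="https://samltest.id/idp/profile/SAML2/POST/SSO"
    ID="ID_86bcd6f8-2a66-4151-bfa1-35ad5cf5550b"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"/>"""


def normalize_url(url):
    """Canonical (scheme, host, port, path) so that letter case in the host or
    an explicit default port does not cause a false mismatch.  This rule is an
    assumption for illustration; real resolvers may be stricter or looser."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, (parts.hostname or "").lower(), port, parts.path or "/"


def declared_acs_endpoints(metadata_xml):
    """Return [(binding, location, index, is_default)] from the SPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    out = []
    for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        out.append((acs.get("Binding"), acs.get("Location"),
                    int(acs.get("index", "0")),
                    acs.get("isDefault", "false").lower() == "true"))
    return out


def resolve_acs(metadata_xml, authn_request_xml):
    """Pick the ACS endpoint an IdP would send the Response to, or None if the
    request's ACS URL/binding is not among the SP's registered endpoints."""
    req = ET.fromstring(authn_request_xml)
    acs_url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    index = req.get("AssertionConsumerServiceIndex")
    endpoints = declared_acs_endpoints(metadata_xml)

    if index is not None:  # request selects an endpoint by index, not by URL
        for b, loc, idx, _ in endpoints:
            if idx == int(index):
                return b, loc
        return None
    if acs_url is None:  # no URL given: the IdP falls back to the default endpoint
        for b, loc, _, is_default in endpoints:
            if is_default:
                return b, loc
        return endpoints[0][:2] if endpoints else None
    # URL given: it must equal a registered Location (and binding, if one is stated)
    for b, loc, _, _ in endpoints:
        if normalize_url(loc) == normalize_url(acs_url) and binding in (None, b):
            return b, loc
    return None


if __name__ == "__main__":
    result = resolve_acs(SP_METADATA, AUTHN_REQUEST)
    print("resolved:" if result else "REJECTED: ACS URL not in SP metadata", result)
```

Run as-is, the block rejects the request from the post, because `.../endpoint` is not a registered AssertionConsumerService Location; only `.../endpoint/clients/vde-tirol` is. Either the AuthnRequest must carry the registered URL, or the SP metadata given to the IdP must list the URL the broker actually sends, or the request can select the endpoint by AssertionConsumerServiceIndex instead of by URL.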