Thanks, Dmitry. That said, as soon as I verified that SP-initiated was
working, the opposite failure started! After doing an SP-init login, I can
no longer perform IdP-init login because it sends the InResponseTo
attribute when it should not!
When I first log in to Keycloak I can do IdP-initiated login. If I log out
of the service I can also do SP-initiated. But after doing a successful
SP-initiated login, the Keycloak server seems to remember the SAMLRequest
ID and sends it for each subsequent IdP initiated login, that is, when I
use `/{realm}/protocol/saml/clients/checkmarx`.
This persists until I log out of Keycloak. I assume it's something obvious,
but any help would be appreciated.
Cheers,
Chris
On Mon, Jul 23, 2018 at 4:00 PM Dmitry Telegin <dt(a)acutus.pro> wrote:
On Mon, 2018-07-23 at 15:22 -0700, Chris Byron wrote:
That's a bit too advanced for me. After a few hours spent trying to learn
how to do remote debugging, I returned to code examination, and found the
problem!
Glad you've found the answer, and sorry for having misled you.
Nevertheless, remote debugging is a must-have skill, I hope one day you'll
make use of it and remember this day :)
I was sending the SAMLRequest to the IdP initiated URL. So
Keycloak ignored the SAMLRequest in the URL and treated it like an IdP
initiated login. I should have been sending to /{realm}/protocol/saml, not
/{realm}/protocol/saml/clients/checkmarx .
My bad, it was easy to overlook the suspicious Destination="..." in all
that XML. As the doc says, "SAML tends to be *a bit* more verbose than
OIDC." (is that "a bit" an irony?) :-D
Cheers and good luck with Keycloak,
Dmitry
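Two things surface in this exchange that a service provider has to get right: the AuthnRequest must go to the IdP's SSO endpoint rather than the IdP-initiated URL, and the SP must decide what to do with a response whose InResponseTo is absent (IdP-initiated) or does not match an outstanding request (stale or replayed). The following is an example added for this page, not Keycloak's or Checkmarx's code. It assumes an SP that records every AuthnRequest ID it issues, accepts unsolicited responses only when configured to, and has already verified the XML signature before calling `validate_response()`. The endpoints, hostnames and IDs are the ones quoted in the thread; the sample messages are constructed and unsigned.

```python
"""SP-side checks for the SP-initiated and IdP-initiated flows discussed above.

Example code added for this page; it is not Keycloak or Checkmarx code.
Assumptions: the SP records every AuthnRequest ID it issues, accepts
unsolicited (IdP-initiated) responses only when configured to, and has
already verified the XML signature before calling validate_response().
Hostnames, endpoints and IDs are the ones quoted in the thread; the sample
messages are constructed and unsigned.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

IDP_SSO_URL = "https://keycloak.corp.net/auth/realms/Corp/protocol/saml"
IDP_INITIATED_URL = IDP_SSO_URL + "/clients/checkmarx"
ACS_URL = "https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
REQUEST_ID = "idda5349fbbbf9483a91ec1531e52933a6"  # ID of the posted AuthnRequest


def check_request_destination(authn_request_xml: str) -> Tuple[bool, str]:
    """An SP-initiated AuthnRequest must target the IdP's SSO endpoint.
    Posting it to the IdP-initiated URL makes Keycloak ignore SAMLRequest and
    answer as for an IdP-initiated login, i.e. without InResponseTo."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "not an AuthnRequest"
    dest = root.get("Destination")
    if dest == IDP_INITIATED_URL:
        return False, "Destination is the IdP-initiated URL; use the SSO endpoint"
    if dest != IDP_SSO_URL:
        return False, f"unexpected Destination {dest!r}"
    return True, "ok"


class ServiceProvider:
    def __init__(self, allow_unsolicited: bool) -> None:
        self.allow_unsolicited = allow_unsolicited
        self.outstanding: Set[str] = set()  # request IDs still awaiting a response

    def issue_request_id(self, request_id: str) -> None:
        self.outstanding.add(request_id)

    def validate_response(self, response_xml: str) -> Tuple[bool, str]:
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not a Response"
        if root.get("Destination") != ACS_URL:
            return False, "Destination is not our ACS URL"
        irt = root.get("InResponseTo")
        # The bearer SubjectConfirmationData carries its own InResponseTo; it must agree.
        scd = root.find(f".//{{{SAML}}}SubjectConfirmationData")
        scd_irt = scd.get("InResponseTo") if scd is not None else None
        if scd_irt is not None and scd_irt != irt:
            return False, "SubjectConfirmationData InResponseTo disagrees with Response"
        if irt is None:  # unsolicited: only valid for IdP-initiated SSO
            if not self.allow_unsolicited:
                return False, "unsolicited response rejected"
            return True, "idp-initiated login accepted"
        if irt not in self.outstanding:  # unknown, replayed, or left over from an earlier login
            return False, f"InResponseTo {irt!r} is unknown or already used"
        self.outstanding.discard(irt)  # one response per request
        return True, "sp-initiated login accepted"


def make_request(destination: str) -> str:
    """Constructed AuthnRequest shaped like the one posted in the thread."""
    return (f'<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}" '
            f'AssertionConsumerServiceURL="{ACS_URL}" Destination="{destination}" '
            f'ID="{REQUEST_ID}" Version="2.0">'
            '<saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer></saml2p:AuthnRequest>')


def make_response(irt: Optional[str], scd_irt: Optional[str] = None) -> str:
    """Constructed, unsigned Response; irt=None models an IdP-initiated login."""
    scd_irt = irt if scd_irt is None else scd_irt
    r_attr = f' InResponseTo="{irt}"' if irt else ""
    s_attr = f' InResponseTo="{scd_irt}"' if scd_irt else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'Destination="{ACS_URL}" ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" '
            f'Version="2.0"{r_attr}>'
            '<samlp:Status><samlp:StatusCode '
            'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '<saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046" Version="2.0">'
            '<saml:Subject><saml:NameID>chris.byron@corp.com</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{ACS_URL}"{s_attr}/>'
            '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    print(check_request_destination(make_request(IDP_INITIATED_URL)))
    sp = ServiceProvider(allow_unsolicited=True)
    sp.issue_request_id(REQUEST_ID)
    print(sp.validate_response(make_response(REQUEST_ID)))   # SP-initiated: accepted
    print(sp.validate_response(make_response(REQUEST_ID)))   # same ID again: rejected
    print(sp.validate_response(make_response(None)))         # IdP-initiated: accepted
```

The one-time-use rule on request IDs is what makes the symptom Chris reports at the top of the thread visible: if the IdP keeps attaching an InResponseTo from an earlier login to later IdP-initiated responses, an SP that has already consumed that ID will reject them, which is the right behaviour for a bearer assertion, since the same check is what stops a captured response from being replayed into a fresh session.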
On Mon, Jul 23, 2018 at 9:53 AM Dmitry Telegin <dt(a)acutus.pro> wrote:
On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote:
> Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have
> said up front!)
First and foremost, could you please try latest Keycloak (4.1.0)? Maybe
not upgrading your main instance, but rather installing in parallel. There
have been some changes to the SAML subsystem since 3.4.X.
> I am familiar with changing logging levels of the running service using
> the jboss cli, but I don't have the ability to build and step through or
> set breakpoints. (If it is possible to attach a CLI debugger to a running
> instance, please let me know! I have root on the host.)
Yes, this is possible - just rerun Keycloak with the "--debug" option, it
will open a listener on port 8787 (use "--debug <port>" to override).
Then forward this port to your box via SSH and use your favorite IDE
to attach debugger to localhost:8787 using dt_socket transport (it could be
also called "SocketAttach connector"). Also, obviously, you'll need to
check out the source tree.
Basically, you'll need to determine which code path Keycloak takes to
generate the response, and, after that, try to understand why the attribute
is omitted.
Good luck!
Dmitry
>
> I doubt this helps, but here is the SAMLResponse from the Request posted
> previously:
> ```
> <samlp:Response Destination="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
>     ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd"
>     IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>   <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
>   <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>     <dsig:SignedInfo>
>       <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>       <dsig:Reference URI="#ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd">
>         <dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:... Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds... Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>         <dsig:DigestValue>G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y=</dsig:DigestValue>
>       </dsig:Reference>
>     </dsig:SignedInfo>
>     <dsig:SignatureValue>VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A==</dsig:SignatureValue>
>     <dsig:KeyInfo>
>       <dsig:KeyName>3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc</dsig:KeyName>
>       <dsig:X509Data>
>         <dsig:X509Certificate>MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O</dsig:X509Certificate>
>       </dsig:X509Data>
>       <dsig:KeyValue>
>         <dsig:RSAKeyValue>
>           <dsig:Modulus>qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew==</dsig:Modulus>
>           <dsig:Exponent>AQAB</dsig:Exponent>
>         </dsig:RSAKeyValue>
>       </dsig:KeyValue>
>     </dsig:KeyInfo>
>   </dsig:Signature>
>   <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
>   <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046"
>       IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
>       xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>     <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
>     <saml:Subject>
>       <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris.byron@corp.com</saml:NameID>
>       <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z"
>             Recipient="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"/>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>     <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z" NotOnOrAfter="2018-07-20T23:40:35.055Z">
>       <saml:AudienceRestriction>
>         <saml:Audience>https://checkmarx.corp.net</saml:Audience>
>       </saml:AudienceRestriction>
>     </saml:Conditions>
>     <saml:AuthnStatement AuthnInstant="2018-07-20T23:39:37.055Z"
>         SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25">
>       <saml:AuthnContext>
>         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
>       </saml:AuthnContext>
>     </saml:AuthnStatement>
>     <saml:AttributeStatement>
>       <saml:Attribute FriendlyName="Last name" Name="Last_Name"
>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>             xsi:type="xs:string">Byron</saml:AttributeValue>
>       </saml:Attribute>
>       <saml:Attribute FriendlyName="First name" Name="First_Name"
>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>             xsi:type="xs:string">Chris</saml:AttributeValue>
>       </saml:Attribute>
>       <saml:Attribute FriendlyName="Email" Name="Email"
>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>             xsi:type="xs:string">chris.byron@corp.com</saml:AttributeValue>
>       </saml:Attribute>
>     </saml:AttributeStatement>
>   </saml:Assertion>
> </samlp:Response>
> ```
>
> > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin <dt(a)acutus.pro> wrote:
> > Hi Chris,
> >
> > According to the code, an InResponseTo attribute should be added to
> > the response unconditionally:
> >
> > https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/...
> >
> > If you're familiar with debugging, could you please check if this code
> > point is reached? If yes, is the InResponseTo value not null?
> >
> > Also, which version of Keycloak are you using?
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info(a)acutus.pro
> >
> > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
> > > Good morning. I'm trying to debug an issue where my Keycloak IdP
> > > does not include an InResponseTo attribute in the SAMLResponse after an
> > > SP-initiated login. Are there certain conditions in the Request that
> > > need to be satisfied before it will be included? Or certain client
> > > configurations in Keycloak?
> > >
> > > The SAMLRequest from the SP:
> > > ```
> > > <saml2p:AuthnRequest
> > >     AssertionConsumerServiceURL="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > >     AttributeConsumingServiceIndex="0"
> > >     Destination="https://keycloak.corp.net/auth/realms/Corp/protocol/saml/clients/checkmarx..."
> > >     ID="idda5349fbbbf9483a91ec1531e52933a6"
> > >     IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
> > >     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> > >     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> > >   <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
> > > </saml2p:AuthnRequest>
> > > ```
> > >
> > > Keycloak client configuration:
> > > ```
> > > {
> > >   "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
> > >   "clientId": "https://checkmarx.corp.net",
> > >   "rootUrl": "",
> > >   "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
> > >   "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
> > >   "surrogateAuthRequired": false,
> > >   "enabled": true,
> > >   "clientAuthenticatorType": "client-secret",
> > >   "redirectUris": [],
> > >   "webOrigins": [],
> > >   "notBefore": 0,
> > >   "bearerOnly": false,
> > >   "consentRequired": false,
> > >   "standardFlowEnabled": true,
> > >   "implicitFlowEnabled": false,
> > >   "directAccessGrantsEnabled": false,
> > >   "serviceAccountsEnabled": false,
> > >   "authorizationServicesEnabled": false,
> > >   "publicClient": false,
> > >   "frontchannelLogout": true,
> > >   "protocol": "saml",
> > >   "attributes": {
> > >     "saml.assertion.signature": "false",
> > >     "saml.force.post.binding": "true",
> > >     "saml.multivalued.roles": "false",
> > >     "saml.encrypt": "false",
> > >     "saml.server.signature": "true",
> > >     "saml_idp_initiated_sso_url_name": "checkmarx",
> > >     "saml.server.signature.keyinfo.ext": "false",
> > >     "saml.signature.algorithm": "RSA_SHA256",
> > >     "saml_force_name_id_format": "false",
> > >     "saml.client.signature": "false",
> > >     "saml.authnstatement": "true",
> > >     "saml_name_id_format": "email",
> > >     "saml.onetimeuse.condition": "false",
> > >     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
> > >     "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID"
> > >   },
> > >   "fullScopeAllowed": false,
> > >   "nodeReRegistrationTimeout": -1,
> > >   "useTemplateConfig": false,
> > >   "useTemplateScope": false,
> > >   "useTemplateMappers": false,
> > >   "access": {
> > >     "view": true,
> > >     "configure": true,
> > >     "manage": true
> > >   }
> > > }
> > > ```
> > >
> > > Thank you for any help or advice on this! Cheers,
> > > Chris Byron
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > >
https://lists.jboss.org/mailman/listinfo/keycloak-user
> >