That's a bit too advanced for me. After a few hours spent trying to learn
how to do remote debugging, I returned to code examination, and found the
problem!
I was sending the SAMLRequest to the IdP initiated URL. So Keycloak ignored
the SAMLRequest in the URL and treated it like an IdP initiated login. I
should have been sending to /{realm}/protocol/saml, not
/{realm}/protocol/saml/clients/checkmarx.
On Mon, Jul 23, 2018 at 9:53 AM Dmitry Telegin <dt(a)acutus.pro> wrote:
On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote:
> Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have
> said up front!)
First and foremost, could you please try latest Keycloak (4.1.0)? Maybe
not upgrading your main instance, but rather installing in parallel. There
have been some changes to the SAML subsystem since 3.4.X.
> I am familiar with changing logging levels of the running service using
> the jboss cli, but I don't have the ability to build and step through or
> set breakpoints. (If it is possible to attach a CLI debugger to a running
> instance, please let me know! I have root on the host.)
Yes, this is possible - just rerun Keycloak with the "--debug" option; it
will open a listener on port 8787 (use "--debug <port>" to override).
Then forward this port to your box via SSH and use your favorite IDE
to attach a debugger to localhost:8787 using the dt_socket transport (it could
also be called "SocketAttach connector"). Also, obviously, you'll need to
check out the source tree.
Basically, you'll need to determine which code path Keycloak takes to
generate the response, and, after that, try to understand why the attribute
is omitted.
Good luck!
Dmitry
>
> I doubt this helps, but here is the SAMLResponse from the Request posted
> previously:
> ```
> <samlp:Response Destination="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
>     ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>   <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
>   <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>     <dsig:SignedInfo>
>       <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>       <dsig:Reference URI="#ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd">
>         <dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:... Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds... Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>         <dsig:DigestValue>G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y=</dsig:DigestValue>
>       </dsig:Reference>
>     </dsig:SignedInfo>
>     <dsig:SignatureValue>VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A==</dsig:SignatureValue>
>     <dsig:KeyInfo>
>       <dsig:KeyName>3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc</dsig:KeyName>
>       <dsig:X509Data>
>         <dsig:X509Certificate>MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O</dsig:X509Certificate>
>       </dsig:X509Data>
>       <dsig:KeyValue>
>         <dsig:RSAKeyValue>
>           <dsig:Modulus>qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew==</dsig:Modulus>
>           <dsig:Exponent>AQAB</dsig:Exponent>
>         </dsig:RSAKeyValue>
>       </dsig:KeyValue>
>     </dsig:KeyInfo>
>   </dsig:Signature>
>   <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
>   <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046" IssueInstant="2018-07-20T23:39:37.055Z"
>       Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>     <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
>     <saml:Subject>
>       <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris.byron@corp.com</saml:NameID>
>       <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z" Recipient="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"/></saml:SubjectConfirmation>
>     </saml:Subject>
>     <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z" NotOnOrAfter="2018-07-20T23:40:35.055Z">
>       <saml:AudienceRestriction>
>         <saml:Audience>https://checkmarx.corp.net</saml:Audience>
>       </saml:AudienceRestriction>
>     </saml:Conditions>
>     <saml:AuthnStatement AuthnInstant="2018-07-20T23:39:37.055Z" SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25">
>       <saml:AuthnContext>
>         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
>       </saml:AuthnContext>
>     </saml:AuthnStatement>
>     <saml:AttributeStatement>
>       <saml:Attribute FriendlyName="Last name" Name="Last_Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Byron</saml:AttributeValue>
>       </saml:Attribute>
>       <saml:Attribute FriendlyName="First name" Name="First_Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Chris</saml:AttributeValue>
>       </saml:Attribute>
>       <saml:Attribute FriendlyName="Email" Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">chris.byron@corp.com</saml:AttributeValue>
>       </saml:Attribute>
>     </saml:AttributeStatement>
>   </saml:Assertion>
> </samlp:Response>
> ```
>
> On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin <dt(a)acutus.pro> wrote:
> > Hi Chris,
> >
> > According to the code, an InResponseTo attribute should be added to
> > the response unconditionally:
> >
> > https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/...
> >
> > If you're familiar with debugging, could you please check if this code
> > point is reached? If yes, is the InResponseTo value not null?
> >
> > Also, which version of Keycloak are you using?
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info(a)acutus.pro
> >
> > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
> > > Good morning. I'm trying to debug an issue where my Keycloak IdP does not
> > > include an InResponseTo attribute in the SAMLResponse after an SP-initiated
> > > login. Are there certain conditions in the Request that need to be
> > > satisfied before it will be included? Or certain client configurations in
> > > Keycloak?
> > >
> > > The SAMLRequest from the SP:
> > > ```
> > > <saml2p:AuthnRequest
> > >     AssertionConsumerServiceURL="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > >     AttributeConsumingServiceIndex="0"
> > >     Destination="https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx..."
> > >     ID="idda5349fbbbf9483a91ec1531e52933a6"
> > >     IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
> > >     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> > >     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> > >   <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
> > > </saml2p:AuthnRequest>
> > > ```
> > >
> > > Keycloak client configuration:
> > > ```
> > > {
> > >   "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
> > >   "clientId": "https://checkmarx.corp.net",
> > >   "rootUrl": "",
> > >   "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
> > >   "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
> > >   "surrogateAuthRequired": false,
> > >   "enabled": true,
> > >   "clientAuthenticatorType": "client-secret",
> > >   "redirectUris": [],
> > >   "webOrigins": [],
> > >   "notBefore": 0,
> > >   "bearerOnly": false,
> > >   "consentRequired": false,
> > >   "standardFlowEnabled": true,
> > >   "implicitFlowEnabled": false,
> > >   "directAccessGrantsEnabled": false,
> > >   "serviceAccountsEnabled": false,
> > >   "authorizationServicesEnabled": false,
> > >   "publicClient": false,
> > >   "frontchannelLogout": true,
> > >   "protocol": "saml",
> > >   "attributes": {
> > >     "saml.assertion.signature": "false",
> > >     "saml.force.post.binding": "true",
> > >     "saml.multivalued.roles": "false",
> > >     "saml.encrypt": "false",
> > >     "saml.server.signature": "true",
> > >     "saml_idp_initiated_sso_url_name": "checkmarx",
> > >     "saml.server.signature.keyinfo.ext": "false",
> > >     "saml.signature.algorithm": "RSA_SHA256",
> > >     "saml_force_name_id_format": "false",
> > >     "saml.client.signature": "false",
> > >     "saml.authnstatement": "true",
> > >     "saml_name_id_format": "email",
> > >     "saml.onetimeuse.condition": "false",
> > >     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
> > >     "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID"
> > >   },
> > >   "fullScopeAllowed": false,
> > >   "nodeReRegistrationTimeout": -1,
> > >   "useTemplateConfig": false,
> > >   "useTemplateScope": false,
> > >   "useTemplateMappers": false,
> > >   "access": {
> > >     "view": true,
> > >     "configure": true,
> > >     "manage": true
> > >   }
> > > }
> > > ```
> > >
> > > Thank you for any help or advice on this! Cheers,
> > > Chris Byron
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
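The root cause found in this thread (the AuthnRequest was posted to the IdP-initiated /clients/{name} URL, so Keycloak ignored the SAMLRequest and answered with an unsolicited response carrying no InResponseTo) is also something the service provider should catch on its own side rather than silently accept. The Python below is an added example and is not code from this thread, from Keycloak or from Checkmarx: it classifies an AuthnRequest Destination by the two endpoint path shapes that appear in the thread, and it rejects a SAMLResponse that has no InResponseTo, or whose InResponseTo, Destination or bearer Recipient do not match the request the SP actually issued and its own ACS URL. The sample messages are constructed (modelled on the ones posted, unsigned), the endpoint regexes and function names are mine, and signature and validity-window checks are assumed to happen elsewhere.

```python
# Added example, not code from this thread or from Keycloak. Endpoint path
# patterns follow the URLs posted in the thread; sample messages are
# constructed and unsigned (signature/time-window checks assumed elsewhere).
import re
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Keycloak realm SAML endpoints as they appear in the thread:
#   /auth/realms/{realm}/protocol/saml                     SP-initiated (processes SAMLRequest)
#   /auth/realms/{realm}/protocol/saml/clients/{url-name}  IdP-initiated (SAMLRequest ignored)
SP_INITIATED = re.compile(r"^/auth/realms/[^/]+/protocol/saml/?$")
IDP_INITIATED = re.compile(r"^/auth/realms/[^/]+/protocol/saml/clients/[^/]+/?$")

ACS_URL = "https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
REQUEST_ID = "idda5349fbbbf9483a91ec1531e52933a6"  # the request ID posted in the thread

# Constructed AuthnRequest modelled on the posted one; its Destination is the
# IdP-initiated URL, which is exactly the mistake the thread ends up finding.
AUTHN_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}"
    ID="{REQUEST_ID}" Version="2.0" IssueInstant="2018-07-20T23:39:36Z"
    AssertionConsumerServiceURL="{ACS_URL}"
    Destination="https://keycloak.corp.net/auth/realms/Corp/protocol/saml/clients/checkmarx">
  <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
</saml2p:AuthnRequest>"""


def classify_sso_destination(url: str) -> str:
    """Classify a Keycloak SAML URL by path: 'sp-initiated', 'idp-initiated' or 'unknown'."""
    path = urlsplit(url).path
    if SP_INITIATED.match(path):
        return "sp-initiated"
    if IDP_INITIATED.match(path):
        return "idp-initiated"
    return "unknown"


def check_authn_request_destination(authn_request_xml: str) -> List[str]:
    """Problems with where the AuthnRequest is being sent; an empty list means fine."""
    root = ET.fromstring(authn_request_xml)
    kind = classify_sso_destination(root.get("Destination", ""))
    if kind == "idp-initiated":
        return ["Destination is the IdP-initiated endpoint; Keycloak ignores the SAMLRequest there"]
    if kind == "unknown":
        return ["Destination is not a recognised realm SAML endpoint"]
    return []


def _sample_response(in_response_to: Optional[str]) -> str:
    """Constructed, unsigned SAMLResponse shaped like the one posted in the thread."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" Version="2.0"
    IssueInstant="2018-07-20T23:39:37.055Z" Destination="{ACS_URL}"{irt}>
  <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046" Version="2.0"
      IssueInstant="2018-07-20T23:39:37.055Z">
    <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris.byron@corp.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z" Recipient="{ACS_URL}"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


UNSOLICITED_RESPONSE = _sample_response(None)      # what the misdirected request produced
SOLICITED_RESPONSE = _sample_response(REQUEST_ID)  # what the SP-initiated endpoint should produce


def validate_response(response_xml: str, expected_request_id: str, expected_acs: str) -> List[str]:
    """Checks an SP must make before trusting a response to its own AuthnRequest.
    Returns the list of problems; an empty list means the response is acceptable."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not a samlp:Response"]
    problems = []
    irt = root.get("InResponseTo")
    if irt is None:
        # An unsolicited response is what IdP-initiated SSO sends; an SP that is
        # waiting for an answer to its own request must not accept it.
        problems.append("Response has no InResponseTo; unsolicited response rejected for an SP-initiated login")
    elif irt != expected_request_id:
        problems.append(f"InResponseTo {irt!r} does not match outstanding request {expected_request_id!r}")
    if root.get("Destination") != expected_acs:
        problems.append("Response Destination is not our ACS URL")
    for scd in root.iter(f"{{{SAML}}}SubjectConfirmationData"):
        if scd.get("Recipient") != expected_acs:
            problems.append("SubjectConfirmationData Recipient is not our ACS URL")
        scd_irt = scd.get("InResponseTo")
        if scd_irt is not None and scd_irt != expected_request_id:
            problems.append("SubjectConfirmationData InResponseTo does not match outstanding request")
    return problems


if __name__ == "__main__":
    print("AuthnRequest:", check_authn_request_destination(AUTHN_REQUEST) or "ok")
    print("unsolicited: ", validate_response(UNSOLICITED_RESPONSE, REQUEST_ID, ACS_URL) or "ok")
    print("solicited:   ", validate_response(SOLICITED_RESPONSE, REQUEST_ID, ACS_URL) or "ok")
```

Run it as a script to see the constructed AuthnRequest flagged for its Destination and the InResponseTo-less response rejected while the solicited one passes. In a real SP the expected request ID comes from a store of outstanding requests keyed by the ID the SP generated, consumed on first use so a response cannot be replayed against the same request.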