Hi,
I'm trying to integrate keycloak into a the french research federation of identity (renater) and I'm facing some problems.
Actually, when IdP respond to keycloak i'm getting the following error :
PL00084: Writer: Unsupported Attribute Value:org.keycloak.dom.saml.v2.assertion.NameIDType
It seems that this IdP is using transient NameID policy only and using the unspecified field in the idp config in keycloak generate this exception as a return.
Log of the keycloak server is joined.
I have no idea of what happening because when I was using the test federation, everything was working but no I'm in the production federation, login fails.
The renater federation is using Shibolleth and keycloak is not supported by federation moderators so I'm alone in the dark now...
Renater provides an IdP list that I have to parse and synchronized with IdP in keycloak. As a return I provide a list of all endpoints for each keycloak registered IdP to allow federation IdP to answear correctly to the right endpoint. All of this is done by a small web app deployed aside keycloak and using REST API to synchronize all the IdP.
One of the IdP entity descriptor is joined. As you can see, only transient nameid policy is supported and if I configure keycloak to use email or persistent, I received a response saying that the nameid is not supported :
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="
https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" Destination="
https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO" ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></samlp:AuthnRequest>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="
https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" ID="_9d03761957aade819b6823c35bbab278" InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://janus.cnrs.fr/idp</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></saml2p:StatusCode><saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage></saml2p:Status></saml2p:Response>
Any help would be gracefully appreciated.
Thanks a lot, Jérôme.