Thanks.

 

When we attempt to authenticate using keycloak 2.2.0_final, we get the following log entries on the Keycloak server:

 

2016-09-23 08:44:09,842 WARN  [org.keycloak.saml.common] (default task-1) XML External Entity switches are not supported.  You may get XML injection vulnerabilities.

2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService] (default task-1) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document

                at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)

                at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)

                at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)

                at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)

                at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)

                at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)

                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

                at java.lang.reflect.Method.invoke(Method.java:498)

                at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)

                at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)

                at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)

                at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)

                at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)

                at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)

                at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)

                at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)

                at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)

                at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)

                at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

                at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)

                at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)

                at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)

                at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)

                at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)

                at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)

                at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)

                at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)

                at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)

                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)

                at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)

                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)

                at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

                at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)

                at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)

                at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)

                at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)

                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)

                at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)

                at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)

                at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)

                at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)

                at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)

                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

                at java.lang.Thread.run(Thread.java:745)

 

2016-09-23 08:44:10,075 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature

 

I have verified that the keys on the client match the server.  Does the XML External Entities have something to do with this?

 

Any help is appreciated.

 

Thanks,

Bill

 

From: Stian Thorgersen [mailto:sthorger@redhat.com]
Sent: Thursday, September 08, 2016 2:31 AM
To: Bill Kuntz
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Keycloak with EZproxy

 

Not sure what they mean about "authentication sequence identical to a standard Shibboleth Identity Provider", but Keycloak is pretty configurable so it should be possible to adapt the SAML configuration for the client to make it work with EZProxy.

 

On 1 September 2016 at 17:47, Bill Kuntz <WKuntz@flvc.org> wrote:

Has anyone successfully used Keycloak with OCLC's EZProxy?  We have been experimenting with Keycloak, and have been able to get it working with other SPs, but not EZProxy.

OCLC says " EZproxy supports connecting to non-Shibboleth SAML2 SSO systems if and only if that system uses an authentication sequence identical to a standard Shibboleth Identity Provider (IDP)."

Thanks,
Bill


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user