> Thanks, Dmitry. That said, as soon as I verified that SP-initiated was working, the opposite failure started! After doing an SP-init login, I can no longer perform IdP-init login because it sends the InResponseTo attribute when it should not!
Oh ZOMG. Do I get it right that:
- you're able to successfully log in via SP-initiated SSO;
- then you try IDP-initiated via the "/{realm}/protocol/saml/clients/checkmarx" special URL;
- this results in Keycloak sending a SAML response with assertion to your SP (specifically, to the SP's assertion consumer URL);
- SP barfs on the irrelevant InResponseTo?
If so, probably you've found a bug. CCing our SAML guru Hynek Mlnarik.
And BTW, the situation seems to be known to other SAML implementors:
The SAML Core spec (line 1605), and the SAML profiles spec (line 634) say that if the InResponseTo attribute is present it MUST match the value of the corresponding request's ID attribute. Further, section 4.1.5 of the SAML profiles spec says that an unsolicited response (i.e. IdP initiated) MUST NOT contain an InResponseTo attribute (line 694).
> When I first log in to Keycloak I can do IdP-initiated login. If I log out of the service I can also do SP-initiated. But after doing a successful SP-initiated login, the Keycloak server seems to remember the SAMLRequest ID and sends it for each subsequent IdP-initiated login, that is, when I use `/{realm}/protocol/saml/clients/checkmarx`. This persists until I log out of Keycloak. I assume it's something obvious, but any help would be appreciated.
> Cheers,
> Chris
> On Mon, Jul 23, 2018 at 4:00 PM Dmitry Telegin <dt(a)acutus.pro> wrote:
> On Mon, 2018-07-23 at 15:22 -0700, Chris Byron wrote:
> > That's a bit too advanced for me. After a few hours spent trying to learn how to do remote debugging, I returned to code examination, and found the problem!
>
> Glad you've found the answer, and sorry for having misled you. Nevertheless, remote debugging is a must-have skill, I hope one day you'll make use of it and remember this day :)
>
> > I was sending the SAMLRequest to the IdP-initiated URL. So Keycloak ignored the SAMLRequest in the URL and treated it like an IdP-initiated login. I should have been sending to /{realm}/protocol/saml, not /{realm}/protocol/saml/clients/checkmarx .
>
> My bad, it was easy to overlook the suspicious Destination="..." in all that XML. As the doc says, "SAML tends to be a bit more verbose than OIDC." (is that "a bit" an irony?) :-D
>
> Cheers and good luck with Keycloak,
> Dmitry
>
> > On Mon, Jul 23, 2018 at 9:53 AM Dmitry Telegin <dt(a)acutus.pro> wrote:
> > > On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote:
> > > > Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have said up front!)
> > >
> > > First and foremost, could you please try the latest Keycloak (4.1.0)? Maybe not upgrading your main instance, but rather installing it in parallel. There have been some changes to the SAML subsystem since 3.4.X.
> > >
> > > > I am familiar with changing logging levels of the running service using the jboss cli, but I don't have the ability to build and step through or set breakpoints. (If it is possible to attach a CLI debugger to a running instance, please let me know! I have root on the host.)
> > >
> > > Yes, this is possible - just rerun Keycloak with the "--debug" option, it will open a listener on port 8787 (use "--debug <port>" to override).
> > >
> > > Then forward this port to your box via SSH and use your favorite IDE to attach the debugger to localhost:8787 using the dt_socket transport (it could also be called "SocketAttach connector"). Also, obviously, you'll need to check out the source tree.
> > >
> > > Basically, you'll need to determine which code path Keycloak takes to generate the response, and, after that, try to understand why the attribute is omitted.
> > >
> > > Good luck!
> > > Dmitry
> > >
> > > >
> > > > I doubt this helps, but here is the SAMLResponse from the Request posted previously:
> > > > ```
> > > > <samlp:Response Destination="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > > >     ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0"
> > > >     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> > > >     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
> > > >   <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
> > > >   <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
> > > >     <dsig:SignedInfo>
> > > >       <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> > > >       <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> > > >       <dsig:Reference URI="#ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd">
> > > >         <dsig:Transforms>
> > > >           <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> > > >           <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> > > >         </dsig:Transforms>
> > > >         <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> > > >         <dsig:DigestValue>G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y=</dsig:DigestValue>
> > > >       </dsig:Reference>
> > > >     </dsig:SignedInfo>
> > > >     <dsig:SignatureValue>VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A==</dsig:SignatureValue>
> > > >     <dsig:KeyInfo>
> > > >       <dsig:KeyName>3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc</dsig:KeyName>
> > > >       <dsig:X509Data>
> > > >         <dsig:X509Certificate>MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O</dsig:X509Certificate>
> > > >       </dsig:X509Data>
> > > >       <dsig:KeyValue>
> > > >         <dsig:RSAKeyValue>
> > > >           <dsig:Modulus>qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew==</dsig:Modulus>
> > > >           <dsig:Exponent>AQAB</dsig:Exponent>
> > > >         </dsig:RSAKeyValue>
> > > >       </dsig:KeyValue>
> > > >     </dsig:KeyInfo>
> > > >   </dsig:Signature>
> > > >   <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
> > > >   <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046" IssueInstant="2018-07-20T23:39:37.055Z"
> > > >       Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
> > > >     <saml:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml:Issuer>
> > > >     <saml:Subject>
> > > >       <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris.byron@corp.com</saml:NameID>
> > > >       <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> > > >         <saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z"
> > > >             Recipient="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"/>
> > > >       </saml:SubjectConfirmation>
> > > >     </saml:Subject>
> > > >     <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z" NotOnOrAfter="2018-07-20T23:40:35.055Z">
> > > >       <saml:AudienceRestriction>
> > > >         <saml:Audience>https://checkmarx.corp.net</saml:Audience>
> > > >       </saml:AudienceRestriction>
> > > >     </saml:Conditions>
> > > >     <saml:AuthnStatement AuthnInstant="2018-07-20T23:39:37.055Z"
> > > >         SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25">
> > > >       <saml:AuthnContext>
> > > >         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
> > > >       </saml:AuthnContext>
> > > >     </saml:AuthnStatement>
> > > >     <saml:AttributeStatement>
> > > >       <saml:Attribute FriendlyName="Last name" Name="Last_Name"
> > > >           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > > >         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > > >             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Byron</saml:AttributeValue>
> > > >       </saml:Attribute>
> > > >       <saml:Attribute FriendlyName="First name" Name="First_Name"
> > > >           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > > >         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > > >             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Chris</saml:AttributeValue>
> > > >       </saml:Attribute>
> > > >       <saml:Attribute FriendlyName="Email" Name="Email"
> > > >           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > > >         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > > >             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">chris.byron@corp.com</saml:AttributeValue>
> > > >       </saml:Attribute>
> > > >     </saml:AttributeStatement>
> > > >   </saml:Assertion>
> > > > </samlp:Response>
> > > > ```
> > > >
> > > > > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin
<dt(a)acutus.pro> wrote:
> > > > > Hi Chris,
> > > > >
> > > > > According to the code, an InResponseTo attribute should be added to the response unconditionally:
> > > > >
https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/...
> > > > >
> > > > > If you're familiar with debugging, could you please check if this code point is reached? If yes, is the InResponseTo value not null?
> > > > >
> > > > > Also, which version of Keycloak are you using?
> > > > >
> > > > > Cheers,
> > > > > Dmitry Telegin
> > > > > CTO, Acutus s.r.o.
> > > > > Keycloak Consulting and Training
> > > > >
> > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > +42 (022) 888-30-71
> > > > > E-mail: info(a)acutus.pro
> > > > >
> > > > > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
> > > > > > Good morning. I'm trying to debug an issue where my Keycloak IdP does not include an InResponseTo attribute in the SAMLResponse after an SP-initiated login. Are there certain conditions in the Request that need to be satisfied before it will be included? Or certain client configurations in Keycloak?
> > > > > >
> > > > > > The SAMLRequest from the SP:
> > > > > > ```
> > > > > > <saml2p:AuthnRequest
> > > > > >     AssertionConsumerServiceURL="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > > > > >     AttributeConsumingServiceIndex="0"
> > > > > >     Destination="https://keycloak.corp.net/auth/realms/Corp/protocol/saml/clients/checkmarx..."
> > > > > >     ID="idda5349fbbbf9483a91ec1531e52933a6"
> > > > > >     IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
> > > > > >     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> > > > > >     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> > > > > >   <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
> > > > > > </saml2p:AuthnRequest>
> > > > > > ```
> > > > > >
> > > > > > Keycloak client configuration:
> > > > > > ```
> > > > > > {
> > > > > >   "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
> > > > > >   "clientId": "https://checkmarx.corp.net",
> > > > > >   "rootUrl": "",
> > > > > >   "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
> > > > > >   "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
> > > > > >   "surrogateAuthRequired": false,
> > > > > >   "enabled": true,
> > > > > >   "clientAuthenticatorType": "client-secret",
> > > > > >   "redirectUris": [],
> > > > > >   "webOrigins": [],
> > > > > >   "notBefore": 0,
> > > > > >   "bearerOnly": false,
> > > > > >   "consentRequired": false,
> > > > > >   "standardFlowEnabled": true,
> > > > > >   "implicitFlowEnabled": false,
> > > > > >   "directAccessGrantsEnabled": false,
> > > > > >   "serviceAccountsEnabled": false,
> > > > > >   "authorizationServicesEnabled": false,
> > > > > >   "publicClient": false,
> > > > > >   "frontchannelLogout": true,
> > > > > >   "protocol": "saml",
> > > > > >   "attributes": {
> > > > > >     "saml.assertion.signature": "false",
> > > > > >     "saml.force.post.binding": "true",
> > > > > >     "saml.multivalued.roles": "false",
> > > > > >     "saml.encrypt": "false",
> > > > > >     "saml.server.signature": "true",
> > > > > >     "saml_idp_initiated_sso_url_name": "checkmarx",
> > > > > >     "saml.server.signature.keyinfo.ext": "false",
> > > > > >     "saml.signature.algorithm": "RSA_SHA256",
> > > > > >     "saml_force_name_id_format": "false",
> > > > > >     "saml.client.signature": "false",
> > > > > >     "saml.authnstatement": "true",
> > > > > >     "saml_name_id_format": "email",
> > > > > >     "saml.onetimeuse.condition": "false",
> > > > > >     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
> > > > > >     "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID"
> > > > > >   },
> > > > > >   "fullScopeAllowed": false,
> > > > > >   "nodeReRegistrationTimeout": -1,
> > > > > >   "useTemplateConfig": false,
> > > > > >   "useTemplateScope": false,
> > > > > >   "useTemplateMappers": false,
> > > > > >   "access": {
> > > > > >     "view": true,
> > > > > >     "configure": true,
> > > > > >     "manage": true
> > > > > >   }
> > > > > > }
> > > > > > ```
> > > > > >
> > > > > > Thank you for any help or advice on this! Cheers,
> > > > > > Chris Byron
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user(a)lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > >
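The spec passage Dmitry quotes (InResponseTo MUST match the request ID when present; an unsolicited response MUST NOT carry it) is exactly what the SP's assertion consumer should enforce, and both of Chris's symptoms are the two ways that rule can be broken. Below is an added example of that SP-side check, not Keycloak's or Checkmarx's code. It accepts a `samlp:Response` only if InResponseTo is present and equals the pending AuthnRequest ID in the SP-initiated case, and is absent when nothing is pending (the IdP-initiated case), and it also checks Destination, Recipient, Status, validity window and Audience. The sample responses are constructed from the one posted in the thread (same IDs, URLs and timestamps); `expected_request_id`, `allow_unsolicited` and the fixed clock `NOW` are assumptions for illustration. Signature verification (which needs xmlsec) and encrypted assertions are out of scope and must run before these checks.

```python
"""SP-side acceptance checks for a SAML 2.0 <samlp:Response>, centred on InResponseTo.
Added example, not Keycloak or Checkmarx code. Signature verification (xmlsec) and encrypted
assertions are out of scope. xml.etree keeps this stdlib-only; parse untrusted XML with defusedxml."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values copied from the thread and reused as constructed sample data.
ACS = "https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
SP_ENTITY_ID = "https://checkmarx.corp.net"
IDP_ENTITY_ID = "https://keycloak.corp.net/auth/realms/Corp"
REQUEST_ID = "idda5349fbbbf9483a91ec1531e52933a6"          # ID of the posted AuthnRequest
NOW = datetime(2018, 7, 20, 23, 40, tzinfo=timezone.utc)  # assumed clock, inside the validity window


def _ts(value):
    """Parse a SAML xs:dateTime such as 2018-07-20T23:39:37.055Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, *, acs_url, audience, expected_request_id, allow_unsolicited, now):
    """Return (accepted, reason). expected_request_id is the AuthnRequest ID the SP stored in the
    browser session when it started an SP-initiated flow, or None when nothing is pending; the
    caller clears it after one use so a captured response cannot be replayed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    if root.get("Destination") != acs_url:
        return False, "Destination does not match our ACS URL"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    irt = root.get("InResponseTo")
    if expected_request_id is not None:
        # SP-initiated: InResponseTo MUST be present and MUST equal our request ID.
        if irt is None:
            return False, "response to our AuthnRequest lacks InResponseTo"
        if irt != expected_request_id:
            return False, "InResponseTo %r does not match the pending request" % irt
    else:
        # Nothing pending, so only an unsolicited (IdP-initiated) response is legitimate,
        # and profiles 4.1.5 says it MUST NOT carry InResponseTo.
        if irt is not None:
            return False, "unsolicited response carries InResponseTo %r" % irt
        if not allow_unsolicited:
            return False, "IdP-initiated SSO is disabled for this SP"
    scd = root.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation/"
                    "saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        return False, "bearer Recipient does not match our ACS URL"
    if scd.get("InResponseTo") not in (None, irt):
        return False, "SubjectConfirmationData/@InResponseTo disagrees with the Response"
    if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        return False, "subject confirmation expired"
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            return False, "assertion not yet valid"
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            return False, "assertion expired"
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and audience not in audiences:
            return False, "we are not an intended Audience"
    return True, "ok"


def sample_response(in_response_to=None):
    """Constructed, unsigned response modelled on the one posted in the thread."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Version="2.0"
    ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" IssueInstant="2018-07-20T23:39:37.055Z"
    Destination="{ACS}"{irt}>
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="ID_3ffd4d57-6e3d-4d86-830e-4a37a48c0046" Version="2.0" IssueInstant="2018-07-20T23:39:37.055Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris.byron@corp.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2018-07-20T23:44:35.055Z" Recipient="{ACS}"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-07-20T23:39:35.055Z" NotOnOrAfter="2018-07-20T23:40:35.055Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def scenarios():
    """The cases from the thread plus an expired one; returns name -> (accepted, reason)."""
    common = dict(acs_url=ACS, audience=SP_ENTITY_ID, allow_unsolicited=True, now=NOW)
    return {
        "sp_init_ok": validate_response(sample_response(REQUEST_ID), expected_request_id=REQUEST_ID, **common),
        # Chris's first symptom: SP sent a request, IdP answered without InResponseTo.
        "sp_init_missing_irt": validate_response(sample_response(None), expected_request_id=REQUEST_ID, **common),
        "idp_init_ok": validate_response(sample_response(None), expected_request_id=None, **common),
        # Chris's second symptom: IdP-initiated response still carrying the old request ID.
        "idp_init_stale_irt": validate_response(sample_response(REQUEST_ID), expected_request_id=None, **common),
        "sp_init_expired": validate_response(sample_response(REQUEST_ID), expected_request_id=REQUEST_ID,
                                             **dict(common, now=NOW.replace(minute=41))),
    }
```

Running `scenarios()` accepts `sp_init_ok` and `idp_init_ok` and rejects the other three, with the reason string naming which rule failed. The design point is that the SP decides the expected shape of InResponseTo from its own session state (is a request pending or not) rather than from whatever the IdP sent, so a response that fits the wrong flow is refused even when the signature is good; whether to accept unsolicited responses at all is a per-SP policy, hence the `allow_unsolicited` switch.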