Hi Drew,
I’m on 3.4.1.CR1. I’ll keep my eyes open for the 4.0 release. Is there an ETA?
Thank you,
Kristi
On Feb 6, 2018, at 1:51 PM, Drew Weirshousky <d.weirshousky(a)xsb.com> wrote:
Hi Kristi,
I believe there are some fixes coming for SAML in Keycloak 4.0 related to this. I am
assuming you are using Keycloak > 3.2.
Drew Weirshousky
----- Original Message -----
From: "Kristi Nikolla" <knikolla(a)bu.edu>
To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Tuesday, February 6, 2018 1:26:14 PM
Subject: [keycloak-user] SAML doesn't work when logging in through Identity Providers
Hi,
I’ve recently set up Keycloak for SSO in our organization. I’m using two Docker containers
in standalone-ha with Apache as a proxy. I’ve allowed GitHub, and an external SAML
provider for logging in, and everything works fine. Users are able to log in to the account
page, and log in to our OpenID Connect and OAuth2 clients.
The issue is when using a SAML client.
Login works perfectly fine with SAML/Shibboleth when using the username/password field in
Keycloak. It also works perfectly with an existing session regardless of login method.
It doesn’t work, however, when login is first initiated through the SAML client with
Shibboleth. The user is redirected to Keycloak, they click GitHub/University Login, input
their credentials in the external IdP, and come back to Keycloak to be greeted with
"An error occurred, please login again through your application." The error is the
same regardless of whether GitHub (OAuth) or University Login (SAML) is used, but it works perfectly
when using username and password directly in Keycloak.
The only thing that I see in the logs is:
21:54:01,682 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code
Even turning on debug logging doesn’t provide anything useful.
Thank you,
Kristi Nikolla
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
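
An added example, not part of the original thread and not Keycloak's own code: a small triage script that reads server log text, rejoins event lines wrapped the way the one above is, and counts IDENTITY_PROVIDER_LOGIN_ERROR events by realm, client and error. The function names and every sample line other than the event quoted in the thread are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample: the first event is the one quoted in the thread, wrapped
# as in the mail; the other two lines are made up for this example.
SAMPLE_LOG = """\
21:54:01,682 WARN [org.keycloak.events] (default task-30)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null,
ipAddress=155.41.80.192, error=invalid_code
21:55:10,004 WARN [org.keycloak.events] (default task-31) type=LOGIN_ERROR, realmId=moc, clientId=account, userId=null, ipAddress=192.0.2.10, error=invalid_user_credentials
21:56:42,310 INFO [org.example.other] (default task-2) unrelated message
"""

# A record starts with an HH:MM:SS,mmm timestamp; other lines continue the previous record.
RECORD_START = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3}\s")
HEADER = re.compile(r"^(?P<time>\S+)\s+(?P<level>\w+)\s+\[(?P<logger>[^\]]+)\]"
                    r"\s+\((?P<thread>[^)]*)\)\s*(?P<body>.*)$", re.S)
PAIR = re.compile(r"(\w+)=([^,\s]*)")

def parse_events(text):
    """Return one dict per org.keycloak.events record, rejoining wrapped lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    events = []
    for rec in records:
        m = HEADER.match(rec)
        if not m or m["logger"] != "org.keycloak.events":
            continue
        # The event line in the thread shows unset fields as the literal "null".
        fields = {k: (None if v == "null" else v) for k, v in PAIR.findall(m["body"])}
        fields["time"] = m["time"]
        events.append(fields)
    return events

def broker_failures(events):
    """Keep only failures raised while logging in through an identity provider."""
    return [e for e in events if e.get("type") == "IDENTITY_PROVIDER_LOGIN_ERROR"]

def summarize(events):
    """Count broker failures by (realmId, clientId, error)."""
    return Counter((e.get("realmId"), e.get("clientId"), e.get("error"))
                   for e in broker_failures(events))

if __name__ == "__main__":
    for (realm, client, error), n in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{n}x realm={realm} client={client} error={error}")
```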