Hi Chris,
According to the code, an InResponseTo attribute should be added to the response unconditionally:
If you're familiar with debugging, could you please check if this code point is reached? If yes, is the InResponseTo value not null?
Also, which version of Keycloak are you using?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote:
Good morning. I'm trying to debug an issue where my Keycloak IdP does not include an InResponseTo attribute in the SAMLResponse after an SP-initiated login. Are there certain conditions in the Request that need to be satisfied before it will be included? Or certain client configurations in Keycloak?
The SAMLRequest from the SP:
```xml
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
    AttributeConsumingServiceIndex="0"
    Destination="https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx..."
    ID="idda5349fbbbf9483a91ec1531e52933a6"
    IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
</saml2p:AuthnRequest>
```
Keycloak client configuration:
```json
{
  "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
  "clientId": "https://checkmarx.corp.net",
  "rootUrl": "",
  "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
  "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
  "surrogateAuthRequired": false,
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [],
  "webOrigins": [],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "serviceAccountsEnabled": false,
  "authorizationServicesEnabled": false,
  "publicClient": false,
  "frontchannelLogout": true,
  "protocol": "saml",
  "attributes": {
    "saml.assertion.signature": "false",
    "saml.force.post.binding": "true",
    "saml.multivalued.roles": "false",
    "saml.encrypt": "false",
    "saml.server.signature": "true",
    "saml_idp_initiated_sso_url_name": "checkmarx",
    "saml.server.signature.keyinfo.ext": "false",
    "saml.signature.algorithm": "RSA_SHA256",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "saml.authnstatement": "true",
    "saml_name_id_format": "email",
    "saml.onetimeuse.condition": "false",
    "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID"
  },
  "fullScopeAllowed": false,
  "nodeReRegistrationTimeout": -1,
  "useTemplateConfig": false,
  "useTemplateScope": false,
  "useTemplateMappers": false,
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}
```
Thank you for any help or advice on this!
Cheers,
Chris Byron
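The correlation the question above is about, as an added example that is neither from this thread nor from Keycloak: an SP-side check that ties a SAMLResponse's InResponseTo back to the ID of the AuthnRequest the SP sent, rejecting a response that lacks the attribute (Chris's symptom) unless unsolicited, IdP-initiated responses are explicitly allowed. The request ID from the question is reused as constructed sample data; all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest, modelled on the one in the question.
AUTHN_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}"
    ID="idda5349fbbbf9483a91ec1531e52933a6"
    IssueInstant="2018-07-20T23:39:36Z" Version="2.0">
  <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
</saml2p:AuthnRequest>"""


def make_response(in_response_to=None):
    """Build a minimal constructed SAMLResponse; omit InResponseTo when None."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<saml2p:Response xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}" '
            f'ID="_resp1" Version="2.0" IssueInstant="2018-07-20T23:39:40Z"{attr}>'
            '<saml2:Issuer>https://keycloak.corp.net/auth/realms/Corp</saml2:Issuer>'
            '</saml2p:Response>')


def request_id(authn_request_xml):
    """Extract the ID the SP must remember until the matching response arrives."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.attrib["ID"]


def check_in_response_to(response_xml, outstanding_ids, allow_unsolicited=False):
    """Return (ok, reason). outstanding_ids is the set of request IDs this SP
    issued and has not yet consumed; a matched ID is removed (one-time use)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    irt = root.attrib.get("InResponseTo")
    if irt is None:
        # An IdP-initiated response legitimately has no InResponseTo; an
        # SP-initiated flow must not accept one it cannot tie to its request.
        if allow_unsolicited:
            return True, "unsolicited response accepted by policy"
        return False, "InResponseTo missing from SP-initiated response"
    if irt not in outstanding_ids:
        return False, f"InResponseTo {irt!r} matches no outstanding request"
    outstanding_ids.discard(irt)
    return True, "matched"
```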
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user