Hello Kevin,
I am afraid that the only thing I can suggest to you is to change your
Celoxis IDP URL configuration [1].
Cheers,
Luis
[1]
On Fri., 29 Mar. 2019 at 8:45, Kevin Perez Moreno (<moreno(a)netguardians.ch>) wrote:
Hello,
I am currently trying to integrate Celoxis into our SSO provided by
Keycloak. Celoxis is configured to send SAML requests to our Keycloak
server by using the following IDP endpoint URL:
https://xxx.xx/auth/realms/Demo/protocol/saml
However, I am getting an "invalid authn request reason invalid
destination" WARN message in Keycloak.
After changing the log level to DEBUG, I found out that the Celoxis app is
sending a SAML request with destination URL
https://xxx.xx/auth/realms/Demo/protocol/saml?
It seems that a question mark was added at the end of the destination URL.
Please see the DEBUG traces below. I wonder if this is the expected behavior,
i.e., whether the question mark added at the end of the SAML Destination URL is
causing Keycloak to throw an invalid authn request error.
If this is the expected behavior, I wonder if there is any workaround to
avoid this error (perhaps ignoring destination validation?).
17:06:47,989 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-9) RESTEASY002315: PathInfo: /realms/Demo/protocol/saml
17:06:47,993 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) SAML GET
17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9) SAML Redirect Binding
17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9)
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="ONELOGIN_2eca86d4-06b6-45d1-b944-b2e453326418" Version="2.0"
  IssueInstant="2019-03-28T16:06:47Z"
  Destination="https://xxx/auth/realms/Demo/protocol/saml?"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="https://app.celoxis.com/psa/person.Login.do?code=netguardians">
  <saml:Issuer>celoxis.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
</samlp:AuthnRequest>
17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) verified request
17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) ** login request
17:06:47,999 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=Demo, clientId=null, userId=null, ipAddress=x.x.x.x, error=invalid_authn_request, reason=invalid_destination
Thank you in advance
Kevin
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
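The following is an added example, written for this page and not taken from the thread, from Celoxis or from Keycloak's code base. It reproduces the situation in Kevin's DEBUG trace end to end: an AuthnRequest with the same structure is carried over the SAML HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding, as the binding specifies), the "IdP side" recovers the XML and the endpoint it was received on, and a strict string comparison of the Destination attribute against that endpoint fails exactly because of the trailing "?". The endpoint and ACS URLs are the ones quoted in the mail; the request ID is a placeholder, and the `normalize_empty_query` helper is a hypothetical normalization shown only to illustrate what would have to change for the two values to compare equal, not a description of what Keycloak does.

```python
"""Added example (not from the thread or from Keycloak): reproduce the
Destination comparison that fails in the DEBUG trace above."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Endpoint values quoted from the mail thread.
IDP_SSO_URL = "https://xxx.xx/auth/realms/Demo/protocol/saml"
ACS_URL = "https://app.celoxis.com/psa/person.Login.do?code=netguardians"


def build_authn_request(destination, acs_url=ACS_URL, issuer="celoxis.com",
                        request_id="_constructed-example-id"):
    """Constructed AuthnRequest with the same shape as the one in the trace
    (the ID is a placeholder, not the real ONELOGIN_... identifier)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2019-03-28T16:06:47Z" '
        f'Destination="{destination}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        '<samlp:NameIDPolicy '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
        'AllowCreate="true"/></samlp:AuthnRequest>'
    )


def to_redirect_url(idp_url, xml_text):
    """SP side of the HTTP-Redirect binding: raw DEFLATE, base64, then
    URL-encode the result as the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    saml_request = base64.b64encode(deflated).decode("ascii")
    return f"{idp_url}?{urlencode({'SAMLRequest': saml_request})}"


def parse_redirect_url(url):
    """IdP side: recover the AuthnRequest XML and the endpoint URL it was
    received on (scheme, host and path, without the SAMLRequest query).
    Returns (endpoint_url, destination_attribute)."""
    parts = urlsplit(url)
    endpoint = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    saml_request = parse_qs(parts.query)["SAMLRequest"][0]
    xml_text = zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    return endpoint, root.get("Destination")


def destination_matches(endpoint, destination):
    """Strict, character-for-character comparison of the Destination attribute
    with the endpoint the request arrived on. A trailing '?' fails this."""
    return destination == endpoint


def normalize_empty_query(url):
    """Hypothetical normalization (not Keycloak behaviour): urlunsplit drops
    the '?' when the query component is empty, so 'https://h/p?' -> 'https://h/p'."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, parts.fragment))


def simulate(destination):
    """Run one AuthnRequest through the binding and report both comparisons."""
    url = to_redirect_url(IDP_SSO_URL, build_authn_request(destination))
    endpoint, seen = parse_redirect_url(url)
    return {
        "endpoint": endpoint,
        "destination": seen,
        "strict_ok": destination_matches(endpoint, seen),
        "normalized_ok": destination_matches(endpoint, normalize_empty_query(seen)),
    }


if __name__ == "__main__":
    for dest in (IDP_SSO_URL, IDP_SSO_URL + "?"):
        print(simulate(dest))
```

Running the module prints one result line per Destination value: the clean URL passes the strict comparison, while the URL with the trailing "?" fails it (reproducing the `reason=invalid_destination` event in the trace) and only passes after the hypothetical normalization. The practical point for the thread is that the Destination value is compared as a string, so the SP-side configuration has to emit exactly the endpoint URL the IdP is reached on.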