Hello Manuel, sorry for the late response,
You did almost everything right, except for a couple of things:
- You generally don't need to modify the ACS URL inside your SPSSODescriptor while
importing it into a 3rd party IdP (samltest.id in your case). This is unless you want
IdP-initiated SSO, in which case you should follow the doc [1] (paragraph beginning with
"When using identity brokering"). I'd rather suggest that you get
SP-initiated SSO working first, which doesn't require any tweaking of the SP metadata;
- You shouldn't override the client's ACS URL. The ACS of a client and the ACS of
Keycloak facing the 3rd party IdP are different things. Trying to substitute one for the other,
you will create a loopback. (Probably you did that "in accordance" with the
aforementioned paragraph, but it can be a bit misleading since it describes the process as
if Keycloak were your 3rd party IdP, not samltest.id.)
With the above, I suggest that you recreate your samltest.id IdP in Keycloak, import
the metadata from https://samltest.id/saml/idp, then go to the Export tab and transfer the
metadata verbatim to samltest.id. Second, undo any ACS URL modifications you've made
to the client settings. After that, you should be able to access your application and sign
in via the samltest IdP.
[1]
https://www.keycloak.org/docs/latest/server_admin/#idp-initiated-login
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Mon, 2018-12-10 at 18:12 +0000, Manuel Waltschek wrote:
Hello,
I am sorry, but I am resending this because I got ignored for the third time now and I just
can't figure out what to do.
If you cannot help me on this one, please give me a step-by-step explanation of how to
configure an application as a service provider to authenticate against an external SAML
IdP (with the Keycloak IdP broker), since I cannot figure it out with the latest
documentation.
Thank you,
Manuel
From: Manuel Waltschek
Sent: Friday, 7 December 2018 17:34
To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
Subject: Wrong AssertionConsumerServiceURL in AuthnRequest of IdP broker
Hello there,
I am trying to configure my Keycloak server to act as an IdP broker for samltest.id IdP
(external IdP) and I want my application to authenticate against this external IdP.
I imported the IdP metadata of samltest into my IdP settings and exported the following SP
descriptor into the IdP of samltest:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp">
  <SPSSODescriptor AuthnRequestsSigned="true"
      WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
      urn:oasis:names:tc:SAML:1.1:protocol
      http://schemas.xmlsoap.org/ws/2003/07/secext">
    <KeyDescriptor use="signing">
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:KeyName>Ovdow5dx1a_BxPju-WIV7_-LKmhBPUDGXMKEPsXoDYY</dsig:KeyName>
        <dsig:X509Data>
          <dsig:X509Certificate><!-- certificate omitted from the post --></dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol"
        index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
Here "vde-tirol" is the client ID configured in my client, and the ACS URL is
the one I configured in the Fine Grain SAML Endpoint Configuration of my client.
After I try to access a protected resource, I get redirected to a page of samltest
telling me that something went wrong, and I found that the AuthnRequest sent from my
IdP broker did not have the ACS URL
http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-...
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint"
    Destination="https://samltest.id/idp/profile/SAML2/POST/SSO"
    ForceAuthn="false" ID="ID_86bcd6f8-2a66-4151-bfa1-35ad5cf5550b"
    IsPassive="false" IssueInstant="2018-12-07T16:08:26.742Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8180/auth/realms/prisma-keycloak-saml-idp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>
I get the following error from OpenSAML:
Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither
candidate endpoint location
'localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol'
nor response location 'null' matched
'http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint'
Do you have a clue what went wrong? Is this intended behaviour, that the
AssertionConsumerServiceURL in the AuthnRequest does not match?
Thank you in advance,
Manuel Waltschek
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
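The OpenSAML error in Manuel's message and Dmitry's point that the client's ACS and the broker's ACS are two different endpoints both come down to one check the IdP performs: the AssertionConsumerServiceURL in the AuthnRequest must equal (exactly, same binding) an AssertionConsumerService the IdP has on file in the SP's metadata, otherwise the IdP refuses to send the response anywhere. The script below is an added example, not Keycloak or OpenSAML code; it models that endpoint-resolution step in a simplified form (exact string match on Location plus binding, index lookup, default fallback, which is an assumption about OpenSAML's DefaultEndpointResolver rather than a reproduction of it) over a cut-down, constructed copy of the metadata from the thread, with the certificate left out, and a constructed AuthnRequest built with the same ACS URL Keycloak sent.

```python
"""Model of the IdP-side check that produced the 'Neither candidate endpoint
location ... matched' error in the thread. Added example, constructed data;
not Keycloak or OpenSAML code. The endpoint-selection rules are a simplified
assumption about how a SAML IdP resolves the ACS for an AuthnRequest."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Broker endpoint of the Keycloak realm, as it appears in the thread.
BROKER = ("http://localhost:8180/auth/realms/prisma-keycloak-saml-idp"
          "/broker/prisma-keycloak-saml-idp/endpoint")

# Constructed SP metadata shaped like Manuel's export (keys/cert omitted).
# Note the only ACS is the per-client URL, not the bare broker endpoint.
SP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{POST_BINDING}"
        Location="{BROKER}/clients/vde-tirol" index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def acs_endpoints(metadata_xml):
    """Return the SP's AssertionConsumerService endpoints registered in metadata."""
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for el in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        endpoints.append({
            "binding": el.get("Binding"),
            "location": el.get("Location"),
            "index": int(el.get("index")) if el.get("index") else None,
            "default": el.get("isDefault", "false").lower() == "true",
        })
    return endpoints


def resolve_acs(authn_request_xml, metadata_xml):
    """Return the ACS Location the IdP may POST the response to, or None when
    the request names an ACS the metadata does not list (the thread's failure).
    An ACS that is not in metadata is never honoured: that is what stops an
    attacker-supplied AuthnRequest from redirecting an assertion elsewhere."""
    req = ET.fromstring(authn_request_xml)
    endpoints = acs_endpoints(metadata_xml)
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    index = req.get("AssertionConsumerServiceIndex")

    if url is not None:
        # Exact comparison: a prefix such as the bare broker endpoint does not
        # match the registered ".../endpoint/clients/vde-tirol" ACS.
        for ep in endpoints:
            if ep["location"] == url and (binding is None or ep["binding"] == binding):
                return ep["location"]
        return None
    if index is not None:
        for ep in endpoints:
            if ep["index"] == int(index):
                return ep["location"]
        return None
    # Neither URL nor index given: use the default endpoint, else the first.
    for ep in endpoints:
        if ep["default"]:
            return ep["location"]
    return endpoints[0]["location"] if endpoints else None


def make_request(acs_url=None, binding=POST_BINDING):
    """Build a minimal constructed AuthnRequest like the one Keycloak sent."""
    acs_attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="ID_constructed" '
            f'Version="2.0" IssueInstant="2018-12-07T16:08:26.742Z" '
            f'Destination="https://samltest.id/idp/profile/SAML2/POST/SSO" '
            f'ProtocolBinding="{binding}"{acs_attr}/>')


if __name__ == "__main__":
    # The request from the thread: ACS = bare broker endpoint -> rejected.
    print("broker endpoint:", resolve_acs(make_request(BROKER), SP_METADATA))
    # The ACS Keycloak actually published for the client -> accepted.
    print("client ACS:", resolve_acs(make_request(BROKER + "/clients/vde-tirol"), SP_METADATA))
    # No ACS in the request at all -> IdP falls back to the default endpoint.
    print("no ACS given:", resolve_acs(make_request(), SP_METADATA))
```

Running it shows the asymmetry Dmitry describes: the metadata samltest.id holds lists only the per-client ACS, so a request carrying the bare broker endpoint resolves to nothing, while a request that names the published ACS (or none at all, letting the IdP use the isDefault entry) resolves cleanly. Whatever the SP sends and whatever the metadata says must agree on the exact Location string; editing one side alone, as with overriding the client's ACS, only moves the mismatch.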